Using automated controls to ensure better, faster, cheaper audits: using technology that automates testing of internal controls ensures regulatory compliance and promotes operational excellence.

• Author: Roland, Holly
• Position: INTERNAL CONTROLS - Sarbanes-Oxley Act of 2002

Not since the 1930s--when the "alphabet soup" agencies of the New Deal were formed--have government mandates caused as much confusion and controversy, or been as sweeping, as the new international laws that dictate higher levels of corporate governance, risk management and compliance (GRC).

From the Sarbanes-Oxley Act of 2002 (SOX) in the U.S., to Bill 198 in Canada, to Japan's Financial Instruments and Exchange Law (so-called J-SOX), the current global regulatory environment is one that demands that enterprises take every step to ensure the integrity of their finances, their data, their processes and their employees.

Coming on the heels of major corporate scandals, Sarbanes-Oxley, for example, created a huge increase in internal costs and external audit fees, a call for additional staff and expertise and a need for new and more sophisticated process automation. For the entire business world, a whole new frontier lay uncharted, with many company fortunes tied to meeting the new challenges.

Effective Controls: No Simple Task

Since then, CFOs have been faced with the difficult compliance challenge of finding a way to reduce the cost of compliance while simultaneously ensuring that the access to data and business process controls that their companies had in place are operating as designed and working effectively to minimize financial reporting risk. However, many companies have deployed disconnected, tactical approaches to internal controls, usually requiring manual control design and testing efforts that result in duplicated activities, high costs, wasted time and resources and limited GRC effectiveness.

This reactive approach makes it impossible to implement a cohesive GRC strategy for monitoring, identifying and managing risk across the enterprise. This fragmentation--when replicated many times across different business applications and functional groups--creates a complex situation that actually introduces new risks and prevents transparency into the efficacy of controls in the organization.

But putting an effective control environment in place is no simple task. Companies need the ability to document and monitor business processes that cross multiple enterprise divisions and regions, span entire business processes and monitor multiple, often disconnected information technology (IT) applications. A company's business processes and the various regulations impacting them often also vary by country and business unit.

Now that many U.S. companies are in their fifth year of Sarbanes-Oxley compliance, expectations about efficiency and effectiveness continue to increase. Audit committees and senior management increased their insight into the risk profile and confidence that the company is truly operating effective and compliant controls. But, they will not accept increased costs to achieve it. Internal auditors need to find effective ways to enforce controls in the company and create control documentation and test results that can be relied upon to reduce the external audit fees.

External auditors also have expectations. They audit the financials with lower materiality levels and, therefore, demand...