Section 404 of the Sarbanes-Oxley Act places additional technological responsibilities on public companies in the way they report and monitor their financial transactions. Technology may substantially facilitate the development of new Web-enabled solutions that allow regular and privileged data users to access data stores without making enterprises vulnerable to external threats. Extensible Business Reporting Language can be used as one of the most reliable instruments for developing ERP solutions, web services, and continuous auditing systems. These technologies will guarantee excellent compliance, eliminating the need to rely on manual instruments of financial control.
IT Governance: How Can Technology Be Used to Address SOX Section 404?
Section 404 of the Sarbanes-Oxley Act places additional technological responsibilities on public companies in the way they report and monitor their financial transactions. “In the wake of historic corporate scandals including Enron and WorldCom, SOX prescribes a range of business reporting requirements and management controls” (Tizor, 2008). In general terms, Section 404 of SOX requires that companies implement a whole range of internal reporting systems to control internal financial procedures and monitor the effectiveness of the internal financial structure. Technology is the integral component of Section 404 compliance.
Section 404: technology as the integral component of SOX compliance
By requiring companies to control the integrity of financial data, and to show and prove that the necessary control components are in place, SOX Section 404 implies the need to implement a set of specifically designed information technology solutions. These technologies must provide data management and protection from a holistic perspective, and must help create a hyper-networked information environment, where internal and external partners manipulate their data stores by means of authorization. In this context, technology may substantially facilitate the development of new Web-enabled solutions that allow regular and privileged data users to access data stores without making enterprises vulnerable to external threats. Segregation of duties is the primary element of IT operational policies under Section 404 compliance; this element is further supplemented by Application DBAs “who modify table structure and change data as necessary” (Tizor, 2008). Segregation of duties and Application DBAs become particularly important when it comes to specific financial elements, including requisition, accounts payable and cash management components (McIntosh, 2007). A segregation of duties platform will ensure that the requisition process is valid and that unnecessary paperwork is eliminated; the accounts payable process will be automated to make all critical vendor information available to authorized users. The depreciation of fixed assets is also impossible without integrating user-defined depreciation technologies into the company’s IT systems.
When companies look for effective Section 404 compliance solutions, special attention should be paid to monitoring access failures, schema changes, and direct data access. “Information Technology is critical for achieving compliance cost-effectively. Systems such as ERP are required to be deeply integrated into the creation, authorization, and reporting of financial data” (Li et al., 2007). The implementation of ERP technology frameworks helps companies integrate financial reporting with internal control requirements, and develop a new strategic vision of Section 404 compliance. ERPs are developed so as to minimize financial costs and to maximize the benefits of a project-based approach to IT in small and large companies. Technologies will ensure continuous functionality of auditing solutions and will reduce the costs of manual auditing. With continuous auditing being one of the primary Section 404 requirements, companies can use technology to develop and implement embedded operational business processes, and to optimize the flexibility, transparency, scalability and real-time advantages of internal financial controls.
Extensible Business Reporting Language can be used as one of the most reliable instruments for developing ERP solutions, web services, and continuous auditing systems (Li et al., 2007). XML-enabled reporting and auditing systems offer almost unlimited opportunities for developing continuous auditing solutions as required under Section 404 of the Sarbanes-Oxley Act. Web-based approaches to continuous auditing and accounting will help improve the general transparency of financial information, as well as the consistency of internal financial reports. Researchers suggest that Extensible Business Reporting Language (XBRL) is a universal instrument that firms can use when developing SOX-compliant solutions across different formats and technology platforms (Li et al., 2007). The integration of XBRL solutions into the company’s software systems is inevitable if firms want to utilize the benefits of technological advancement to promote the efficiency and cost-effectiveness of the internal systems of financial control.
Section 404 compliance requires that firms develop and implement special systems of automated risk assessment and control. Automated risk assessment and control is aimed at improving the cost-effectiveness of financial transactions. At this point, the already mentioned segregation of duties platform may substantially facilitate the process of achieving excellence in Section 404 compliance: “companies can enhance their control environments and separate conflicting duties through ensuring that users’ access and privileges within the company’s information and decision-making chain are commensurate with their job responsibilities” (Li et al., 2007). Risk assessment and segregation of duties control make it possible to address the five W’s of Section 404 compliance: “Who did, What to, Which data asset, When, and from Where?” (Tizor, 2008). The interrelation of various technological components and the close interaction between segregation of duties, Application DBAs, XBRL Web-based compliance tools, and ERP systems form the basis for continuous financial performance, auditing and internal control within organizations. Section 404 is one of the most technologically advanced provisions of Sarbanes-Oxley, and companies will hardly achieve excellent compliance by using manual instruments of financial reporting and control without applying technologies at all stages of their financial performance.
Section 404 of SOX requires that companies implement and use an automated system of internal controls to monitor financial transactions and to integrate these internal systems with financial reporting requirements. Technologies can provide Section 404 compliance through web-based platforms, segregation of duties and ERP systems, as well as XBRL-based and XML-enabled environments. These technologies will guarantee excellent compliance, eliminating the need to rely on manual instruments of financial control.
Li, Y., Roge, J.N., Rydl, L. & Hughes, J. (2007). Achieving Sarbanes-Oxley compliance with XBRL-based ERP and continuous auditing. Issues in Information Systems, VIII (2): 430-436. Retrieved October 9, 2008 from http://www.iacis.org/iis/2007_iis/PDFs/Li_Roge_Rydl_Hughes.pdf
McIntosh, R. (2007). The path to automating SOX section 404. American Banker. Retrieved October 9, 2008 from http://www.americanbanker.com/article.html?id=20070102NC4F9NQK&queryid=1265074844&hitnum=6
Tizor. (2008). SOX 404: regulatory roadblock or roadmap for IT excellence? Tizor Enterprise Database Monitoring and Protection. Retrieved October 9, 2008 from http://www.tizor.com/Resource-Center/Compliance-Resources/SOX-404