efforts, effective workflow management
is critical to project success. Organizations need to ensure that process owners
receive appropriate business information,
control owners are notified of risks that
require mitigation, exceptions are identified, and management understands key

Flowcharting software can be used to
draw business processes so that risks and
controls affecting the compliance process
can be identified more easily. The software can also be used to map financial
statement accounts, risk probabilities, loss
impacts, testing procedures, control gaps,
and action plans.

Users of flowcharting tools may be able
to identify risks that would not be apparent when preparing a walk-through memo
of the process. By looking at a visual representation of processes — versus long
text descriptions — inefficiencies and segregation of duties issues may be easier to
spot, especially when working with higher
management levels that are accustomed
to seeing data “boiled down” to its essence.

Although preloaded databases can
serve as a useful guide for risk assessment,
they do not necessarily represent a comprehensive solution. When documenting risks and controls, process owners
using the software will still need to take
their organization’s unique characteristics into account, rather than simply
checking off listed items on screen.

RISK DATABASES Preloaded knowledge-bases of common risks and controls
enable users to plug in the appropriate
information for their given process
quickly. These resource tools are often
organized by both process and alphabetical sequence and aligned with established control models such as The
Committee of Sponsoring Organizations
of the Treadway Commission’s
Internal Control–Integrated Framework, the
Canadian Institute of Chartered Accountants’ Guidance on Control, or the Basel
Committee on Banking Supervision’s
New Basel Capital Accord (Basel II).

The database tools facilitate identification of potential risks and help provide
solutions for risk management. For example, a database containing common risks
associated with improper reporting of
period-end balances would likely include
information on fixed asset accounts.
Under this heading, the database might
list the potential risk that fixed asset additions are not completely processed in the
financial statements. For this risk, the
software would then present a set of mitigating controls such as fixed asset subledger to general ledger reconciliations or
an integrated accounts payable system
that automatically updates the subledger
with any purchases of assets.

EMPLOYEE SURVEYS Several types of survey
tools are available for Sarbanes-Oxley projects. One form of survey enables participants of group sessions to answer
questions through the use of electronic
voting devices. This method ensures an
anonymous, democratic, and quantified
assessment of controls through facilitated
sessions and helps save time by enabling
users to assess process owners’ collective
understanding of the control environment
quickly. Another survey type allows users
to complete manual tasks more efficiently
by gathering data — such as code-of-conduct signatures and business process control sign-offs — online rather than in

A third form of survey tool facilitates
assessment of the organizational control
environment by asking anonymous questions using Web forms. These tools use
a Web-based platform to launch the survey and disseminate results and can be
managed internally or through an outside party. Some products can automatically generate reports as data is
collected. The software capitalizes on
the fact that people, not financial statements and computers, commit fraud and
that many employees want to share what
they know about organizational control
issues. For example, according to the
Association of Certified Fraud Examiners’ 2002 Report to the Nation, roughly
45 percent of fraud is detected through
employee and business-partner tips.
Therefore, the tools help tap into the
valuable information on fraud detection
that often comes from workers, not databases, extending data analysis beyond
lifeless financial and transactional data
and into the vibrant data stores in
employees’ and business partners’ minds.

Not only does this form of analysis
broaden the organization’s risk and control awareness, but gathering information from a large number of people can
also increase the predictability and confidence levels of the assessment.

ACL Services Ltd.
ANGOSS Software Corp.
Automated Audit Flows
Case Ware Inc.
Control Solutions International Inc.
D’Arcangelo & Co. LLP
DMH Solutions Ltd.
Idea Sciences Inc.
Jefferson Wells International
NetMap Analytics Pty Ltd.
Nth Orbit Inc.
Option Technologies Interactive LLC
Patton & Patton Software Corp.
PeopleView Compliance Group LLC
Proquis Ltd., Proquis Inc.
Resources Connection Inc.
Risk Wizard Pty Ltd.
Sirius Solutions LLP
NOTE: Product listing represents only a sample
INTERNAL AUDITOR FEBRUARY 2004