Sarbox drives UK software spend
IT has a key role to play for companies trying to keep audit costs down when dealing with Sarbox compliance
UK businesses affected by Sarbanes-Oxley compliance have been urged to use IT
to streamline processes in a bid to keep down the escalating cost of audit fees.
This message came at the launch of a white paper studying the potential
impact of IT upon companies dealing with Sarbox compliance, produced by software
developers association BASDA and PricewaterhouseCoopers.
The study found that companies burdened with documenting thousands of
processes should attempt to cut them back, while automating as many as possible,
in a bid to keep down audit costs.
Speaking at the launch, PricewaterhouseCoopers senior manager Anton
Ruddenklau said that the firm had found many global organisations with
duplicated processes across different offices, and using changes to IT
infrastructure to support removing duplications could have a ‘massive’ effect.
‘Automating controls has been a high priority in the US,’ said Ruddenklau.
‘ERP systems, with great functionality, are not being used properly, to their
limit. Some of my clients are looking at controls dashboarding, and then
benchmarking tools.’
Richard Morley, product marketing manager at Epicor, said that as auditors
had put a ‘value’ on dealing with Sarbox clients, it made it ‘easy’ for software
companies to push the business case for selling their software.
‘Reducing the number of processes equals reduced compliance costs,’ said
Morley. ‘Selling a client a preintegrated software “solution” reduces the risk
they face, and this leads to a standardised implementation, which reduces
deployment costs.’
Another method of keeping down an audit fee was using workflow documentation
technology to manage manual and spreadsheet-intensive processes. This lets the
auditor view the process workflow more quickly. Morley said that greater
centralisation of functions, through outsourcing for example, was one ‘mechanism
for transferring risk’.
However, the white paper warned businesses to make sure that any third-party
services providers or key suppliers also meet rigorous control standards. For
example, IT and business process outsourcers should consider meeting the
requirements of SAS 70, a report that provides a uniform framework in which a
service organisation can disclose its activities and processes to its users.
The auditors preparing the SAS 70 reports seeks to check that the controls
described by the service centre are materially correct, appropriate and
effective.