While not everyone is ready to go the paperless audit route, more finance departments are finding ways in which automation can help them push back against the waste that weighed down earlier internal control audits. One motivation the new breed of tech-enabled finance executives have in common is a focus on using the array of increasingly flexible SarbOx software to meet their own specific audit needs. "The smart companies are starting to flex their negotiating muscle for more thoughtful [audit] approaches," says Tim Leech, chief methodology officer at Paisley Consulting.

EFFICIENT CHATTER

Even auditors can appreciate the efficiency this kind of customized automation brings to the process. "From an auditor's perspective, when a company uses a good software tool to gather and store information, it makes the job a whole lot easier, particularly when they use one of the better, more prevalent tools," says Trent Gazzaway, managing partner of corporate governance at Grant Thornton LLP. "It allows auditors to better locate the data they expect to find and understand how their clients managed the evaluation process."

Finance automation is also allowing companies to reduce the response times and demands from an external 404 audit team, again a potential money-saver. Viasys Healthcare Corp., a $510 million maker of medical devices based in Conshohocken, Pa., is finding new audit efficiencies from a consolidated financial and management reporting system by Cartesis Group. Its Magnitude system can trace and verify entries off the general ledger system from business units in the field, and automatically forecast what discrepancies could occur in a later consolidation. It goes a long way in demonstrating how Viasys' finance department can identify potentially suspicious transactions and how they were approved. G/L entries can be traced back to the individual responsible for correction. That level of detail was something they didn't have before installing the Magnitude software for their initial 404 audits in 2004. "It's easier to respond to auditors," says Matthew Gualtieri, assistant controller at Viasys. "It helps them get a picture of where the consolidation starts and how it ends up. When we sit down to talk to them, we have the financials in front of us that support what we are saying."

The Cartesis system also proved valuable during the company's recent IT audits, when it was easily able to demonstrate security controls through system user IDs that keep unauthorized individuals out of finance's terminal and Web-based servers. "The biggest thing is seeing the approval process," says Gualtieri. "It gives us visibility into who inputs information, when, the time and second they did it. It's a valuable trail."

A LITTLE CASE OF OVERKILL

Adding to the pressure points between companies and their auditors has been the inherent complexity of Sarbanes-Oxley, which in the law's first section established an audit firm regulator, the Public Company Accounting Oversight Board (PCAOB). With audit firms themselves under new pressures to perform, companies were hit with a double-whammy of having to fulfill their own internal control requirements under the law and take some of the passed-on pressures from the audit firms. Compounding the problem, the PCAOB's Auditing Standard No. 2, which laid the groundwork for how internal control reviews were to be done, was widely criticized for giving too little direct guidance in key areas–most significantly in directions to auditors on how much they could rely on a company's own control test results. Some clarifications have followed, but gray areas remain on fundamental issues.

No doubt, regulatory risks raise the stakes for both auditors and companies and applying technology efficiently and effectively is crucial for both. "Automation can't help a company set the scope of testing or decide which processes they need to look at–[that's] based on risks and materiality," says Jennifer Meiselman, managing director at Bridgemark, a New York-based risk consulting and advisory subsidiary of BDO Seidman LLP. "But how you test it and the amount of effort it takes is significantly impacted by the degree of automation."

Many companies remain in the early stages of replacing manual procedures with more automated ones, which should require external auditors to conduct far fewer tests. "The auditor will do one of two things: review your work and rely on your testing or do a full scope of testing themselves," says Meiselman. "Either way, if it's automated, their testing will be more efficient and less costly."

Equally important is the leverage automation provides companies in discussions with auditors. "More companies are using SarbOx automation so they can have the data. The output from reports is well documented in terms of what they have been testing, why they're testing it and why they ignored other things," says Patrick O'Brien, director of product management at OpenPages Inc., a risk and compliance management solutions provider. With automation, "companies have a much stronger case when they go back to their external auditor."

Paisley's Risk Navigator solution offers a single, fully integrated platform for enterprise risk management, SarbOx document management, control monitoring and testing by a company's management and its internal audit team. That approach is designed to create a more efficient engagement when auditors come knocking. "When the external auditor sees the principal work of the company's management and the Q and A testing by internal audit, it should make for a thoughtful position about how much testing they should do," says Paisley's Leech.

SETTING SOME LIMITS

The most effective use of audit-friendly software requires some serious forethought about configurations that make them operate at maximum efficiency for the company and its auditors. "Where companies fail is when they try to load too much detail into a software package, like loading a whole general ledger and trying to tie controls to every individual account," says Grant Thornton's Gazzaway. "It can be 'death by volume.' It becomes hard to identify what's important when you have such a vast volume of information." Once some compliance software is configured, it can become difficult to change later, so Gazzaway recommends companies spend time with a consultant early in the process to make sure a new system is structured to collect data along categories that make sense for that particular company, such as by significant accounts and classes of transactions.

Kyle Didier, vice president of finance at Regis Corp., a $2.2 billion operator of hair salon chains based in Edina, Minn., says that automating many of the company's internal control testing and remediation functions in the last year with a Movaris solution has resulted in external auditors being more trusting when it comes to relying on the company's findings. "Last year, they couldn't rely on our test results, but this year, because we're pushing a lot of the testing to each functional group, they've gotten more comfortable so they can rely on it," says Didier. "The technology made a big difference."

The Movaris system centralizes all process tests and controls across the company's 15 scattered functional groups. It sets the testing plans for each group and manages the process, with updates to responsible employees when certain tests need to be completed and whether or not an outstanding issue has been resolved. "Timely remediation is probably one of the most critical things," says Didier. "When you're not remediating, it will weigh heavily on the conclusions external auditors reach about whether your controls are working." Didier, who oversees the company's five- person internal audit staff, expects the new automation to help fast-growing Regis support a recent acquisition that will double the company's size. He expects the technology can handle the increased burden of integrating high-level compliance reviews across the newly acquired businesses, without the need to add more staff. "We're not in panic mode."