The present invention relates to the field of software applications generally, and specifically to the implementation of financial applications. The corporate accounting scandals surrounding WorldCom, Enron and Tyco in 2002 spurred the passage of the Sarbanes-Oxley Act of 2002. The Act creates an obligation for officers of a company to warrant to their shareholders the accuracy of the company's accounting information, the controls in place to safeguard the assets of the company, and the validity of the financial statements they produce. Although these obligations have previously existed in a weaker form in the United States, the advent of the Sarbanes-Oxley Act has made these obligations much stronger. Any company that is listed on an American stock exchange has these obligations.
The Act codifies a framework for internal accounting controls specified by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO establishes three categories of controls: Effectiveness and Efficiency of Operations; Reliability of Financial Reporting; and Compliance with Laws and Regulation. COSO also establishes five interrelated components of effective internal control: Control Environment; Risk Assessment; Control Activities; Information and Communications; and Monitoring. In summary, the methodology prescribed by COSO includes identifying the opportunities for fraudulent reporting, determining the risks arising from these opportunities, and then providing accounting controls to mitigate these risks.
Although compliance with the Act is reason enough to implement this framework, enterprises also benefit (in the form of higher stock prices) from the increased confidence of their shareholders. The framework bestows additional benefits on the enterprise, including: the ability to identify and reengineer processes that are inefficient; the ability to identify redundant control procedures; and the ability to improve managerial controls.
Addressing the requirements of the Sarbanes-Oxley Act is an urgent need. It is desirable to have an audit system that enables an enterprise to efficiently implement the requirements of the Act. It is desirable for an audit system to: 1) configure and implement audit processes; 2) determine the set of risks associated with the business processes of an enterprise; 3) apply a set of controls to the business processes of an enterprise to mitigate the set of associated risks; 4) continuously monitor the effectiveness of a set of controls; 5) determine when business processes used by an enterprise have deviated from a model process; 6) certify new business processes; 7) integrate business processes and their associated risks and controls with financial statements; and 8) create audit procedures to be followed by auditors and employees to implement audit processes. It is further desirable to provide a hosted service to provide auditors with a set of audit procedures and to enable auditors to track compliance with these procedures for a set of standard business processes.