Guide Provides Sarbanes-Oxley Strategies

As more companies work to transition their Sarbanes-Oxley (SOX) compliance efforts from a project to an ongoing, sustainable and cost-effective process, they are assessing strategies to better leverage the SOX technologies they've acquired and implemented. Protiviti Inc. has addressed the growing need for substantive and practical guidance in this area with the release of its new publication, Guide to the Sarbanes-Oxley Act: Managing Application Risks and Controls.

This reference tool provides guidance to generate more value out of technologies now that, for most organizations, year two of Sarbanes-Oxley compliance is coming to a close. Written by the leaders of Protiviti's Application Controls Effectiveness (ACE) practice, the guide offers detailed insights, ideas and concepts that should be of great interest to those responsible for internal control strategies within their organizations.

"Protiviti's ACE practice assists companies with their efforts to manage application risks, and the compliance challenges that accompany them, by defining and implementing internal control strategies," said Michael O'Donnell, managing director and global leader of Protiviti's Technology Risk Services. "While the broader context of this guide is the efforts of organizations to address Sarbanes-Oxley, the issues we address will be relevant to executives and audit committees interested in improving and managing the integrity of applications, regardless of a company's compliance initiatives."

The guide provides specific advice on how to identify relevant applications and the related risks that are important to Sarbanes-Oxley compliance, as well as how to most effectively test the controls that mitigate these risks. Additional topics addressed in this publication include:

  • General application risk and control considerations for complying with Sarbanes-Oxley: Protiviti provides a detailed overview of application risk and control as it relates to Section 404. Topics include benchmarking strategy and disclosure guidelines regarding ERP/application implementation.
  • Application control considerations: Issues include how key applications are identified for documentation, and application control considerations for the order-to-cash, procure-to-pay, and close-the-books/financial-reporting cycles.
  • Access security considerations: Many security configurations create exposure relating to segregation-of-duties issues or excessive access to sensitive transactions. The guide addresses the processes that should be in place for establishing proper user access security and segregation of duties, the roles of the business and IT organization in controlling user access processes, and how an organization can improve its ability to manage appropriate security without incurring excessive cost and time bottlenecks.
  • General IT controls related to applications: Protiviti discusses evaluating application change controls, managing interface risks, and the elements of data management and disaster recovery that should be evaluated by compliance teams.
  • Implementation controls and considerations: This section includes explanations of the primary risks associated with implementation of a new application, data conversions and functional testing.
  • Documentation: Protiviti offers guidance on controls documentation at various levels, including the entity level and the activity/process-area level.
  • Testing: As with other controls, IT controls must be tested to ascertain that they are operating as designed. The guide includes strategies for controls testing at the infrastructure and application levels.
  • Addressing deficiencies and reporting: Protiviti discusses ideas for how management can address deficiencies and gaps in application controls, and how an external auditor views application controls during the attestation process.
  • ERP compliance software and automated testing tools: Protiviti suggests Sarbanes-Oxley enablement software that companies should consider, along with questions the organization should address when evaluating an application's capability to support Section 404 compliance.

© 2012 Penton Media Inc.