Implementing a new finance system 1273



  • Hi all.
    The company I am working at plans to implement a new financial system (SAP R/3) by the mid of the year and to completely abandon the old one.
    Now, the company has to be SOX compliant as of Dec. 31st '06, and to my understanding, SOX requires compliance over the entire year.
    So, is it correct then to expect the company to test:
    a) the effectiveness of internal controls over financial controlling related to the old financial system
    AND
    b) the effectiveness of internal controls over financial controlling related to the new financial system (SAP) - of course after the implementation?
    If we tested SAP controls only, wouldn’t it lead our auditors to a conclusion of ineffective control design of IT controls (in the first year-half at least)?
    Or is there a possibility to test SAP only, and still be SOX compliant for (entire) 2006?
    Thanks



  • I could be wrong, but it might be a good idea to go about testing your old system in the first half of the year. Then in your quarter 1 or 2 10Q, you should disclose the fact that you’re changing systems. You will probably still have to do testing on SAP in the second half, but it may not be as extensive as your first half testing. Remember, DISCLOSURE is very important.



  • I would start documenting processes as soon as possible. There will be several non-system controls that will not change with the new system such as management reviews, account reconciliations, etc. Getting these out of the way will allow you to focus on the new system in the back half of the year. It will also get you familiar (on your existing system) as to controls you need to have in place in your new system when it goes live.
    Don’t undersstimate the impact on controls of estimating a new system or subsystem. Many companies push to get the new systems live (and contract programmers off the payroll) before the systems have been fully tested. This often results in minor reporting issues that can overwhelm you and take the focus off of controls.
    Personally, I would never recommend going live with a new system after the third quarter of your year if you need to be SOX-compliant.



  • A relevant excerpt from the PCAOB, 6/23/04:
    Q6. If management implements, late in the year, a new accounting system that significantly affects the processing of transactions for significant accounts, and if the majority of the year’s transactions were processed on the old system, does the auditor need to test controls over the new system? Given the same scenario, does the auditor need to test controls over the old system?
    A6. To audit internal control over financial reporting, the auditor will need totest controls over the new system. Paragraphs 147-149 of Auditing Standard No. 2 provide relevant directions to the auditor in this situation. Those paragraphs state that the auditor’s opinion on whether management’s assessment of the effectiveness of internal control over financial reporting is fairly stated relates to the effectiveness of the company’s internal control over financial reporting as of a point in time. Furthermore, Section 404(a) of the Act requires that this assessment be as of the end of the issuer’s most recent fiscal year.
    Because controls over the new system, which significantly affect the processing of transactions for significant accounts, are the controls that are operating as of the date of management’s assessment, the auditor should test controls over the new system. Although the auditor would not be required to test controls over the old system to have sufficient evidence to support his or her opinion on management’s assessment of the effectiveness of internal control over financial reporting as of the end of the issuer’s fiscal year, the old system is relevant to the audit of the financial statements. In the audit of the financial statements, the auditor should have an understanding of the internal control over financial reporting, which includes the old system. Additionally, to assess control risk for specific financial statement assertions at less than the maximum, the auditor is required to obtain evidence that the relevant controls operated effectively during the entire period upon which the auditor plans to place reliance on those controls. Paragraphs 150 and 151 of Auditing Standard No. 2 provide relevant directions to the auditor in this situation.
    Separately, since implementation of a new system has IT remifications, it might be appropriate to address development/testing, and related matters in the IT General Controls documentation.
    IT General Controls
    Controls used to manage and control the IT activities and computer environment, covering the following areas:

    • Maintenance of existing systems
    • Development and implementation of NEW SYSTEMS
    • Information security
    • Computer operations
      Hope this provides further clarification,
      Milan


  • Thanks to all. Your information helped a lot and confirmed my point of view that we need to ensure sufficient internal controls over both accounting systems.


Log in to reply