If you receive errors when attempting to view this white paper, please install the latest version of
Adobe Reader.
"From an accounting system standpoint, a key to
compliance with Sarbanes-Oxley is the presence of an extensive audit trail, complete with drill-down and drill-around functionality. This is where
Microsoft Dynamics NAV can help."
Source: Microsoft
Sarbanes-Oxley Readiness with Microsoft Dynamics NAV
Sarbanes Oxley is also known as :
Compliance Sarbanes Oxley,
Sarbane Oxley Compliance,
Sarbanes Oxley 404 Compliance,
Sarbanes Oxley ACT,
Sarbanes Oxley ACT Compliance,
Sarbanes Oxley Benefits,
Sarbanes Oxley ACT Software,
Sarbanes Oxley CEO,
Sarbanes Oxley Compliance Checklist,
Sarbanes Oxley Compliance Management,
Sarbanes Oxley Compliance Program,
Sarbanes Oxley Compliance Requirements,
Sarbanes Oxley Compliance Rules,
Sarbanes Oxley Compliance Software,
Sarbanes Oxley Compliance Solution,
Sarbanes Oxley Compliance Solutions,
Sarbanes Oxley Compliance Tool,
Sarbanes Oxley Compliance Tools,
Sarbanes Oxley Control,
Sarbanes Oxley Controls,
Sarbanes Oxley Courses,
Sarbanes Oxley Implementation,
Sarbanes Oxley Information,
Sarbanes Oxley Information Technology,
Sarbanes Oxley IT Compliance,
Sarbanes Oxley Legislation,
Sarbanes Oxley News,
Sarbanes Oxley Overview,
Sarbanes Oxley Policy,
Sarbanes Oxley Regulations.
Executive Summary
The US Public Company Accounting Reform and Investor Protection Act of 2002, also known as the
Sarbanes-Oxley Act, came into law in 2002 as an immediate reaction to several corporate scandals
involving accounting information. The legislation requires organizations to communicate their
financial information accurately and reliably to investors, employees and the public. For those
organizations that choose to embrace the changes as opportunities, the legislation can be beneficial. It
gives organizations the possibility to reevaluate their business processes, identify competitive
advantages and provide transparency for investors and the public.
This paper addresses the three sections of Sarbanes-Oxley regarding data accuracy and documentation
requirements. This paper also discusses how the legislation can affect companies and how Microsoft
Dynamics NAV can help organizations to comply with the new regulations.
What is Sarbanes-Oxley?
The Sarbanes-Oxley Act (officially known as the US Public Company Accounting Reform and Investor
Protection Act of 2002) -- came into law in 2002. The need for reform became apparent after a series
of accounting scandals involving large, publicly offered companies such as Enron and WorldCom.
Legislators wrote the Act to restore investor confidence in the integrity of US capital markets in the
wake of these events by implementing higher regulatory standards upon the quality and integrity of
the information itself and assigning responsibility to those responsible for reporting accounting and
financial information.
Simultaneously, other initiatives were taken to improve corporate governance. These include the Basel
II initiative, due for implementation in 2006, which will impose a new operational risk management
framework on financial institutions in G10 nations. The International Accounting Standards (IAS) body
is also developing a number of new and revised standards for better reporting from an international
perspective.
The possible benefits of these changes and the implementation of Sarbanes-Oxley are significant.
Organizations will have the opportunity to reevaluate business processes, including financial reporting
processes, in order to identify the most efficient mode of operation. By reassessing their business
processes, organizations can obtain new competitive advantages if they exploit new, more efficient
modes of operation. These new modes of operation can ultimately provide organizations with more
stable bases for current business operations and for future business development.
These new regulations also provide organizations with the opportunity to increase transparency for
investors, employees and the public, which can positively influence an organization’s public image and
strengthen their trustworthiness for investors still wary after the recent corporate scandals. These
changes also give those individuals who are personally responsible for reporting valid, reliable, and
accurate financial information even greater responsibility. This provides another guarantee to investors,
employees and the public that information stated in reports and statements is correct, and that the
given organization has not provided fraudulent or inaccurate information, thereby giving the
organization another means of reassuring investors of their intentions.
Sarbanes-Oxley, IAS and other initiatives all play an important role in improving modern day corporate
governance. However, with regard to computerized accounting and reporting, these changes also
place a heavy burden on the technological infrastructure of many organizations. Microsoft Dynamics
NAV, a business management software solution that is especially suited for subsidiaries of larger
organizations, provides a range of features, tools and services to help support small to medium-sized
businesses in their efforts to comply with Sarbanes-Oxley.
Sarbanes-Oxley Bill: Sections of Importance
Three sections place significant demands on ERP systems. The following sections describe what is
required for documenting the validity and accuracy of the data that a company will use to compile
their financial reports and release to the public.
Section 302
This section stipulates that the principle officer (CEO, CFO, financial officer) certify in each annual or
quarterly report filed that they have personally reviewed the data contained within the report and that
they are confident in the accuracy and validity of the data, data compellation procedure and analysis
process.
Section 302 is an indication of the changes many organizations will have to make. In order for the
report certification required by this section to be possible, special attention must be given to the kinds
of process controls and event monitoring that typify compliance with sections 404 and 409 of the Act.
Furthermore, if, as a form of personal certification, CEOs, CFOs and other financial officers are required
to sign off on the organization’s annual and quarterly reports, the validity of the information contained
in these reports and how the report was compiled can come into question. This leads to sections 404
and 409, which deal with internal reporting control and regular and timely disclosure of financial
information.
Section 404
This section stipulates that an internal control report must exist, which states that management is
responsible for establishing and maintaining an ample internal control structure/procedure for
reporting. In addition, the report must contain an assessment, as of the end of the fiscal year, of the
effectiveness of the implemented internal control structure/procedure. The last stipulation requires
that an external auditor approve the report.
The objective of this section is to place emphasis upon the controls and procedures for managing
financial reporting processes. A framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)1 is an example of an internal control structure/procedure and can
be helpful in addressing issues related to this section of the Sarbanes-Oxley Act. The section in this
paper titled, “The Demands on ERP Solutions” discusses COSO in further detail.
Section 409
Section 409 requires each issuer to disclose to the public on a regular and timely basis additional
information concerning material changes in the financial or operational health of the issuer in plain
English. This may include trend and qualitative information and graphical representations as necessary
for the protection of investors, employees, as well as in the public interest. The objective of this section is to require that organizations focus on the need to appreciate, analyze and publicize material
business events that will influence the health of the organization.
The fact that organizations have to present the public with financial information about material
changes on a regular basis implies that they would have to have the information on hand immediately
in order to report in this manner. They will need an accurate and up-to-date service to prepare such
information.
1 COSO is a voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics,
effective internal controls and corporate governance. For more information go to: http://www.coso.org/
The Demands on ERP Solutions
Inevitably, as the demands on accounting processes evolve and intensify, so do the demands on ERP
solutions for those dealing with accounting processes. Sarbanes-Oxley is essentially about quality of
process and technology, and in most organizations today, many business processes are managed
across a range of business management software applications. Sarbanes-Oxley focuses primarily on
the quality of the information reported, meaning that the core issue for CFOs to address with regard to
Sarbanes-Oxley compliance is quality in financial processes. While this does not explicitly mean that
software is the primary concern of CFOs and controllers when dealing with Sarbanes-Oxley compliance,
it suddenly becomes a main concern because in a modern organization, information technology (IT) is
a necessary tool in corporate governance. In fact, many of the business processes on which Sarbanes-
Oxley compliance depends center on the use of better software applications, like Microsoft Dynamics
NAV.
Since Sarbanes-Oxley is primarily about data, analysis, and reporting, the IT environment in an
organization will be critical in determining whether that organization is able to be compliant. The
functionality of Microsoft Dynamics NAV provides controls that aid in compliance when coupled with a
Sarbanes-Oxley- targeted management model. Fortunately, COSO provides a framework for helping
companies meet requirements laid out in Section 404 of the Act. The objective of the COSO
framework is to help to ensure internal controls, which are constantly monitored by the organization’s
managerial techniques. According to the COSO framework, organizations must create a control
environment, and within this environment, perform risk assessments and initiate control activities to
ensure that risks are managed. Organizations must have systems in place to make sure that
organizations convey information accurately and in a timely fashion.
Sarbanes-Oxley influences two aspects of the business environment: the purely IT aspect of
accounting/financial reporting and the business/managerial aspect. Once companies implement an
internal controls system such as the one suggested by COSO, much of this burden then shifts to IT,
particularly ERP solutions. The following concepts are invaluable in Sarbanes-Oxley compliance and any
ERP solution should address these concepts when used in the context of Sarbanes Oxley:
Authorization and Security: Access to financial information should be limited to those who have
authorization to the system or to a section of the system. This must be in place to avoid unauthorized
access and fraud.
Validity Information should come from a reliable, trusted source. Only certain people or groups can
post or alter certain information.
Precision: Information is only accepted when entered in the correct format. Furthermore, information
may only be entered once – duplicate entries are detected and then rejected. All information is kept as
current as possible.
Safeguarding: All transactions should be backed up. Additionally, a log of users, their sessions and
transactions is ideal for tracking inconsistencies in the system.
Microsoft Dynamics NAV Features that Help with Compliance Efforts
Authorization and Security with Role-Based Security and Access Restriction
The core functionality of role-based security is to segregate users by tasks and accessibility. IT security
is an important element of the reliability of ERP solutions. Microsoft Dynamics NAV allows the user to
dictate which users have what access rights to the database based on the duties of the user. For
example, a user can be given the right to alter/delete/add entries, be allowed “read only” access to the
database or the user can be blocked completely from certain areas of the database. This can be done
in the Roles window as shown in Figure 1.
Figure 1. Roles Window
Access Restriction in Microsoft Dynamics NAV allows the user to create rules about accessibility to
areas of the database. In the example shown in Figure 2, the Database Logins window for posting
employee absences has been opened through the roles window. In this window, the accessibility to
“HR-ABSENCE” can be limited by user and by company.
Figure 2. Database Login Window
Further levels of permission on the table level can be seen in Figure 3.
Figure 3. HR Absence Window, Levels of Permission
Access can also be controlled through the windows access control table. This table contains
information about the security roles assigned to each user. Through the identity management of
Microsoft Dynamics NAV, access can be granted for users to access the system at any time.
These features, when integrated into the internal controls required for Sarbanes-Oxley compliance, can
help ensure validity. These features help ensure that only necessary personnel can access certain areas
of Microsoft Dynamics NAV. This supports both internal controls and the internal controls reporting
required by section 404. Furthermore, these features will help limit the probability of tampering and
the chance that flawed information will be added to the system. This helps to provide a greater
assurance of reliability for those signing off on any financial reports required by section 302.
Application Controls and Data Validation
Application controls are controls placed within the application to check for the validity, accuracy, and
completeness of data. The following example demonstrates the configured controls in Microsoft
Dynamics NAV. In Figure 4, the user has attempted to post a purchase order without a vendor invoice
number. Microsoft Dynamics NAV will only allow the posting to occur once the vendor invoice
number has been added because of the configurable controls in the application.
Figure 4. Configured Controls in Microsoft Dynamics NAV
Data validation in Microsoft Dynamics NAV means that users can be prevented from making a posting
with invalid information. In Figure 5, the user attempted to post a blanket sales order with a vendor number that does not exist in the database. Microsoft Dynamics NAV notes the error in a pop-up
window and blocks the posting until the appropriate correction is made.
Figure 5. Microsoft Dynamics NAV Helps Prevent Data Entry Errors
Such controls also exist on a field level in order to help ensure the completeness of data throughout
the system. For example, debits and credits must match within the application in order for the
transaction to take place.
These features will help promote sections 404 and 409 compliance by helping users enter data that is
complete, correct and precise. This is valuable in section 404 compliance in which internal controls
must be presented and approved by an external auditor. This feature can be integrated into an
organization’s internal controls and be useful when presenting information to an external auditor. It
also helps ensure that data that may constitute material changes in the financial condition of the
organization is complete and up-to-date so that it can be presented in a timely fashion as required by
section 409.
Reconciliation
The reconciliation feature allows Microsoft Dynamics NAV users to gain financial information from
bank account(s), get instant updates regarding transactions, drill down for more in-depth data, and
resolve discrepancies between dates posted for transactions in Microsoft Dynamics NAV and the dates
of the subsequent bank transactions.
Figure 6. Reconciliation Feature in Microsoft Dynamics NAV
While this feature will aid in the compliance to sections 302 and 404 because it will help improve the
validity of the Microsoft Navision database, the largest gain provided by this feature is the ability to
provide up-to-date and precisely reconciled financial data. This feature will help the user in
recognizing changes in financial conditions that need to be communicated to investors and the public
as required by section 409.
Reporting
Microsoft Dynamics NAV comes with a set of reports used by most businesses. The reports show all
transactions within a set of parameters. This functionality allows those creating reports to review the
history of the information they are reporting to account for any changes that may go otherwise
unexplained.
For example, among the reports available are the aging reports; the program calculates aging from the
due date, posting date or document date depending on your choice on the Options tab. By entering
the following window and opening the options tab, the user can also select other details and
formatting.
Figure 7. Creating an Aging Report
The Order Summary report is another example as it is similar to the aging reports, but this report is
specifically designed to provide a summary of all order transaction within a specified grouping. For
example, if the report should include all customers dealing in American dollars, the report options can
accommodate these demands. The Customer – Order Summary window can be seen in Figure 8.
Under the options tab shown in the window, the starting date from which the report should be created
is visible. At the same time, other information can be altered to create a customized report. This is
demonstrated in Figure 9. Here, the Customer tab called Currency has been filtered to show only
orders in American dollars. This can be invaluable to organizations that are handling orders in different
currencies on a regular basis and that need to report in a single currency such as the American dollar
for reporting purposes.
Figure 8. Custom Order Window
Figure 9. Creating a Customized Report
Both of these features can be helpful when complying with all three sections of the Sarbanes-Oxley Act
discussed earlier in this paper. In addition to providing transparency for external audits, controllers or
CFOs can review the history of accounts in question for validity and precision and with regular
application, can identify trends that can lead to what may constitute material changes in the financial
condition early on and report these.
XBRL Documents
XRBL is an XML-based specification that uses accepted financial reporting standards and practices to
exchange financial reports across different software and technologies, including the Internet. The key
benefits associated with XRBL are technological independence, full interoperability, the efficient
preparation of financial statements and reliable extraction of financial information. XBRL allows
organizations to exchange financial data easily and efficiently based on underlying data tags, which
provide an alternative to scanning and re-keying financial data. Both scanning and re-keying have
inherent downsides such as the usage of time, human error, and there is the possibility that cross
analysis or data extraction can be more difficult or even impossible. XBRL can help protect the
integrity of the data and help to minimize these negative aspects.
XBRL works through a series of XML tags. By mapping financial information to these tags,
communication between completely different financial systems for the purpose of data exchange
becomes possible. In addition, the International Accounting Standards Board has mapped all IAS
accounting terms to XML markup tags and made these tags available for each jurisdiction. Tags have
also been gathered according to each jurisdiction’s local general accounting principles in what is now
called taxonomy. This allows one taxonomy to be used for various output formats, including the
Internet, for further organizational transparency. Tags now allow data to be transferred not only from
system to system for the internal use of the organization, but also to the systems of auditors for review.
Figure 10 shows XBRL taxonomy.
Figure 10. XBRL Taxonomy
XBRL can be an important tool in an organization’s efforts to become compliant with the Sarbanes-
Oxley Act. It provides another resource for helping to ensure the validity and precision of data and
reporting by taking human error out of the financial reporting cycle It also helps ensure that
companies can easily share data with auditors, which can aid in Section 404 compliance. Organizations
will also be able to create reports simply across systems and even post on the Internet, further
informing the public of the current state of the organization and of changes in the financial state of the
organization, aiding in Section 409 compliance.
Navigating – Following the Audit Trail
From an accounting system standpoint, a key to compliance with Sarbanes-Oxley is the presence of an
extensive audit trail, complete with drill-down and drill-around functionality. The sole reason why this
functionality exists is to provide users with the ability to trace source documents through the
accounting systems to the final financial statement and back to the original source document. For
example, from the General Ledger – Chart of Accounts window, the Ledger Entries window can be
accessed by tracking the audit trail. From this point, the user can see how and when the data was
entered and to which account the entries were posted.
Figure 11. Following an Audit Trail
As part of the audit trail drilling tools, Microsoft Dynamics NAV provides the user with tools such as
drill-down, look-up, filtering, Registers, and Navigate. These tools give greater transparency to the
financial reporting process and give those employees responsible for reporting a valuable tool for
helping to ensure the validity and precision of the data entered if any doubt should arise. Drilling is
also useful for auditors reviewing the organizations financial data, thus aiding in Section 404
compliance.
Customization for Local Requirements
In Microsoft Dynamics NAV, it is possible to change the set up parameters for the general ledger,
receivables and payables sections of the program. In Figure 11, the General Ledger Setup window can
be seen. Many parameters in this window such as currency and VAT amounts are essential to sound
bookkeeping and differ between regions or countries. This functionality allows the user to change
these parameters to fit local demands thereby adhering to accepted accounting standards.
Figure 12. General Ledger Set Up Window
Accounting for Alterations Made to Data
Change Log
Microsoft Dynamics NAV’s Change Log tracks all changes made within the database and catalogs them
by date/time. The Change Log Entries table below shows how the feature notes the User ID of the
person making the changes, the fields changed, and the old and new values of the field. These
changes can be tracked either through the window as seen above or made into a report.
Figure 13. Change Log Window
Client Monitor
The Client Monitor also helps to track changes and communications between individual computers and
the Database Server for Microsoft Dynamics NAV. It can monitor communications between the client
and a database that is stored locally. See Figure 14.
Figure 14. Client Monitor Window
The ability to track changes means that administrators will be able to see exactly when changes were
made and who made them. Users will be cited for every change they personally made and for each
time they initiated communication between the client and database. Usually this feature will be used
to validate new customizations to the database to ensure the changes have the desired results.
This safeguarding functionality of Microsoft Dynamics NAV helps in the compliance of sections 302 and
404. With Microsoft Dynamics NAV, it’s possible to track what changes were made and by which
employees, limiting opportunities for all employees to change or tamper with information. This helps
CFO’s and financial controllers to validate that the information in the reports is reliable and accurate,
and that it does not include incidence of fraud before signing off and complying with section 302. This
same transparency will help in the creation of controls and the external evaluation of the system
required for the compliance of section 404. This functionality helps make internal controls more
transparent. It helps those within the organization who are responsible for maintaining internal controls see the controls at work through the changes made by specific employees. Furthermore, this
functionality makes it easier to trace back to a specific date and user for further clarification.
Tools to Help Ensure Data Consistency and Integrity of the System
While this may not be directly related to Sarbanes-Oxley compliance, Microsoft Dynamics NAV
provides tools for programmers and IT employees that help ensure the integrity of the system as a
whole and provide a reasonable assurance that the information presented is valid and the product of
sound programming. These are also used to validate new customizations to the database and help
ensure that customizations have the desired effect.
Backups
The backup feature in Microsoft Dynamics NAV provides for regular backups of either all or part of the
database. These backups can be done manually or can be scheduled to occur regularly.
Figure 15. Back Up Window
This feature supports section 404 by creating a valuable link in an organization’s internal structure and
procedure for financial reporting through safeguarding. The backups help guarantee that information
entered into the system is protected from electronic failures such as computer or network crashes.
Microsoft Dynamics NAV will create a backup file either on command or on a schedule, so if such an
event were to occur, a full record of all transactions as of the backup would be available. This would
help reinforce the systems reliability in connection to Sarbanes-Oxley compliance efforts.
Conclusion
The changes associated with Sarbanes-Oxley compliance may seem like a burden to those facing
compliance, but with the proper approach, compliance may actually leave organizations and their
subsidiaries in a better condition than they were in before complying. Organizations cannot achieve
Sarbanes-Oxley compliance without the proper tools and once these tools have been obtained,
compliance becomes an opportunity for organizations to reevaluate their business practices and grow.
Microsoft Dynamics NAV is a powerful ally in compliance efforts when used within an internal controls
structure, and can give organizations the extra controls and review tools they need to help reach
compliance and improve their organizational capacity.
Additional Resources
For more information about the SOX Bill, please see:
http://www.sec.gov/news/testimony/090903tswhd.htm
http://www.sec.gov/divisions/corpfin/faqs/soxact2002.htm
http://www.sec.gov/spotlight/sarbanes-oxley.htm
For full text of the SOX bill in PDF format, please see:
http://www.sec.gov/about/laws/soa2002.pdf
For more information about COSO, please see:
http://www.coso.org
For more information about IAS, please see:
http://www.iasb.org
For more information about Basel II, please see:
http://www.bis.org/publ/bcbsca.htm
About Microsoft Dynamics
Microsoft Dynamics is a line of integrated, adaptable business management solutions that enables you
and your people to make business decisions with greater confidence. Microsoft Dynamics works like
and with familiar Microsoft software, automating and streamlining financial, customer relationship and
supply chain processes in a way that helps you drive business success.
Table of Contents
- Executive Summary
- What is Sarbanes-Oxley?
- Sarbanes-Oxley Bill: Sections of Importance
- Section 302
- Section 404
- Section 409
- The Demands on ERP Solutions
- Microsoft Dynamics NAV Features that Help with Compliance Efforts
- Authorization and Security with Role-Based Security and Access Restriction
- Application Controls and Data Validation
- Reconciliation
- Reporting
- XBRL Documents
- Navigating – Following the Audit Trail
- Customization for Local Requirements.
- Accounting for Alterations Made to Data
- Tools to Help Ensure Data Consistency and Integrity of the System
- Backups
- Conclusion
- Additional Resources
- About Microsoft Dynamics