Management – SOX and Biz Procedure Documentation


You know it all: “…financial scandals lately damaged investor, customer, supplier, and employee confidence… Government and regulatory agencies are enforcing new rules; SOX comes around with harsh consequences for your business…”

We won’t elaborate on these propositions: let’s analyse the problem.

If you convince the external auditors that you are doing things right, that your control procedures are in place and that any internal event can be reconstructed reliably, you will have the auditors’ OK and consent. Is that what you want? We start with two questions:

  1. Why is that so difficult to achieve?
  2. How can it be done?


Answer to question 1:

There are many concepts around for internal control, IT management etc. No doubt – very good concepts and models, but mostly very abstract and not covering the whole task. There is no global, pragmatic and simple approach telling precisely what to do. In other words: there is no model that clearly maps the real world of accounting AND IT into documentation.

The IT Governance Institute only refers to “processes and subprocesses”; it does not differentiate between mere IT procedures and bookkeeping transactions (enabled by IT) and thus makes us forget that a process, if properly modelled, uses resources. These resources in turn represent a set of identifiable risk objects!

  • This means that resources have to be defined and modelled as building elements for processes.
  • GAAP should not simply be swallowed by IT governance; the clear gap between GAAP and COSO/COBIT must remain definite.
  • The degree of detail, the granularity of the model, shall be determined by the identifiable risk object, i.e. the Internal Control Object. This requires identifying an atomic (“semaphore”) event, be it a bookkeeping transaction (subprocess) or some IT action (subprocess). Tackling a “money transfer event” and splitting it into “permission” and “execution” is much simpler than analysing the whole governing process on top. The event, identified by a name, appears in a recording journal and is a “natural” risk object.


Answer to question 2:

Compliance Documentation. This second answer looks simplistic; but, in fact, it is not that simple. On the contrary, documentation is strongly neglected and underrated. Documentation here means: mapping objects and events from the real world into a descriptive paradigm that covers all control objects of the company with adequate granularity.

Brain at work: Let us take a look at the auditors as human beings, subject to human cognition. The auditors know all about GAAP, IAS, IACA, SEC… guidelines, requirements etc. This abstract universe of measures has to be applied to the grid of your company. But what is the grid and where is the grid? There are two grids! One grid is in the auditor’s mind, a cellular neurological pattern determined by knowledge and experience; the other one is constructed by perception of the reality the auditor is confronted with and conveyed to the auditor’s mind. Now the matching of the two grids takes place.

A set of clear and perspicuous images mapped onto your mind will ease the complex process of judging highly intertwined facts. And like every human being, the auditor is a victim of Goleman’s “blind spot” when he is going through the process of abstraction. So give the auditor an information grid that, cell by cell, corresponds closely to his own.

The grid is a model. If we do not know the model the auditor carries in his mind, the question arises whether there is an intuitive model everybody will comply with. A model with the seductive power of clarity? Take a look at Ganymed.