How To Get Started with your IT Compliance Efforts for SOX

There’s no question about it. For many of you top executives in the corporate world, all roads leading to a brighter future have to go through SOX compliance. And because the business processes that contribute to financial reporting (the crux of the Sarbanes-Oxley Act) are now highly reliant on IT systems, it is important to focus a good part of your attention there.

It is a long and arduous path to IT compliance, so if you don’t want your company to fall by the wayside due to inefficient utilisation of resources, it is important to set out with a plan on hand. What we have here are some vital information that will guide you in putting together a sound plan for SOX compliance of your company?s IT systems.

Why focus on IT systems for SOX compliance?

We’ll get to that. But first, let’s take up the specific portions of the Sarbanes-Oxley Act that affect information technology. These portions can be found in Section 302 and Section 404 of the act.

In simplified form, Section 302 grants the SEC (Securities and Exchange Commission) authority to come up with rules requiring you, CEOs and CFOs, to certify in each annual or quarterly financial report the following:

  • that you have reviewed the report;
  • that based on your knowledge, the report does not contain anything or leave out anything that would render it misleading;
  • that based on your knowledge, all financial information in the report fairly represent the financial conditions of the company;
  • that you are responsible for establishing internal controls over financial reporting; and
  • that you have assessed the effectiveness of the internal controls.

Similarly, Section 404, stated in simplified form, allows the SEC to come up with rules requiring you, CEOs and CFOs, to add an internal control report to each annual financial report stating that you are responsible for establishing internal controls over financial reporting.

You are also required to assess the effectiveness of those controls and to have a public accounting firm to attest to your assessment based upon standards adopted by the Public Company Accounting Oversight Board (PCAOB).

While there is no mention of IT systems, IT systems now play a significant role in financial reporting. Practically all of the data you need for your financial reports are stored, retrieved and processed on IT systems, so you really have to include them in your SOX compliance initiatives and establish controls on them.

Now that that’s settled, your next question could very well be: How do you know what controls to install and whether those controls are already sufficient to achieve compliance?

Finding a suitable guide for IT compliance

The two bodies responsible for setting rules and standards dealing with SOX, SEC and PCAOB, point to a well-established control framework for guidance – COSO. This framework was drafted by the Committee of Sponsoring Organisations of the Treadway Commission (COSO) and is the most widely accepted control framework in the business world.

However, while COSO is a tested and proven framework, it is more suitable for general controls. What we recommend is a widely-used control framework that aligns well with COSO but also caters to the more technical features and issues that come with IT systems.

Taking into consideration those qualifiers, we recommend COBIT. COBIT features a well thought out collection of IT-related control objectives grouped into four domains: Plan and Organise (PO), Acquire and Implement (AI), Deliver and Support (DS), and Monitor and Evaluate (ME). The document also includes maturity models, performance goals and metrics, and activity goals.

A few examples of COBIt’s detailed control objectives are:

DS4.2 – IT Continuity Plans
DS4.9 – Offsite Backup Storage
DS5.4 – User Account Management
DS5.8 – Cryptographic Key Management
DS5.10 – Network Security
DS5.11 – Exchange of Sensitive Data

By those titles alone, you can see that the framework is specifically designed for IT. But the document is quite extensive and, chances are, you won’t need all of the items detailed there. Furthermore, don’t expect COBIT to specify a control solution controls for every control objective. For example, throughout the control objective DS4 (Ensure Continuous Service), you won’t find any mention of virtualisation, which is common in any modern business continuity solution.

Basically, COBIT will tell you what you need to attain in order to achieve effective governance, management and control, but you’ll have to pick the solution best suited to reach that level of attainment.

Articles highly relevant to the one you just read:

Month End Accounting The Way It Should Be Today
Spreadsheet Woes ? Burden in SOX Compliance and Other Regulations
Spreadsheet Woes ? Limited Features For Easy Adoption of a Control Framework
How Internal Auditors Can Win The War Against Spreadsheet Fraud

Check our similar posts

When Carrefour Pushed the Right Buttons

Retail giant Carrefour based in Boulogne Billancourt, France is big business in anybody?s numbers. Europe?s #1 retailer opened its first store in 1958 near a crossroads (Carrefour means ?crossroad? in French) and has largely not looked back since then. The slogan for the hypermarket chain with more than 1,500 outlets and close to a half million employees is ?choice and quality for everyone?. Our story begins when Carrefour decided these things belong at home too.

The company implemented a worldwide universal responsibility program firmly anchored on a tripod of goals for environmental, economic and social progress. Its first step was to appoint a five-person project team tasked with liaising with program delegates in all thirty countries in which it operates, and who had responsibility for driving these goals.

The team?s job was to make sure that policies, standards, procedures and key performance areas were common visions throughout Carrefour. By contrast, the local managers? were tasked with aligning these specifics to local conditions in terms of environmental, political and social issues. The project team checked the fit quarterly via video conferences.

The Triple Bottom Line Goals were woven through with Carrefour?s Seven Core Values, namely Freedom, Responsibility, Sharing, Respect, Integrity, Solidarity and Progress. Constant contact was maintained with staff and other stakeholders through ?awareness training? seminars and other dialogues. As the program took hold and flourished, it became evident that the retail giant needed help with managing the constant stream of metrics flowing in.

After reviewing options, Carrefour appointed a software provider to monitor progress against its primary focuses on energy, water, waste, refrigeration, paper, disposable checkout bags, hygiene & quality, management gender parity, disabled people and logistics. This enabled it to track progress online against past performance, and produce meaningful reports.

The Environmental Manager in the Corporate Sustainability Department waxed lyrical when he said, ?We believe that our sustainability strategy and software solution have powerfully improved collaboration, innovation, and overall performance?. He went on to describe how it was helping drive cost down and profitability up, while simultaneously growing brand.

Non-conformance costs can be high and run counter to the imperative to make a profit – while simultaneously ensuring a better world for our children?s children. In Carrefour?s case, having a consultant to measure progress was the key that unblocked the administrative bottleneck. Irish company Ecovaro does this for companies around the world. Click here. Discover what we will do for you.

IT Transformation Defined

Businesses depend on IT to effectively manage business processes and to provide products and services to clients. As IT technologies advance, it is crucial that businesses update their hardware to remain competitive. But businesses should do more than simply upgrade their servers and should really strive to effect IT transformation.

What is IT Transformation?

IT transformation is the ongoing process of changing the way that a company uses IT to better align it with current business goals. Through the IT transformation process, businesses try to determine whether they are meeting mission-critical benchmarks through the incorporation of new IT technologies for corporate transformation.

For example, if one of the current business concerns is whether the company can improve customer service, the IT system will need to evolve in such a way that improves customer service in a measurable way.

Successfully Aligning the Technology to Business Goals

In order to successfully align the IT system with business goals, it is important to understand the newly integrated technologies to understand how they can change business processes. If a new feature is intended to make the server more secure, the management should know exactly how the feature will improve the security of the server and whether the new implementation is redundant.

Once the business objectives have been identified, IT transformation is carried out by changing both the software and hardware used by the company. An example would be the growing trend of server migration to the cloud. Cloud computing is the growing trend of making files and data accessible from anywhere. If an organisation believes that it can improve productivity through a server cloud migration, it will need a way to test this.

The IT Transformation Process

Given that IT transformation is directly related to the core business, the IT transformation process must begin by identifying which aspects of the company must be changed. Then, the company must determine?IT services that could potentially be integrated into the business in a way that will help the company achieve benchmarks. After the key decision-makers understand the IT network well enough to effectively implement it, the company must efficiently manage the transformation process. Then, after the IT has been integrated, the company must have a system in place to measure business transformation in a numerical way.

For example, when assessing customer satisfaction, one effective strategy would be to distribute customer satisfaction surveys that ask customers to rate their experiences on a scale of one to ten. The company can then measure the results of the customer satisfaction survey to determine whether the new IT implementations are accomplishing their intended goals.

If the expected benchmarks are not being met, the next step in the IT transformation process is to determine if there is a specific reason for that. Is there a way that the feature can be better integrated to achieve desired business objectives? Are there other features that can help the company better achieve its goals?

Upgrading a network can be an expensive process and it is important to identify early on which options are the most likely to benefit the company’s bottom line.

Field Service Organisations should use Digital Forms

For many Organisations, making use of paper based forms, is a common practice and method for collecting data and recording transactions. Whether it be for producing Quotations, Invoices or even getting sign off on completed jobs.

Paper based forms and documents have been the main stay of office communication and productivity for over 200 years. Paper-based forms are used to create anything from Invoices, Receipts, Purchase Orders, Contracts to the humble internal memo!

Paper-based forms radically improved productivity, efficiency and compliance by enabling people to create paper based instructions and enabling others to add additional information as required.

Over the past 3 decades or so, modern business environments have gradually been evolving towards the concept of the Paperless Office, resulting in the humble Paper based document migrating to a Digital Counterpart. The ease of availability of various Word Processing and Spreadsheet software products and cheap and easy data storage capacity have resulted in the Proliferation of thousands if not millions of files and documents being stored somewhere on the Company’s IT infrastructure.

People often create Digital Templates of forms that may be printed off and supplied to staff to complete using Pen and Paper or electronically. The data collation and reporting is often process

Often when conducting Operational Reviews, it is commonly found that the processing and analysing paper based forms is the least productive, efficient and profitable areas of business, although it is often vitally important.

Benefits of using digital forms for data collection

The ability to collect and analyse data effectively is increasingly important to businesses. Companies gather, examine, process and build reports on large volumes of data. Traditionally, they have deployed mail surveys, telephone interviews, door-to-door interviews as methods to collect information. With the ongoing digitisation, these procedures have become old fashioned.The digital transformation is changing many business operations at a high speed and a great deal of processes that were executed manually are now accomplished using digital methods.

Technology has had a major impact on how to approach data research and has provided researchers new tools that have transformed and improved data collection and analysis. The pace of change requires companies to be able to react quickly and adapt themselves to changing demands from customers and market conditions.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Ready to work with Denizon?

Contact Us Today