How To Get Started with your IT Compliance Efforts for SOX

There’s no question about it. For many of you top executives in the corporate world, all roads leading to a brighter future have to go through SOX compliance. And because the business processes that contribute to financial reporting (the crux of the Sarbanes-Oxley Act) are now highly reliant on IT systems, it is important to focus a good part of your attention there.

It is a long and arduous path to IT compliance, so if you don’t want your company to fall by the wayside through inefficient use of resources, it is important to set out with a plan in hand. What follows is some vital information that will guide you in putting together a sound plan for SOX compliance of your company’s IT systems.

Why focus on IT systems for SOX compliance?

We’ll get to that. But first, let’s take up the specific portions of the Sarbanes-Oxley Act that affect information technology. These portions can be found in Section 302 and Section 404 of the act.

In simplified form, Section 302 grants the SEC (Securities and Exchange Commission) authority to make rules requiring you, CEOs and CFOs, to certify in each annual or quarterly financial report the following:

  • that you have reviewed the report;
  • that, based on your knowledge, the report contains no untrue statement of a material fact and omits no material fact that would render it misleading;
  • that, based on your knowledge, the financial information in the report fairly presents the financial condition of the company;
  • that you are responsible for establishing and maintaining internal controls over financial reporting; and
  • that you have evaluated the effectiveness of those internal controls and presented your conclusions in the report.

Similarly, Section 404, stated in simplified form, directs the SEC to make rules requiring you, CEOs and CFOs, to include an internal control report in each annual financial report stating that management is responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting.

You are also required to assess the effectiveness of those controls as of the end of the fiscal year, and to have the public accounting firm that audits your financial statements attest to, and report on, that assessment, in accordance with standards adopted by the Public Company Accounting Oversight Board (PCAOB).

While the Act itself makes no mention of IT systems, those systems now play a significant role in financial reporting. Practically all of the data you need for your financial reports is stored, retrieved and processed on IT systems, so you have to include them in your SOX compliance initiative and establish controls over them: a control over a financial process that ignores the application, database and infrastructure that process runs on is not a complete control.

Now that that’s settled, your next question could very well be: How do you know what controls to install and whether those controls are already sufficient to achieve compliance?

Finding a suitable guide for IT compliance

The two bodies responsible for setting rules and standards dealing with SOX, SEC and PCAOB, point to a well-established control framework for guidance – COSO. This framework was drafted by the Committee of Sponsoring Organisations of the Treadway Commission (COSO) and is the most widely accepted control framework in the business world.

However, while COSO is a tested and proven framework, it describes entity-level and business-process controls in general terms and says little about the technical specifics of IT. What we recommend is a widely used control framework that aligns well with COSO but also caters for the more technical features and issues that come with IT systems.

Taking those qualifiers into consideration, we recommend COBIT. COBIT features a well-thought-out collection of IT-related control objectives grouped into four domains: Plan and Organise (PO), Acquire and Implement (AI), Deliver and Support (DS), and Monitor and Evaluate (ME). The document also includes maturity models, performance goals and metrics, and activity goals. (The domain structure and control-objective numbering used below are those of COBIT 4.1; later editions, COBIT 5 and COBIT 2019, reorganised them, so check which edition your auditors are working from.)

A few examples of COBIT’s detailed control objectives are:

DS4.2 – IT Continuity Plans
DS4.9 – Offsite Backup Storage
DS5.4 – User Account Management
DS5.8 – Cryptographic Key Management
DS5.10 – Network Security
DS5.11 – Exchange of Sensitive Data

By those titles alone, you can see that the framework is specifically designed for IT. But the document is quite extensive and, chances are, you won’t need all of the items detailed there; the objectives that matter for SOX are the ones whose failure could affect the accuracy or completeness of financial reporting. Furthermore, don’t expect COBIT to specify a control solution for every control objective. For example, throughout the process DS4 (Ensure Continuous Service), you won’t find any mention of virtualisation, which is common in any modern business continuity solution.

Basically, COBIT will tell you what you need to attain in order to achieve effective governance, management and control, but you’ll have to pick the solution best suited to reaching that level of attainment, and you will still have to document and test that the chosen solution actually meets the objective.



Directions Hadoop is Moving In

Hadoop is a data system so big it is like a virtual jumbo jet next to which your PC is a flea. One of the developers named it after his kid’s toy elephant, so there is no complicated acronym to stumble over. The system is actually conceptually simple. It has loads of storage capacity and an unusual way of processing data. Instead of moving big files across the network to the software that processes them, it moves the processing to the nodes where the data is already stored.

The next question is what to do with Hadoop. Perhaps the question would be better expressed as: what can we do with a wonderful opportunity that we could not do before? Certainly, Hadoop is not for storing videos when your laptop starts complaining. The interfaces are clumsy, and Hadoop belongs in the realm of large organisations that have the money. Here are two examples to illustrate the point.

Hadoop in Healthcare

In the U.S., healthcare generates more than 150 gigabytes of data annually. Within this data there are important clues that online training provider DeZyre believes could lead to these solutions:

  • Personalised cancer treatments that relate to how individual genomes cause the disease to mutate uniquely
  • Intelligent online analysis of vital signs (blood pressure, heart beat, breathing) in remote children’s hospitals treating multiple victims of catastrophes
  • Mining of patient information from health records, financial status and payroll data to understand how these variables impact on patient health
  • Understanding trends in healthcare claims to empower hospitals and health insurers to increase their competitive advantages.
  • New ways to prevent health insurance fraud by correlating it with claims histories, attorney costs and call centre notes.

Hadoop in Retail

The retail industry also generates a vast amount of data, due to consumer volumes and multiple touch points in the delivery funnel. Skillspeed business trainers report the following emerging trends:

  • Tracing individual consumers along the marketing trail to determine individual patterns for different demographics and understand consumers better.
  • Obtaining access to aggregated consumer feedback regarding advertising campaigns, product launches, competitor tactics and so on.
  • Staying with individual consumers as they move through retail outlets and personalising their experience by delivering contextual messages.
  • Understanding the routes that virtual shoppers follow, and adding handy popups with useful hints and tips to encourage them on.
  • Detecting trends in consumer preferences in order to forecast next season sales and stock up or down accordingly.

Where to From Here?

Big data mining is akin to deep space research in that we are exploring fresh frontiers and discovering new worlds of information. The future is as broad as our imagination.

Increase Customer Loyalty with Field Service Management Software

One sure way to turn off customers is to give them a disappointing experience. It cuts across the board, from plumbing jobs, electrical installation and maintenance projects, window cleaning or repair, and tenants in the property you’re managing, to package delivery firms. If your customers keep experiencing delays, cancelled appointments, and oversights like double booking that end up messing up their individual schedules, they are likely to stop hiring your services and seek out a competitor.

Field service jobs are particularly prone to such blunders, especially with the traditional manual way of doing things. While smartphones and computers have been infused into the day-to-day running of businesses, it is still common to find companies relying on manual processes to schedule their appointments, track the employees providing the services, monitor the progress of the jobs, ask for status updates, and manage inventory and invoices for completed tasks. This creates a major bottleneck in operations. The Small & Medium Business Trends Report, which took responses from nearly 500 SMB owners and leaders, showed that they spend an average of 23% of each workday manually inputting data. This is time that would otherwise have been spent tending to the customers’ needs. It creates a backlog of tasks, forcing customers to wait longer to get their issues handled.

The inefficiencies of these traditional methods led to the advent of field service business management software. These systems optimise operations and enhance your service delivery. As a business, automating your scheduling, job tracking, routing procedures and invoicing, all through a single platform, greatly reduces your workload. Managing inventory, communicating with your employees out in the field through handy apps on their phones, and giving them access to a database of reports and notes on the various jobs they have been tasked with, all help smooth the sorting of tasks and get rid of the mounds of paperwork that would otherwise have been required.

From Your Customer’s Perspective

When you’re facing a plumbing leak at home, electrical faults that cause power outages in the office building, or damaged gas boilers that are hampering operations in an industrial plant, you want them addressed. Homeowners, business owners and facility managers in these situations are anxious to get the issue resolved, yet the firm they are relying on to handle it is caught up in a logistical nightmare, bogged down by paperwork that prevents it from sending its technicians to the location. You really don’t want to hear a series of excuses about why your problem could not be addressed in time. While delays are a nuisance, cancelled appointments are altogether exasperating. The customer is left in a difficult position: the problem is not resolved, and they have to make a subsequent appointment without being sure they can bank on the hired firm to deliver. With an FSM, you get to prevent such incidents from occurring.

How Your Customers Benefit From Field Service Job Management Software

Reliable services

Firstly, the customer wants services they can count on. When an issue arises and an appointment is scheduled, they want it to be honoured. With the FSM, you get to schedule the tasks accurately, from the timing involved to assigning each job to a technician who is skilled in that kind of task. With automated scheduling and dispatching, the technician downtime previously seen is reduced, which has the welcome benefit of cutting down your operational costs.

Speaking of which, the confusion previously seen when perusing documents and simply calling up the first employee whose skills roughly match the job description is avoided. Here, the field service management platform enables you to determine the most appropriate member of your workforce to handle the task. This makes them more motivated at their job, resulting in higher-quality results, whether it’s an installation task, a repair and maintenance project, or a cleaning service for companies providing them in residential and commercial buildings.

Get it done right the first time around

The field service scheduling software gives the technician real-time access to all the information pertaining to the job. This is delivered via an app that the technicians have on their phones. It is through this very app that they update the tasks being handled, sending notes, photos and reports to the system. These are, in turn, monitored at the head office throughout the progress of the job, through the interactive FSM dashboard.

With the customer’s history accessible to the technician, including the specs and hazards of the particular job, and notes from previous technicians who were assigned to the building, such as the installation crew and previous repairs, the personnel on the ground can make well-informed decisions throughout the course of the task. Any issues that arise are also noted, and equipment and parts can be ordered through the app as well, ensuring that things proceed seamlessly. That way, the percentage of situations fully resolved during the first appointment increases, which translates to fewer complaints.

Instant invoicing

As soon as the job is done, the customer enters their e-signature through the app and the technician marks the task as completed; the same FSM is then used to process the invoice and send an emailed copy to the customer. This is an accurate invoice, without any data loss, and the customer can then make the payment through their preferred mode, from credit card to cash, without having to wait for hours for paperwork to be processed. All this information is stored on the cloud-based platform.

Creating a great first impression

Your image is a core part of your operations. Certainly, you don’t want to come across as disorganised, and your customers will be quick to notice issues like missing records, outdated reports, lateness and improper assignment of tasks. On the other hand, having a modern digital solution integrated into your field service operations will enable you to make a great first impression, showing the professionalism with which you offer your services.

Customer access

FSM platforms like FieldElite also give the customers themselves access to the system, through their own dashboard. This is particularly handy given that some customers will have multiple jobs to be carried out, like property managers who keep having plumbing accidents, electrical faults and cleaning service needs in the different buildings they are in charge of.

Through the customer portal, they are able to make appointments, track the history of repair and maintenance jobs carried out on the property, and follow up on queries. What’s more, where FieldElite links to ecoVaro via IoT, one can have an interactive energy management system in place to keep accurate tabs on energy consumption and efficiency, point out areas where repairs are needed, and have technicians come over, with the bookings made through the FSM.

Enhance Customer Experience And Score New Business Opportunities

Customer service is a key aspect of your operations. When your customers are well tended to, with their needs met in a timely and proficient manner, it wins you their loyalty, and they’ll be more open to sending referrals your way, growing your market share. Feedback, from testimonials on your site to reviews on your social media handles, also helps here, and you want satisfied clients who will put in a good word for your brand. By investing in field software for service businesses, you will increase your employees’ productivity, monitor trends, and improve communication between your head office and the technicians on the ground, all of which come together to increase customer satisfaction.

How to Reduce Costs when Complying with SOX 404

Section 404 contains the most onerous and most costly requirements you’ll encounter in the Sarbanes-Oxley Act (SOX). In this article, we’ll take a closer look at the salient points of this contentious piece of legislation as it relates to IT. We’ll also explain why companies encounter difficulties in complying with it.

Then, once we’ve tackled the main issues of this section and identified the pitfalls of compliance, we can proceed to discuss what successful CIOs have done to eliminate those difficulties and consequently bring down their organisation’s IT compliance costs. From this post, you can glean insights that will help you plan a cost-effective way of achieving IT compliance with SOX.

SOX 404 in a nutshell

Section 404 of the Sarbanes-Oxley Act, entitled Management Assessment of Internal Controls, requires public companies covered by the Act to include in their annual report an assessment of the company’s internal controls.

This ‘internal control report’ should state management’s responsibility for establishing and maintaining an adequate structure and set of procedures for internal control over your company’s financial reporting. It should also contain an assessment of the effectiveness of those controls as of the end of your most recent fiscal year.

Because SOX also requires the public accounting firm that audits your financial statements to attest to and report on your assessment, you can’t just make baseless claims about the effectiveness of your internal controls. The SEC’s rules require management’s assessment to be based on a suitable, recognised control framework, of which COSO is the usual choice; IT-specific frameworks such as COBIT are widely used alongside it to map IT controls to it. The framework serves as a uniform guide for the internal controls you set up, the assessments you arrive at, and the attestation your external auditor reports on.

Why compliance of Section 404 is costly

Regardless of which of the widely accepted control frameworks you end up using, you will always be asked to document and test your controls. These activities can consume a considerable number of man-hours and bring additional expenses. Even the mere act of studying the control framework and figuring out how to align your current practices with it can be tricky and can consume precious time, time that could be used for more productive endeavours.

Of course, there are exceptions. An organisation with highly centralised operations can experience relative ease and low costs while implementing SOX 404. But if your organisation follows a largely decentralised operation model, e.g. if you still make extensive use of spreadsheets in all your offices, then you’ll surely encounter many obstacles.

According to one survey conducted by FEI (Financial Executives International), an organisation that has carried out a series of SOX-compliance-related surveys since the first year of SOX adoption, respondents with centralised operations enjoyed lower costs of compliance than those with decentralised operations. For example, in 2007, those with decentralised operations spent 30.1% more on compliance than those with centralised operations.

A major reason for this disparity lies in the disorganised and complicated nature of spreadsheet systems: a spreadsheet spread across many workstations has no central place to enforce access control, change control or an audit trail, so each copy has to be documented and tested separately.

Read why spreadsheets pose a burden when complying with SOX and other regulations.

Unfortunately, a large number of companies still rely heavily on spreadsheets. Even those with expensive BI (Business Intelligence) systems still use spreadsheets as an ad-hoc tool for data processing and reporting.

Because compliance with Section 404 involves a significant amount of fixed cost, smaller companies tend to feel the impact more. This was highlighted in the ‘Final Report of the Advisory Committee on Smaller Public Companies’ published on April 23, 2006. That report, which can be downloaded from the official website of the US Securities and Exchange Commission, showed that:

  • Companies with over $5 Billion revenues spent only about 0.06% of revenues on Section 404 implementation
  • Companies with revenues between $1B – $4.9B spent about 0.16%
  • Companies with revenues between $500M – $999M spent about 0.27%
  • Companies with revenues between $100M – $499M spent about 0.53%
  • Companies with revenues less than $100M spent a whopping 2.55% on Section 404

Therefore, not only can you discern a relationship between the size of a company and the amount it ends up spending on SOX 404 relative to its revenues, but you can also clearly see that the unfavourable impact of Section 404 spending is considerably more pronounced in the smallest companies. Hence, the smaller the company, the more crucial it is for that company to find ways to bring down the cost of Section 404 implementation.

How to alleviate costs of section 404

If you recall the FEI survey mentioned earlier, it showed that organisations with decentralised operations usually ended up spending more on SOX 404 implementation than those with a more centralised model. Then, in the ‘Final Report of the Advisory Committee on Smaller Public Companies’, it was also shown that public companies with the smallest revenues suffered a similar fate.

Can we draw a line connecting those two? Does it simply mean that large spending on SOX affects two distinct sets of companies, i.e. those that have decentralised operations and those that are small? Or is there a deeper implication? Might these two sets actually be largely one and the same?

From our experience, small companies are less inclined to spend on server based solutions compared to the big ones. As a result, it is within this group of small companies where you can find a proliferation of spreadsheet systems. In other words, small companies are more likely to follow a decentralised model. Spreadsheets were not designed to implement strict control features, so if you want to apply a control framework on a spreadsheet-based system, it won’t be easy.

For example, how are you going to test every single spreadsheet cell that plays a role in financial reporting when the spreadsheets involved in the financial reporting process are distributed across different workstations in different offices of an organisation with countrywide operations?

It’s really not a trivial problem.

The FEI survey, however, points to what the larger companies have already done about it: they have moved to a server-based system.

Typical server-based systems, which naturally follow a centralised model, already come with built-in controls such as authentication, access permissions and audit logging. If you need to modify or add controls, you can do so with relative ease, because practically everything you need to do can be carried out in one place, and there is one place for the auditor to test.

For instance, if you need to implement high availability or perform backups, you can apply redundancy cost-effectively, e.g. through virtualisation, if you already have a server-based system. Aside from cost savings in SOX 404 implementation, server-based systems also offer a host of other benefits.

Not sure how to get started on a cost-effective IT compliance initiative for SOX? You might want to read our post How To Get Started With Your IT Compliance Efforts for SOX.
