How To Get Started with your IT Compliance Efforts for SOX

There’s no question about it. For many of you top executives in the corporate world, all roads leading to a brighter future have to go through SOX compliance. And because the business processes that contribute to financial reporting (the crux of the Sarbanes-Oxley Act) are now highly reliant on IT systems, it is important to focus a good part of your attention there.

It is a long and arduous path to IT compliance, so if you don’t want your company to fall by the wayside due to inefficient utilisation of resources, it is important to set out with a plan on hand. What we have here are some vital information that will guide you in putting together a sound plan for SOX compliance of your company?s IT systems.

Why focus on IT systems for SOX compliance?

We’ll get to that. But first, let’s take up the specific portions of the Sarbanes-Oxley Act that affect information technology. These portions can be found in Section 302 and Section 404 of the act.

In simplified form, Section 302 grants the SEC (Securities and Exchange Commission) authority to come up with rules requiring you, CEOs and CFOs, to certify in each annual or quarterly financial report the following:

  • that you have reviewed the report;
  • that based on your knowledge, the report does not contain anything or leave out anything that would render it misleading;
  • that based on your knowledge, all financial information in the report fairly represent the financial conditions of the company;
  • that you are responsible for establishing internal controls over financial reporting; and
  • that you have assessed the effectiveness of the internal controls.

Similarly, Section 404, stated in simplified form, allows the SEC to come up with rules requiring you, CEOs and CFOs, to add an internal control report to each annual financial report stating that you are responsible for establishing internal controls over financial reporting.

You are also required to assess the effectiveness of those controls and to have a public accounting firm to attest to your assessment based upon standards adopted by the Public Company Accounting Oversight Board (PCAOB).

While there is no mention of IT systems, IT systems now play a significant role in financial reporting. Practically all of the data you need for your financial reports are stored, retrieved and processed on IT systems, so you really have to include them in your SOX compliance initiatives and establish controls on them.

Now that that’s settled, your next question could very well be: How do you know what controls to install and whether those controls are already sufficient to achieve compliance?

Finding a suitable guide for IT compliance

The two bodies responsible for setting rules and standards dealing with SOX, SEC and PCAOB, point to a well-established control framework for guidance – COSO. This framework was drafted by the Committee of Sponsoring Organisations of the Treadway Commission (COSO) and is the most widely accepted control framework in the business world.

However, while COSO is a tested and proven framework, it is more suitable for general controls. What we recommend is a widely-used control framework that aligns well with COSO but also caters to the more technical features and issues that come with IT systems.

Taking into consideration those qualifiers, we recommend COBIT. COBIT features a well thought out collection of IT-related control objectives grouped into four domains: Plan and Organise (PO), Acquire and Implement (AI), Deliver and Support (DS), and Monitor and Evaluate (ME). The document also includes maturity models, performance goals and metrics, and activity goals.

A few examples of COBIt’s detailed control objectives are:

DS4.2 – IT Continuity Plans
DS4.9 – Offsite Backup Storage
DS5.4 – User Account Management
DS5.8 – Cryptographic Key Management
DS5.10 – Network Security
DS5.11 – Exchange of Sensitive Data

By those titles alone, you can see that the framework is specifically designed for IT. But the document is quite extensive and, chances are, you won’t need all of the items detailed there. Furthermore, don’t expect COBIT to specify a control solution controls for every control objective. For example, throughout the control objective DS4 (Ensure Continuous Service), you won’t find any mention of virtualisation, which is common in any modern business continuity solution.

Basically, COBIT will tell you what you need to attain in order to achieve effective governance, management and control, but you’ll have to pick the solution best suited to reach that level of attainment.

Articles highly relevant to the one you just read:

Month End Accounting The Way It Should Be Today
Spreadsheet Woes ? Burden in SOX Compliance and Other Regulations
Spreadsheet Woes ? Limited Features For Easy Adoption of a Control Framework
How Internal Auditors Can Win The War Against Spreadsheet Fraud

Check our similar posts

Strategy and Portfolio Management

 

A well planned strategy is the necessary bridge between brilliant leadership and excellent execution. Without it, your entire organisation cannot hope to respond quickly and effectively to challenges and changes within the landscape on which it operates.

Strategic planning involves identifying objectives, understanding what resources are needed to attain them, and then allocating the resources to the appropriate units to ensure they are used optimally towards the achievement of desired objectives. Among the end results which can be reflected by your team members are:

  1. Deeper understanding of the competitive environment;
  2. Snappy execution of plans;
  3. Faster, more aligned actions; and
  4. More intelligent and apt responses against strategic moves of the competition.

We understand the need to institute strategic management in such a way that your organisation can easily adapt to unforeseen developments. As such, all our solutions are formulated to make your organisation not only well-guided but also as dynamic as possible.

Strategy Formulation

Before you can proceed to map out any strategy for your company, you’ll have to study your company’s current environment. This will help you determine what courses of action should be taken to be able to navigate through such environment on your way to the end goal.

If you’re not a full time strategist, such a task can either be very daunting or deceivingly easy… the former can prevent your team from getting started, while the latter can lead your team astray.

Ideally, strategy formulation should be carried out as quickly and as efficiently as possible so you can move on to implementation before the competition can react. Our methods can enable your leaders to hit the ground running each time they set out on a strategic plan.

How?

  • We can assist in accurately applying strategic tools like SWOT and Gap analysis, then help integrate the results into an effective strategic plan.
  • We’ll train your team how to carry out effective research techniques so that the information they gather will really be what we need. This is because the tools mentioned earlier can only work effectively if the inputs were picked intelligently. Of course, if you want the entire process expedited, we can also conduct the research ourselves.
  • We’ll establish best practices for top-down, bottom-up, and collaborative strategic management processes. We’ll even show you how to organise and hold meetings where team members are constantly engaged and in-sync, so action plans can be developed and relayed fast.
  • We’ll see to it that strategies for all functional departments (such as IT management, supply-chain, HR, marketing, and legal) are in line with your business strategies, which should in, turn be aligned with your overall corporate strategy.

Strategy Evaluation

Your strategies have to be periodically assessed if you want to determine whether they are attuned to variations affecting your organisation. These changes may include new technologies, emerging competitors, new opportunities, as well as unexpected developments in the economic environment and political climate.

While no time limit is imposed for the build-up of resources vital to the attainment of a specific objective, the window of opportunity can shut on you before you can start amassing such resources. Given this possibility, it is important for your strategies to undergo evaluation processes that will determine whether you should pursue them or not.

Using only the most reliable evaluation techniques, we’ll help you establish whether:

  • Your strategies will place your company in a position that will give it competitive advantage or will erode whatever advantage the competition already has;
  • Your strategies are consistent with the landscape on which your company currently traverses;
  • They are realistic enough in relation to the resources you have on hand;
  • The associated risks have all been identified and the appropriate control measures have already been put in place;
  • The time frames for their full realisation are both realistic and acceptable.

Portfolio Management

In today’s highly competitive market, many of the more successful enterprises are driven by project-based systems.

Now, there’s always a tendency for project managers to become overenthusiastic and to come up with a number of projects that can’t be sustained by available resources. If your project-based company frequently runs out of resources, then either you just have too many projects running or too much is being allocated to a select few.

In both instances, the problem does not necessarily lie on the individual project managers themselves. Rather, what is needed is the ability to have full control over existing projects and investments.

Your leadership should be able to rank projects in terms of their impact to your organisation’s growth, positioning, and profitability. This will give you sufficient information when deciding which projects to pursue, prioritise, or shut down. These are the benefits you’ll gain from our services:

  • A vivid presentation of the big picture. Only when you can step back from all the detail and see the interplay of investments and resources will you be able to make wise decisions regarding how and where to position them.
  • The ability to distinguish between projects with the highest potentials and those that are outdated.
  • Access to expertise that will help you distribute your present IT infrastructure, human resources, financial resources, and facilities across running projects to obtain the biggest benefits for all stakeholders.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
What are Operational Reviews

Faced with growing competition, businesses continually need to find new innovative solutions and ideas to improved organizational performance, especially in various cut-throat industries where innovation and good management can make or break the company.

This is the reason why, businesses place greater emphasis on the evaluation of efficiency, effectiveness, and economics of its operations.

Conducting regular Operational Reviews are key to keeping your company at peak performance.

What is an Operational Review

An operational review is an in-depth and objective review of an entire organization or a specific segment of that organization. It can be used to identify and address existing concerns within your company such as communication issues between departments, problems with customer relations, operating procedures, lack of profitability issues, and other factors that affect the stability of the business.

Operational reviews allow the organization members to evaluate how well they are performing, given that they perform appropriately according to the procedures set by them, allocating their resources properly, and performing such tasks within time frame set and using cost-effective measures. More importantly, it also shows your company how well it is prepared to meet future challenges.

What are the objectives of an Operational Review

The goals of an operational review are to increase revenue, improve market share, and reduce cost.

An operational review allows the management to see their company in a different light i.e a larger perspective. That is, it gives the management the opportunity to evaluate if the entrusted resources were used wisely to achieve the desired results of operations.

Operational reviews provide a comprehensive assessment of authority in that they help define expectations, and empower people within an organization to enact? up on it. This is due feedback provided will help them to better gauge the value of tasks performed and whether the job is being done the right or wrong way, and on what areas the company can excel and improve on.

The whole is greater than the sum of its parts

Questions worth considering in an Operational Review

Are you able to view your own organization as a whole from an objective angle?

Do the different departments complement each other so that they form a cohesive unit that boosts your business in the right direction?

With our comprehensive assessment of your organization?s current systems, operations, processes, and strategies, our operational review programs aim to help you in achieving these lofty goals: to improve business profitability and identify incompetence in both operations and organizational systems.

Benefits of an Operational Review

The main objective of an operational review is to help organizations like yours to learn how to deal with and address issues, instead of simply reacting to the challenges brought about by growth and change.

Information and data gathered in an Operational Review is practical from both a financial and operational perspective. Using? data, management can then formulate recommendations, which are not only realistic, but more importantly, can help the organization achieve its goals.

The Operational Review recognizes the extent to which your internal controls actually work, and enables you to identify and understand your strengths, weaknesses, opportunities and threats.

What should be included in an operational review

  • Assess compliance within your own organizational objectives, policies and procedures
  • Evaluate specific company operations independently and objectively
  • Impartial assessment regarding the effectiveness of an organization’s control systems
  • Identify the appropriate standards for quantifying achievement of organizational objectives
  • Evaluate the reliability and value of the company’s management data and reports
  • Pinpoint problem areas and their underlying causes
  • Identify opportunities to increase profit, augment revenue, and reduce costs without sacrificing the quality of the product or service.

More Operational Review Blogs

 

Carrying out an Operational Review

 

Operational Reviews

 

Operational Efficiency Initiatives

 

Operational Review Defined

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
What ISO 14001 Status did for Cummins Inc.

Cummins manufactures engines and power generation products, and has been a household name almost since inception in 1919. It sells its products in over 300 countries, through approximately 6,000 dealerships employing 40,000 people. Because its product line runs off fossil fuel it is under steady pressure to display a cleaner carbon footprint.

Cummins decided to go for the big one by qualifying for ISO 14001 certification. This is a subset of a family of standards relating to managing environmental impact while complying with all applicable legislation. In this sense, it is similar to the ISO 9000 quality management system, because it focuses on how products are produced (as opposed to how those products perform). Compliance with ISO 14001 was a doubly important goal, because it is part of the European Union?s Eco Management and Audit Scheme and fast becoming mandatory on suppliers to governments.

The qualification process follows the well-established principle of plan, do, check, act. It begins with gap analysis to detect materials and processes that affect the environment. This is followed by implementation of necessary changes affecting operations, documentation, emergency strategies and employee education. The third step involves measuring and monitoring performance. Finally, the project moves into a phase of ongoing maintenance, and continuous improvement as circumstances change.

In Cummins case, the project was almost worldwide and called for environmental, health and safety reporting throughout the organisation. The information was shared via a globally accessible document repository, and then processed centrally at the head office in Columbia, Indiana USA.

Measuring environmental performance almost inevitably has other benefits that make it doubly worthwhile. Speaking at the 2014 National Safety Council Congress after receiving the top award for excellence, Cummins chairman and ceo Tom Linebarger commented on a journey that was ?nothing short of amazing? yet wasn’t even a ?pathway to the finish line?.

?All of us feel like we have way more to do to make sure that our environment is as safe as it could be,? he added, ?so that our sustainability footprint is as good as it can be and that we continue to set more aggressive goals every year. That’s just how we think about it.? Linebarger concluded.

If you are taking your company on a journey to new heights of environmental excellence, then you should consider choosing ecoVaro as your travelling companion. We are environmental management specialists and have proprietary software geared to process your data. We also have a wealth of experience, and a treasure chest of roadmaps to help you achieve your goal.

Ready to work with Denizon?

Contact Us Today