How To Get Started with your IT Compliance Efforts for SOX

There’s no question about it. For many of you top executives in the corporate world, all roads leading to a brighter future have to go through SOX compliance. And because the business processes that contribute to financial reporting (the crux of the Sarbanes-Oxley Act) are now highly reliant on IT systems, it is important to focus a good part of your attention there.

It is a long and arduous path to IT compliance, so if you don’t want your company to fall by the wayside due to inefficient utilisation of resources, it is important to set out with a plan on hand. What we have here are some vital information that will guide you in putting together a sound plan for SOX compliance of your company?s IT systems.

Why focus on IT systems for SOX compliance?

We’ll get to that. But first, let’s take up the specific portions of the Sarbanes-Oxley Act that affect information technology. These portions can be found in Section 302 and Section 404 of the act.

In simplified form, Section 302 grants the SEC (Securities and Exchange Commission) authority to come up with rules requiring you, CEOs and CFOs, to certify in each annual or quarterly financial report the following:

  • that you have reviewed the report;
  • that based on your knowledge, the report does not contain anything or leave out anything that would render it misleading;
  • that based on your knowledge, all financial information in the report fairly represent the financial conditions of the company;
  • that you are responsible for establishing internal controls over financial reporting; and
  • that you have assessed the effectiveness of the internal controls.

Similarly, Section 404, stated in simplified form, allows the SEC to come up with rules requiring you, CEOs and CFOs, to add an internal control report to each annual financial report stating that you are responsible for establishing internal controls over financial reporting.

You are also required to assess the effectiveness of those controls and to have a public accounting firm to attest to your assessment based upon standards adopted by the Public Company Accounting Oversight Board (PCAOB).

While there is no mention of IT systems, IT systems now play a significant role in financial reporting. Practically all of the data you need for your financial reports are stored, retrieved and processed on IT systems, so you really have to include them in your SOX compliance initiatives and establish controls on them.

Now that that’s settled, your next question could very well be: How do you know what controls to install and whether those controls are already sufficient to achieve compliance?

Finding a suitable guide for IT compliance

The two bodies responsible for setting rules and standards dealing with SOX, SEC and PCAOB, point to a well-established control framework for guidance – COSO. This framework was drafted by the Committee of Sponsoring Organisations of the Treadway Commission (COSO) and is the most widely accepted control framework in the business world.

However, while COSO is a tested and proven framework, it is more suitable for general controls. What we recommend is a widely-used control framework that aligns well with COSO but also caters to the more technical features and issues that come with IT systems.

Taking into consideration those qualifiers, we recommend COBIT. COBIT features a well thought out collection of IT-related control objectives grouped into four domains: Plan and Organise (PO), Acquire and Implement (AI), Deliver and Support (DS), and Monitor and Evaluate (ME). The document also includes maturity models, performance goals and metrics, and activity goals.

A few examples of COBIt’s detailed control objectives are:

DS4.2 – IT Continuity Plans
DS4.9 – Offsite Backup Storage
DS5.4 – User Account Management
DS5.8 – Cryptographic Key Management
DS5.10 – Network Security
DS5.11 – Exchange of Sensitive Data

By those titles alone, you can see that the framework is specifically designed for IT. But the document is quite extensive and, chances are, you won’t need all of the items detailed there. Furthermore, don’t expect COBIT to specify a control solution controls for every control objective. For example, throughout the control objective DS4 (Ensure Continuous Service), you won’t find any mention of virtualisation, which is common in any modern business continuity solution.

Basically, COBIT will tell you what you need to attain in order to achieve effective governance, management and control, but you’ll have to pick the solution best suited to reach that level of attainment.

Articles highly relevant to the one you just read:

Month End Accounting The Way It Should Be Today
Spreadsheet Woes ? Burden in SOX Compliance and Other Regulations
Spreadsheet Woes ? Limited Features For Easy Adoption of a Control Framework
How Internal Auditors Can Win The War Against Spreadsheet Fraud

Check our similar posts

Introduction to Matrix Management

A leader is responsible to empower his people and get the best out of them. Yet an organisational structure can either help or hamper performance. Worst, it can make or break success.

Looking at the fast-changing world of the global economy, whatsoever slows up and obstructs decision-making is a challenge. Hierarchical management is rather unattractive and functional silos are unlikable. Instead, employees desire to create teams equipped with flexibility, cooperation and coordination.

Recognising that companies have both vertical and horizontal chains of command, the matrix model is created. The concept of this principle lies in the ability to manage the collaboration of people across various functions and achieve strategic objectives through key projects.

Consider this scenario:

Ian is a sales executive of a company. His role is to sell a new product under the supervision of a product manager. The manager is expert about the product and she is accountable to coordinate the people across the organisation, making sure the product is achieved.

Moreover, Ian also reports to the sales manager who oversees his overall performance, monitors his pay and benefits and guides his personal development.

Complicated it may seem but this set-up is common to companies that seek to maximise the effect of expert product managers, without compromising the function of the staffing overhead in control of the organisation. This is a successful approach to management known as Matrix Management.

Matrix Management Defined

Matrix management is a type of organisational management wherein employees of similar skills are shared for work assignments. Simply stated, it is a structure in which the workforce reports to multiple managers of different roles.

For example, a team of engineers work under the supervision of their department head, which is the engineering manager. However, the same people from the engineering department may be assigned to other projects where they report to the project manager. Thus, while working on a designated project, each engineer has to work under various managers to accomplish the job.

Historical Background

Although some critics say that matrix management was first adopted in the Second World War, its origins can be traced more reliably to the US space programme of the 1960’s when President Kennedy has drawn his vision of putting a man on the moon. In order to accomplish the objective, NASA revolutionised its approach on the project leading to the consequent birth of ?matrix organisation?. This strategic method facilitated the energy, creativity and decision-making to triumph the grand vision.

In the 1970’s, matrix organisation received huge attention as the only new form of organisation in the twentieth century. In fact it was applied by Digital Equipment, Xerox, and Citibank. Despite its initial success, the enthusiasm of corporations with regards to matrix organisation declined in the 1980’s, largely because it was complex.

Furthermore, the drive for motivating people to work creatively and flexibly has only strengthened. And by the 1990’s, the evolution of matrix management geared towards creation and empowerment of virtual teams that focused on customer service and speedy delivery.

Although all forms of matrix has loopholes and flaws, research says that until today, matrix management is still the leading approach used by companies to achieve organisational goals.

The Child at Work: Fun Team Builds with LEGO SERIOUS PLAY

There is a child just below the surface in all of us. When were kids, adults lopped off the sharp bits that intruded into their ?genteel? society. Schools, to their everlasting shame sanded away our unique free spirits, as they stuck us into uniforms and imposed a daily classroom discipline. We received badges and prizes if we obeyed, and strict sanctions when we did not. This produced a generation of middle-age managers who no longer know how to play.

Life can be so deadly serious ?

Things work pretty much the same in business. Life is deadly serious. If we want to keep our jobs, we must deliver on the bottom line in our departments. There is little time for fun outside the Christmas party, when we may, within the limits of decorum engage in activity for enjoyment and recreation, rather than a serious or practical purpose.

Team builds (and strategic planning sessions) can be deadly boring affairs that proceed down narrow funnels defined by human resource facilitators. No matter how hard HR they may try, the structural hierarchy will remain intact, unless they find a way to set it aside during the program. Injecting fun into the occasion liberates independent thought, and this is why.

? But not for a little child at play

Next time you dine out at a branded family restaurant, select a seat that allows you observe the kiddies? play zone. Notice how inventive children become, when the family hierarchy is not there to tell them what to do (although parents may try from the wrong side of the soundproof glass). The ?serious play? side of fun team-builds aims to liberate managers by releasing their child for the duration. Shall we dig a little deeper into this and discover the dynamics?

Many of us have less than perfect oral communication skills. This is one of the great impediments to modern business meetings. We may not have sufficient time to formulate our thoughts for them to remain relevant when we speak. When we express them, we sense the group?s impatience for us to hurry up, so other members can have their opportunity to contribute.

Sharing better thinking with LEGO? bricks

Most of us feel an urge to click the brightly coloured plastic bricks together that carpenter Ole Kirk Christiansen released into a war-weary world in 1949. The basic kit is a great leveller because the blocks are all the same, and the discriminators are the colours and the power of our imagination. Watching a free-form LEGO builder in action is equally fascinating, as we wonder ?what they will do next? and ?what is happening in their mind.?

Examples of LEGO Serious PLAY in action

Instead of asking team members to describe themselves in a minute, a LEGO? SERIOUS PLAY? facilitator may gather them around a table piled high with LEGO bricks instead, and ask them to each build a model of themselves. The atmosphere is informal with interaction and banter encouraged. It is still serious play though, as team members get to know each other, and their own personalities better

The system is equally effective in strategic sessions, where the facilitator provides specially selected building blocks for the team to experiment with as they learn to listen, and share. This enables them to deconstruct a problem into its component parts, and share solutions regardless of seniority, culture, and communication skills.

Creating problem- and solution-landscapes three dimensionally this way, enables open conversations that keep the focus on the problem. Participants at these team builds do not only reach effective consensus faster. They are also busy building better communication skills as they do.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
Migrating from CRM to Big Data

Big data moved to centre stage from being just another fad, and is being punted as the latest cure-all for information woes. It may well be, although like all transitions there are pitfalls. Denizon decided to highlight the major ones in the hope of fostering better understanding of what is involved.

Accurate data and interpretation of it have become increasingly critical. Ideas Laboratory reports that 84% of managers regard understanding their clients and predicting market trends essential, with accelerating demand for data savvy people the inevitable result. However Inc 5000 thinks many of them may have little idea of where to start. We should apply the lessons learned from when we implemented CRM because the dynamics are similar.

Be More Results Oriented

Denizon believes the key is focusing on the results we expect from Big Data first. Only then is it appropriate to apply our minds to the technology. By working the other way round we may end up with less than optimum solutions. We should understand the differences between options before committing to a choice, because it is expensive to switch software platforms in midstream. data lakes, hadoop, nosql, and graph databases all have their places, provided the solution you buy is scalable.

Clean Up Data First

The golden rule is not to automate anything before you understand it. Know the origin of your data, and if this is not reliable clean it up before you automate it. Big Data projects fail when executives become so enthused by results that they forget to ask themselves, ?Does this make sense in terms of what I expected??

Beware First Impressions

Big Data is just that. Many bits of information aggregated into averages and summaries. It does not make recommendations. It only prompts questions and what-if?s. Overlooking the need for the analytics that must follow can have you blindly relying on algorithms while setting your business sense aside.

Hire the Best Brains

Big Data?s competitive advantage depends on what human minds make with the processed information it spits out. This means tracing and affording creative talent able to make the shift from reactive analytics to proactive interaction with the data, and the customer decisions behind it.

If this provides a d?j? vu moment then you are not alone. Every iteration of the software revolution has seen vendors selling while the fish were running, and buyers clamouring for the opportunity. Decide what you want out first, use clean data, beware first impressions and get your analytics right. Then you are on the way to migrating successfully from CRM to Big Data.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Ready to work with Denizon?

Contact Us Today