How To Get Started with your IT Compliance Efforts for SOX

There’s no question about it. For many of you top executives in the corporate world, all roads leading to a brighter future have to go through SOX compliance. And because the business processes that contribute to financial reporting (the crux of the Sarbanes-Oxley Act) are now highly reliant on IT systems, it is important to focus a good part of your attention there.

It is a long and arduous path to IT compliance, so if you don’t want your company to fall by the wayside due to inefficient utilisation of resources, it is important to set out with a plan on hand. What we have here are some vital information that will guide you in putting together a sound plan for SOX compliance of your company?s IT systems.

Why focus on IT systems for SOX compliance?

We’ll get to that. But first, let’s take up the specific portions of the Sarbanes-Oxley Act that affect information technology. These portions can be found in Section 302 and Section 404 of the act.

In simplified form, Section 302 grants the SEC (Securities and Exchange Commission) authority to come up with rules requiring you, CEOs and CFOs, to certify in each annual or quarterly financial report the following:

  • that you have reviewed the report;
  • that based on your knowledge, the report does not contain anything or leave out anything that would render it misleading;
  • that based on your knowledge, all financial information in the report fairly represent the financial conditions of the company;
  • that you are responsible for establishing internal controls over financial reporting; and
  • that you have assessed the effectiveness of the internal controls.

Similarly, Section 404, stated in simplified form, allows the SEC to come up with rules requiring you, CEOs and CFOs, to add an internal control report to each annual financial report stating that you are responsible for establishing internal controls over financial reporting.

You are also required to assess the effectiveness of those controls and to have a public accounting firm to attest to your assessment based upon standards adopted by the Public Company Accounting Oversight Board (PCAOB).

While there is no mention of IT systems, IT systems now play a significant role in financial reporting. Practically all of the data you need for your financial reports are stored, retrieved and processed on IT systems, so you really have to include them in your SOX compliance initiatives and establish controls on them.

Now that that’s settled, your next question could very well be: How do you know what controls to install and whether those controls are already sufficient to achieve compliance?

Finding a suitable guide for IT compliance

The two bodies responsible for setting rules and standards dealing with SOX, SEC and PCAOB, point to a well-established control framework for guidance – COSO. This framework was drafted by the Committee of Sponsoring Organisations of the Treadway Commission (COSO) and is the most widely accepted control framework in the business world.

However, while COSO is a tested and proven framework, it is more suitable for general controls. What we recommend is a widely-used control framework that aligns well with COSO but also caters to the more technical features and issues that come with IT systems.

Taking into consideration those qualifiers, we recommend COBIT. COBIT features a well thought out collection of IT-related control objectives grouped into four domains: Plan and Organise (PO), Acquire and Implement (AI), Deliver and Support (DS), and Monitor and Evaluate (ME). The document also includes maturity models, performance goals and metrics, and activity goals.

A few examples of COBIt’s detailed control objectives are:

DS4.2 – IT Continuity Plans
DS4.9 – Offsite Backup Storage
DS5.4 – User Account Management
DS5.8 – Cryptographic Key Management
DS5.10 – Network Security
DS5.11 – Exchange of Sensitive Data

By those titles alone, you can see that the framework is specifically designed for IT. But the document is quite extensive and, chances are, you won’t need all of the items detailed there. Furthermore, don’t expect COBIT to specify a control solution controls for every control objective. For example, throughout the control objective DS4 (Ensure Continuous Service), you won’t find any mention of virtualisation, which is common in any modern business continuity solution.

Basically, COBIT will tell you what you need to attain in order to achieve effective governance, management and control, but you’ll have to pick the solution best suited to reach that level of attainment.

Articles highly relevant to the one you just read:

Month End Accounting The Way It Should Be Today
Spreadsheet Woes ? Burden in SOX Compliance and Other Regulations
Spreadsheet Woes ? Limited Features For Easy Adoption of a Control Framework
How Internal Auditors Can Win The War Against Spreadsheet Fraud

Check our similar posts

Is Your Project Agile, a Scrum or a Kanban?

Few projects pan out the way we expect when starting out. This is normal in any creative planning phase. We half suspect the ones that follow a straight line are the exceptions to the rule. Urban legend has it; Edison made a thousand prototypes before his first bulb lit up, and then went on to comment, ?genius is 1% inspiration, 99% perspiration?. Later, he added that many of life’s failures are people who did not realise just how close they were to success when they gave up.

So be it to this day, and so be it with project planning too. There is no one size fits all approach when it comes to it. Agile, Scrum and Kanban each have their supporters and places where they do well. Project planning often works best when we use a sequential combination of them, appropriate to what is currently happening on the ground.

Of the three, Agile is by far the most comprehensive. It provides a structure that begins with project vision / conceptualisation, and goes as far as celebration when the job is over, and retrospective discussion afterwards. However, the emphasis on daily planning meetings may dent freethinking, and even smother it.

Scrum on the other hand says ?forget all that bureaucracy?. There is a job to do and today is the day we are going to do it. Although the core Agile teamwork is still there it ignores macro project planning, and could not be bothered with staying in touch with customers. If using Scrum, it is best to give those jobs to someone else.

The joker in the pack is Kanban, It believes that rules are there to substitute for thought, and that true progress only comes from responsible freedom. It belongs in mature organisations that have passed through Scrum and Agile phases and have embarked on a voyage towards perfection.

That said, there can be no substitute for human leadership, especially when defined as the social influence that binds the efforts of others towards a single task.

2015 – What’s ahead for UK Business?

According to reports just in, the global environment industry is down. Less money is available for what some CEO?s still see as grudge expenditure, and many U.S. agencies are seeking soft budget cuts. The UK is proving to be an exception following the announcement of ESOS, and EcoVaro does not expect the May elections will have much impact in this regard.

ESOS calls for mandatory energy assessments in companies above a certain size, and requires specific proposals to cut consumption. There is no indication of compulsory follow-through, although it is clear the Environment Agency hopes rising electricity prices and the prospect of monetary savings will do the trick.

It is an open question whether the Tory government would have interfered with commerce to this extent, were it not for the European directive that enforced it. The overall goal is to cut EU energy consumption across the board by 20% by 2020. Energy consultants are rubbing their hands in glee. EcoVaro?s response is to provide cloud-based software.

We will be interested to see how many UK companies make the first deadline of 5 December 2015, in the light of reports that half the 9,000 firms affected appear not to even know that ESOS exists. Some will no doubt pay last-minute lip service. Those with an eye on their own sustainability will grasp the Energy Saving Opportunity Scheme with both hands.

The initial ESOS deadline was always going to be a challenge. Some big corporates have stolen a march albeit egged on by green stakeholders. The next challenge comes in June 2015 with the implementation of the European Union?s ?Waste Catalogue? of hazardous substances, and rules for their disposal. We hope a new ISO 14001 will arrive soon and pull the loose threads together.

The introduction of carbon trading late this year brings further opportunities to increase profits through wise stewardship. Auditable metrics are essential for this.

EcoVaro can assist by processing your raw data. We provide this service on a virtual cloud. In return, you can get advice on optimising the quality of your graphs for presentations. 

Data Replication

Medical Data Form

These days, not many companies can continue to operate once their entire computer system goes down. All the information needed in daily operations are stored in databases while the interfaces that make use of them all come in the form of software applications.

Software applications can be rapidly reinstalled and configured for as long as the necessary programs are available. Data, however, cannot be reconstructed as quickly even with hard copies available. It is therefore necessary to store your data in a replicated setup so that when one section goes down, operations can proceed without interruption.

For instance, if a category 5 hurricane renders your main office useless, you can simply rent workstations elsewhere, connect to the Internet and continue with your usual transactions for as long as data is readily accessible.

So how do we ensure the accessibility and reliability of your data? Here’s what we’ll do:

  • Activate data replication on your database management system. If your DBMS does not support replication, we’ll migrate all your data to one that does.
  • If absolutely necessary, we can allow modernised systems to run parallel to your legacy systems and prepare both for full modernisation when you’re ready.
  • Implement fail-over technologies where applicable to provide for automatic switching to a backup data server or network from one that has just failed.

We can also assist you with the following:

Ready to work with Denizon?

Contact Us Today