How To Get Started with your IT Compliance Efforts for SOX

There’s no question about it. For many of you top executives in the corporate world, all roads leading to a brighter future have to go through SOX compliance. And because the business processes that contribute to financial reporting (the crux of the Sarbanes-Oxley Act) are now highly reliant on IT systems, it is important to focus a good part of your attention there.

It is a long and arduous path to IT compliance, so if you don’t want your company to fall by the wayside due to inefficient utilisation of resources, it is important to set out with a plan on hand. What we have here are some vital information that will guide you in putting together a sound plan for SOX compliance of your company?s IT systems.

Why focus on IT systems for SOX compliance?

We’ll get to that. But first, let’s take up the specific portions of the Sarbanes-Oxley Act that affect information technology. These portions can be found in Section 302 and Section 404 of the act.

In simplified form, Section 302 grants the SEC (Securities and Exchange Commission) authority to come up with rules requiring you, CEOs and CFOs, to certify in each annual or quarterly financial report the following:

  • that you have reviewed the report;
  • that based on your knowledge, the report does not contain anything or leave out anything that would render it misleading;
  • that based on your knowledge, all financial information in the report fairly represent the financial conditions of the company;
  • that you are responsible for establishing internal controls over financial reporting; and
  • that you have assessed the effectiveness of the internal controls.

Similarly, Section 404, stated in simplified form, allows the SEC to come up with rules requiring you, CEOs and CFOs, to add an internal control report to each annual financial report stating that you are responsible for establishing internal controls over financial reporting.

You are also required to assess the effectiveness of those controls and to have a public accounting firm to attest to your assessment based upon standards adopted by the Public Company Accounting Oversight Board (PCAOB).

While there is no mention of IT systems, IT systems now play a significant role in financial reporting. Practically all of the data you need for your financial reports are stored, retrieved and processed on IT systems, so you really have to include them in your SOX compliance initiatives and establish controls on them.

Now that that’s settled, your next question could very well be: How do you know what controls to install and whether those controls are already sufficient to achieve compliance?

Finding a suitable guide for IT compliance

The two bodies responsible for setting rules and standards dealing with SOX, SEC and PCAOB, point to a well-established control framework for guidance – COSO. This framework was drafted by the Committee of Sponsoring Organisations of the Treadway Commission (COSO) and is the most widely accepted control framework in the business world.

However, while COSO is a tested and proven framework, it is more suitable for general controls. What we recommend is a widely-used control framework that aligns well with COSO but also caters to the more technical features and issues that come with IT systems.

Taking into consideration those qualifiers, we recommend COBIT. COBIT features a well thought out collection of IT-related control objectives grouped into four domains: Plan and Organise (PO), Acquire and Implement (AI), Deliver and Support (DS), and Monitor and Evaluate (ME). The document also includes maturity models, performance goals and metrics, and activity goals.

A few examples of COBIt’s detailed control objectives are:

DS4.2 – IT Continuity Plans
DS4.9 – Offsite Backup Storage
DS5.4 – User Account Management
DS5.8 – Cryptographic Key Management
DS5.10 – Network Security
DS5.11 – Exchange of Sensitive Data

By those titles alone, you can see that the framework is specifically designed for IT. But the document is quite extensive and, chances are, you won’t need all of the items detailed there. Furthermore, don’t expect COBIT to specify a control solution controls for every control objective. For example, throughout the control objective DS4 (Ensure Continuous Service), you won’t find any mention of virtualisation, which is common in any modern business continuity solution.

Basically, COBIT will tell you what you need to attain in order to achieve effective governance, management and control, but you’ll have to pick the solution best suited to reach that level of attainment.

Articles highly relevant to the one you just read:

Month End Accounting The Way It Should Be Today
Spreadsheet Woes ? Burden in SOX Compliance and Other Regulations
Spreadsheet Woes ? Limited Features For Easy Adoption of a Control Framework
How Internal Auditors Can Win The War Against Spreadsheet Fraud

Check our similar posts

Sources of Carbon Emissions

Exchange of carbon dioxide among the atmosphere, land surface and oceans is performed by humans, animals, plants and even microorganisms. With this, they are the ones responsible for both producing and absorbing carbon in the environment. Nature?s cycle of CO2 emission and removal was once balanced, however, the Industrial Revolution began and the carbon cycle started to go wrong. The fact is that human activities substantially contributed to the addition of CO2 in the atmosphere.

According to statistics gathered by the Department of Energy and Climate Change, carbon dioxide comprises 82% of UK?s greenhouse gas emissions in 2012. This makes carbon dioxide the main greenhouse gas contributing to the pollution and subsequent climate change in UK.

Types of Carbon Emissions

There are two types of carbon emissions ? direct and indirect. It is easier to measure the direct emissions of carbon dioxide, which includes the electricity and gas people use in their homes, the petrol burned in cars, distance of flights taken and other carbon emissions people are personally responsible for. Various tools are already available to measure direct emissions each day.

Indirect emissions, on the other hand, include the processes involved in manufacturing food and products and transporting them to users? doors. It is a bit difficult to accurately measure the amount of indirect emission.

Sources of Carbon Emissions

The sources of carbon emissions refer to the sectors of end-users that directly emit them. They include the energy, transport, business, residential, agriculture, waste management, industrial processes and public sectors. Let’s learn how these sources contribute carbon emissions to the environment.

Energy Supply

The power stations that burn coal, oil or gas to generate electricity hold the largest portion of the total carbon emissions. The carbon dioxide is emitted from boilers at the bottom of the chimney. The electricity, produced from the fossil fuel combustion, emits carbon as it is supplied to homes, commercial establishments and other energy users.

Transport

The second largest carbon-emitting source is the transport sector. This results from the fuels burned in diesel and petrol to propel cars, railways, shipping vehicles, aircraft support vehicles and aviation, transporting people and products from one place to another. The longer the distance travelled, the more fuel is used and the more carbon is emitted.

Business

This comprises carbon emissions from combustion in the industrial and commercial sectors, off-road machinery, air conditioning and refrigeration.

Residential

Heating houses and using electricity in the house, produce carbon dioxide. The same holds true to cooking and using garden machinery at home.

Agriculture

The agricultural sector also produces carbon dioxide from soils, livestock, immovable combustion sources and other machinery associated with agricultural activities.

Waste Management

Disposing of wastes to landfill sites, burning them and treating waste water also emit carbon dioxide and contributes to global warming.

Industrial Processes

The factories that manufacture and process products and food also release CO2 , especially those factories that manufacture steel and iron.

Public

Public sector buildings that generate power from fuel combustion also add to the list of carbon emission sources, from heating to other public energy needs.

Everybody needs energy and people burn fossil fuels to create it. Knowing how our energy use affects the environment, as a whole, enables us to take a step ahead towards achieving better climate.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
Keys to Successful Matrix Management

Matrix management, in itself, is a breakthrough concept. In fact, there are a lot of organizations today that became successful when they implemented this management technique. However, there are also organizations that started it but failed. And eventually abandoned it in the end.

Looking at these scenarios, we can say that when you implement matrix management in your organisation, two things can happen – you either succeed or fail. And there?s nothing in between. The truth is, the effectiveness of matrix management lies in your hands and in your implementation. To ensure that you achieve your desired results, recognise these essential keys to successful matrix management.

Establish Performance Goals and Metrics

This should be done as soon as the team is formed, at the beginning of the year or during the process of setting organisational objectives. Whenever it is, the most important thing is that each team player understands the objectives and metrics to which their performances will be evaluated. This ensures that everyone is looking at the same set of objectives as they carry out their individual tasks.

Define Roles and Responsibilities

One pitfall of matrix management is its internal complexity. Awareness of this limitation teaches you to clearly define the roles and responsibilities of the team players up front. Basically, there are three principal sets of roles that should be explained vividly ? the matrix leader, matrix managers and the matrixed employees. It is important to discuss all the possible details on these roles, as well as their specific responsibilities, to keep track of each other?s participation in the projects of the organisation.

One effective tool to facilitate this discussion is through the RACI chart – Who is Responsible? Who is Accountable? Who should be Consulted? Who will Implement? With this, clarification of roles and responsibilities would be more efficient.

When roles are already clearly defined, each participant should review their job descriptions and key performance metrics. This is to make sure that the roles and responsibilities expected of you integrates consistently with your job in the organisation, as a whole.

Manage Deadlines

In matrix management, the employees report to several managers. They will likely have multiple deadlines to attend to and accomplish. There might even be conflicts from one deadline to another. Hence, each should learn how to schedule and prioritise their tasks. Time management and action programs should be incorporated to keep the grace under pressure.

Deliver Clear Communication

Another pitfall of matrix management is heightened conflict. To avoid unrealistic expectations, the matrix leaders and managers should communicate decisions and information clearly to their subordinates, vice versa. It would help if everyone will find time to meet regularly or send timely reports on progress.

Empower Diversity

Knowledge, working styles, opinions, skills and talents are diverse in a matrix organisation. Knowing this fact, each should understand, appreciate and empower the learning opportunities that this diversity presents. Trust is important. Respect to each other?s opinions is vital. And acknowledgement of differing viewpoints is crucial.

The impetus of matrix management is the same ? mobilise the organisation’s resources and skills to cope with the fast-paced changes in the environment. So, maximise the benefits of matrix management as you consider these essential keys to its successful implementation.

When Carrefour Pushed the Right Buttons

Retail giant Carrefour based in Boulogne Billancourt, France is big business in anybody?s numbers. Europe?s #1 retailer opened its first store in 1958 near a crossroads (Carrefour means ?crossroad? in French) and has largely not looked back since then. The slogan for the hypermarket chain with more than 1,500 outlets and close to a half million employees is ?choice and quality for everyone?. Our story begins when Carrefour decided these things belong at home too.

The company implemented a worldwide universal responsibility program firmly anchored on a tripod of goals for environmental, economic and social progress. Its first step was to appoint a five-person project team tasked with liaising with program delegates in all thirty countries in which it operates, and who had responsibility for driving these goals.

The team?s job was to make sure that policies, standards, procedures and key performance areas were common visions throughout Carrefour. By contrast, the local managers? were tasked with aligning these specifics to local conditions in terms of environmental, political and social issues. The project team checked the fit quarterly via video conferences.

The Triple Bottom Line Goals were woven through with Carrefour?s Seven Core Values, namely Freedom, Responsibility, Sharing, Respect, Integrity, Solidarity and Progress. Constant contact was maintained with staff and other stakeholders through ?awareness training? seminars and other dialogues. As the program took hold and flourished, it became evident that the retail giant needed help with managing the constant stream of metrics flowing in.

After reviewing options, Carrefour appointed a software provider to monitor progress against its primary focuses on energy, water, waste, refrigeration, paper, disposable checkout bags, hygiene & quality, management gender parity, disabled people and logistics. This enabled it to track progress online against past performance, and produce meaningful reports.

The Environmental Manager in the Corporate Sustainability Department waxed lyrical when he said, ?We believe that our sustainability strategy and software solution have powerfully improved collaboration, innovation, and overall performance?. He went on to describe how it was helping drive cost down and profitability up, while simultaneously growing brand.

Non-conformance costs can be high and run counter to the imperative to make a profit – while simultaneously ensuring a better world for our children?s children. In Carrefour?s case, having a consultant to measure progress was the key that unblocked the administrative bottleneck. Irish company Ecovaro does this for companies around the world. Click here. Discover what we will do for you.

Ready to work with Denizon?

Contact Us Today