There’s no question about it. For many of you top executives in the corporate world, all roads leading to a brighter future have to go through SOX compliance. And because the business processes that contribute to financial reporting (the crux of the Sarbanes-Oxley Act) are now highly reliant on IT systems, it is important to focus a good part of your attention there.
It is a long and arduous path to IT compliance, so if you don’t want your company to fall by the wayside due to inefficient utilisation of resources, it is important to set out with a plan on hand. What we have here are some vital information that will guide you in putting together a sound plan for SOX compliance of your company’s IT systems.
Why focus on IT systems for SOX compliance?
We’ll get to that. But first, let’s take up the specific portions of the Sarbanes-Oxley Act that affect information technology. These portions can be found in Section 302 and Section 404 of the act.
In simplified form, Section 302 grants the SEC (Securities and Exchange Commission) authority to come up with rules requiring you, CEOs and CFOs, to certify in each annual or quarterly financial report the following:
- that you have reviewed the report;
- that based on your knowledge, the report does not contain anything or leave out anything that would render it misleading;
- that based on your knowledge, all financial information in the report fairly represent the financial conditions of the company;
- that you are responsible for establishing internal controls over financial reporting; and
- that you have assessed the effectiveness of the internal controls.
Similarly, Section 404, stated in simplified form, allows the SEC to come up with rules requiring you, CEOs and CFOs, to add an internal control report to each annual financial report stating that you are responsible for establishing internal controls over financial reporting.
You are also required to assess the effectiveness of those controls and to have a public accounting firm to attest to your assessment based upon standards adopted by the Public Company Accounting Oversight Board (PCAOB).
While there is no mention of IT systems, IT systems now play a significant role in financial reporting. Practically all of the data you need for your financial reports are stored, retrieved and processed on IT systems, so you really have to include them in your SOX compliance initiatives and establish controls on them.
Now that that’s settled, your next question could very well be: How do you know what controls to install and whether those controls are already sufficient to achieve compliance?
Finding a suitable guide for IT compliance
The two bodies responsible for setting rules and standards dealing with SOX, SEC and PCAOB, point to a well-established control framework for guidance – COSO. This framework was drafted by the Committee of Sponsoring Organisations of the Treadway Commission (COSO) and is the most widely accepted control framework in the business world.
However, while COSO is a tested and proven framework, it is more suitable for general controls. What we recommend is a widely-used control framework that aligns well with COSO but also caters to the more technical features and issues that come with IT systems.
Taking into consideration those qualifiers, we recommend COBIT. COBIT features a well thought out collection of IT-related control objectives grouped into four domains: Plan and Organise (PO), Acquire and Implement (AI), Deliver and Support (DS), and Monitor and Evaluate (ME). The document also includes maturity models, performance goals and metrics, and activity goals.
A few examples of COBIT’s detailed control objectives are:
DS4.2 – IT Continuity Plans
DS4.9 – Offsite Backup Storage
DS5.4 – User Account Management
DS5.8 – Cryptographic Key Management
DS5.10 – Network Security
DS5.11 – Exchange of Sensitive Data
By those titles alone, you can see that the framework is specifically designed for IT. But the document is quite extensive and, chances are, you won’t need all of the items detailed there. Furthermore, don’t expect COBIT to specify a control solution controls for every control objective. For example, throughout the control objective DS4 (Ensure Continuous Service), you won’t find any mention of virtualisation, which is common in any modern business continuity solution.
Basically, COBIT will tell you what you need to attain in order to achieve effective governance, management and control, but you’ll have to pick the solution best suited to reach that level of attainment.
Articles highly relevant to the one you just read:
Month End Accounting The Way It Should Be Today
Spreadsheet Woes – Burden in SOX Compliance and Other Regulations
Spreadsheet Woes – Limited Features For Easy Adoption of a Control Framework
How Internal Auditors Can Win The War Against Spreadsheet Fraud