How To Get Started with your IT Compliance Efforts for SOX

There’s no question about it. For many of you top executives in the corporate world, all roads leading to a brighter future have to go through SOX compliance. And because the business processes that contribute to financial reporting (the crux of the Sarbanes-Oxley Act) are now highly reliant on IT systems, it is important to focus a good part of your attention there.

It is a long and arduous path to IT compliance, so if you don’t want your company to fall by the wayside due to inefficient utilisation of resources, it is important to set out with a plan on hand. What we have here are some vital information that will guide you in putting together a sound plan for SOX compliance of your company?s IT systems.

Why focus on IT systems for SOX compliance?

We’ll get to that. But first, let’s take up the specific portions of the Sarbanes-Oxley Act that affect information technology. These portions can be found in Section 302 and Section 404 of the act.

In simplified form, Section 302 grants the SEC (Securities and Exchange Commission) authority to come up with rules requiring you, CEOs and CFOs, to certify in each annual or quarterly financial report the following:

  • that you have reviewed the report;
  • that based on your knowledge, the report does not contain anything or leave out anything that would render it misleading;
  • that based on your knowledge, all financial information in the report fairly represent the financial conditions of the company;
  • that you are responsible for establishing internal controls over financial reporting; and
  • that you have assessed the effectiveness of the internal controls.

Similarly, Section 404, stated in simplified form, allows the SEC to come up with rules requiring you, CEOs and CFOs, to add an internal control report to each annual financial report stating that you are responsible for establishing internal controls over financial reporting.

You are also required to assess the effectiveness of those controls and to have a public accounting firm to attest to your assessment based upon standards adopted by the Public Company Accounting Oversight Board (PCAOB).

While there is no mention of IT systems, IT systems now play a significant role in financial reporting. Practically all of the data you need for your financial reports are stored, retrieved and processed on IT systems, so you really have to include them in your SOX compliance initiatives and establish controls on them.

Now that that’s settled, your next question could very well be: How do you know what controls to install and whether those controls are already sufficient to achieve compliance?

Finding a suitable guide for IT compliance

The two bodies responsible for setting rules and standards dealing with SOX, SEC and PCAOB, point to a well-established control framework for guidance – COSO. This framework was drafted by the Committee of Sponsoring Organisations of the Treadway Commission (COSO) and is the most widely accepted control framework in the business world.

However, while COSO is a tested and proven framework, it is more suitable for general controls. What we recommend is a widely-used control framework that aligns well with COSO but also caters to the more technical features and issues that come with IT systems.

Taking into consideration those qualifiers, we recommend COBIT. COBIT features a well thought out collection of IT-related control objectives grouped into four domains: Plan and Organise (PO), Acquire and Implement (AI), Deliver and Support (DS), and Monitor and Evaluate (ME). The document also includes maturity models, performance goals and metrics, and activity goals.

A few examples of COBIt’s detailed control objectives are:

DS4.2 – IT Continuity Plans
DS4.9 – Offsite Backup Storage
DS5.4 – User Account Management
DS5.8 – Cryptographic Key Management
DS5.10 – Network Security
DS5.11 – Exchange of Sensitive Data

By those titles alone, you can see that the framework is specifically designed for IT. But the document is quite extensive and, chances are, you won’t need all of the items detailed there. Furthermore, don’t expect COBIT to specify a control solution controls for every control objective. For example, throughout the control objective DS4 (Ensure Continuous Service), you won’t find any mention of virtualisation, which is common in any modern business continuity solution.

Basically, COBIT will tell you what you need to attain in order to achieve effective governance, management and control, but you’ll have to pick the solution best suited to reach that level of attainment.

Articles highly relevant to the one you just read:

Month End Accounting The Way It Should Be Today
Spreadsheet Woes ? Burden in SOX Compliance and Other Regulations
Spreadsheet Woes ? Limited Features For Easy Adoption of a Control Framework
How Internal Auditors Can Win The War Against Spreadsheet Fraud

Check our similar posts

What GDPR Means in Practice for Irish Business

The General Data Protection Regulation (GDPR) is a European directive aimed at ring-fencing consumer data against illegal or unnecessary access. There is nothing to discuss or debate with local politicians, or the Irish Data Protection Commissioner for that matter. As a European directive, it has over-riding power. To obtain an English version, please visit this link, and select ?EN? from the table of languages.

As you reach for your tea, coffee or Guinness after sighting it, you will be glad to know the Irish Data Protection Commissioner has the lead in turning this into business English we understand. The following diagram should assist you to obtain a quick overview of the process we all have to go through. In this article, we briefly describe what is inside Boxes 1 to 12. The regulation comes into force on 25 May 2018 so we have less than a year to get ready.

The 12 Essential Steps to Implementing the General Data Protection Act

1. Create awareness among your people of what is coming their way. The GDPR has given our regulator discretion to dish out fines up to ?20,000,000 (or 4% of total annual global turnover, whichever is greater) so there is determination to make this happen.

2. Become accountable by understanding the consumer data you hold. Why are you retaining it, how did you obtain it, and why did you originally collect it. Now you know it is there, how much longer will you still need it? How secure is it in your hands, have you ever shared it?

3. Open a communication channel with your staff, your customers, and anyone else using the data. Share how you feel about how accountable you have been with the information in the past. Explain how you plan to comply with the GDPR in future, and what needs to change.

4. Understand the personal privacy entitlement of the subjects of the information. They have rights to access it, correct mistakes, remove information, restrict its use, decline direct marketing, and copy it to their own files. What needs to change in your systems to assure these rights?

5. Issue a policy for allowing consumers access to their information you hold. You must process requests within a month, and you may not charge for the service unless your cost is excessive. You may decline unfounded or excessive demands within your policy guidelines.

6. Adapt to the requirement that you must have a legal basis for everything you do with, and to consumer data. You need to be in a position to justify your actions to the Irish Data Protection Commissioner in the event of a complaint. Having a legitimate interest is no longer sufficient.

7. Ensure that consumer consent to collect, use, and distribute their data is ?freely given, specific, informed, and unambiguous.? From 25 May 2018 onward, this consent will be your only ground to do so. You cannot force consent. Your benchmark becomes what the GDPR says.

8. Issue rules for managing data of underage subjects. This is currently under review and we are awaiting results. Put systems in place to verify age. Set triggers for where guardians must give consent. Make sure age is verifiable. Use language young people understand.

9. Introduce a culture of openness and honesty, whereby breaches of the GDPR are detected, reported, investigated, and resolved. You will have a duty to file a GDPR report with the Data Protection Commissioner within 72 hours, thus it is important to fast track the process.

10. Introduce a policy of conducting a privacy assessment before taking new initiatives. The GDPR calls for ?privacy by deign?, and we need to engineer it in. This may be the right time to appoint a data controller in your company, and start implementing the GDPR while you have time.

11. You may also need to appoint a data protection officer depending on the size of your business. Alternatively, you need to add managing data protection compliance to an employee?s duties, or appoint an external data-protection compliance consultant.

12. Finally, and you will be glad to know this is the end of the list, the GDPR has an international flavour in that multinational organisations will report into the EU Lead Supervisory Authority. This will manage the process centrally while consulting national data authorities.

The GDPR is a project we all need to complete. If we are out of line, it is in our interests to get things straightened out. Once everything is in place, the task should not be too onerous. Getting there could be the pain.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
Operational Reviews

IT OPERATIONAL REVIEWS DEFINED
An IT operational review is an in-depth and objective review of an entire organisation or a specific segment of that organisation. It can be used to identify and address existing concerns within your company such as communication issues between departments, problems with customer relations, operating procedures, lack of profitability issues, and other factors that affect the stability of the business.
Operational reviews allow the organisation members to evaluate how well they are performing, given that they perform appropriately according to the procedures set by them, allocating their resources properly, and performing such tasks within time frame set and using cost-effective measures. More importantly, it also shows your company how well it is prepared to meet future challenges.
Simply put, the goals of an operational review are to increase revenue, improve market share, and reduce cost.

THE BENEFITS OF AN IT OPERATIONAL REVIEW
The main objective of IT operational reviews is to help organisations like yours learn how to deal with and address issues, instead of simply reacting to the challenges brought about by growth and change.
In such review, the information provided is practical from both a financial and operational perspective. Using these data, the management can then come up with recommendations, which are not only realistic, but more importantly, can help the organisation achieve its goals. The review recognises the extent to which your internal controls actually work, and enables you to identify and understand your strengths, weaknesses, opportunities and threats

To be more specific, let’s list down the ways wherein an effective operational review can contribute to the success of the organisation.

The review process can:
– assess compliance within your own organisational objectives, policies and procedures;
– evaluate specific company operations independently and objectively;
– give an impartial assessment regarding the effectiveness of an organisation’s control systems;
– identify the appropriate standards for quantifying achievement of organisational objectives;
– evaluate the reliability and value of the company?s management data and reports;
– pinpoint problem areas and their underlying causes;
– give rise to opportunities that may increase profit, augment revenue, and reduce costs without sacrificing the quality of the product or service.
Thus, each operational review conducted is unique, and can be holistic or specific to the activities of one department.

Our Operational Efficiencies cover the entire spectrum:

  • What to buy
  • Optimising what you’ve already bought e.g. underutilised servers, duplicate processes, poorly managed bandwidths
  • Making your team comfortable with the changes
  • Instilling Best Practices

UNCOVER WAYS TO DRIVE YOUR PROFITS UP, THROUGH OPERATIONAL REVIEWS

More Operational Review Blogs


Carrying out an Operational Review


Operational Reviews


Operational Efficiency Initiatives


Operational Review Defined

Top 3 reasons to get into Multi-Channel Retail

Multi-channel retail, which nowadays understandably includes online channels, is something you just have to do this year. Every single day you put off doing it, the competition gobbles up market share that should have been yours. There are a number of reasons why even successful retailers are now going into multi-channel retailing. Here?s three of the most important ones.

1. You’ll get a BIG jump in sales

Not counting this year, which could be getting a big boost from major activities like the Queen?s Diamond Jubilee and the 2012 Olympics, sales of UK retailers have been experiencing tremendous growth particularly from their online channels. Already two years ago (2010), a number of UK retailers boasted significant increases in sales as a result of multi-channel retail initiatives. These retailers included:

  • Argos, which got a whopping ?1.9bn from multichannel sales back then;
  • House of Fraser, which reported a 150% jump in its online sales in just 6 months; and
  • Debenhams, whose profits rose by 20%

There were many others. Now, the reason I?m showing you 2010 figures is because online retail sales increased by 14% in 2011 and those same businesses still added to that growth. So, if only you had enough foresight and started expanding your business to the Web two years ago, you could just imagine what your sales would have been today.

The good news is that, it’s not yet too late if you start now. Here?s why…

2. Those numbers are going to keep on growing

We’re getting all sorts of predictions from leading researchers regarding the possible growth of the Internet economy. All these predictions have one thing in common. They all have a positive outlook. The Boston Consulting Group (BCG), for instance, predicts an average growth of no less than 10% per year in the G-20 nations.

3. Most online retailers aren’t doing it right yet

Although many retailers have already started bringing their business to the Web, most of them are doing it the wrong way. For example, many of them fail to integrate their offline and online channels. This is a serious shortcoming because it leads to customer dissatisfaction.

When a customer goes to your website and sees something he likes, you wouldn’t want him to drive all the way to your store only to find out that the item isn’t available there or, if the item is there, that it isn’t priced as he expected. The lack of multi-channel integration is very common among multi-channel retailers.

These inadequacies are actually good news because it means there are still many areas you can improve on. After improving on them, you can then highlight those areas as your key differentiators.

If you’re still looking for more reasons on why you should go into multi-channel retailing, read this post:

5 Numbers Showing Why the Time to Invest on eCommerce in the UK is Now

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Ready to work with Denizon?

Contact Us Today