How To Get Started with your IT Compliance Efforts for SOX

There’s no question about it. For many of you top executives in the corporate world, all roads leading to a brighter future have to go through SOX compliance. And because the business processes that contribute to financial reporting (the crux of the Sarbanes-Oxley Act) are now highly reliant on IT systems, it is important to focus a good part of your attention there.

It is a long and arduous path to IT compliance, so if you don’t want your company to fall by the wayside due to inefficient utilisation of resources, it is important to set out with a plan on hand. What we have here are some vital information that will guide you in putting together a sound plan for SOX compliance of your company?s IT systems.

Why focus on IT systems for SOX compliance?

We’ll get to that. But first, let’s take up the specific portions of the Sarbanes-Oxley Act that affect information technology. These portions can be found in Section 302 and Section 404 of the act.

In simplified form, Section 302 grants the SEC (Securities and Exchange Commission) authority to come up with rules requiring you, CEOs and CFOs, to certify in each annual or quarterly financial report the following:

  • that you have reviewed the report;
  • that based on your knowledge, the report does not contain anything or leave out anything that would render it misleading;
  • that based on your knowledge, all financial information in the report fairly represent the financial conditions of the company;
  • that you are responsible for establishing internal controls over financial reporting; and
  • that you have assessed the effectiveness of the internal controls.

Similarly, Section 404, stated in simplified form, allows the SEC to come up with rules requiring you, CEOs and CFOs, to add an internal control report to each annual financial report stating that you are responsible for establishing internal controls over financial reporting.

You are also required to assess the effectiveness of those controls and to have a public accounting firm to attest to your assessment based upon standards adopted by the Public Company Accounting Oversight Board (PCAOB).

While there is no mention of IT systems, IT systems now play a significant role in financial reporting. Practically all of the data you need for your financial reports are stored, retrieved and processed on IT systems, so you really have to include them in your SOX compliance initiatives and establish controls on them.

Now that that’s settled, your next question could very well be: How do you know what controls to install and whether those controls are already sufficient to achieve compliance?

Finding a suitable guide for IT compliance

The two bodies responsible for setting rules and standards dealing with SOX, SEC and PCAOB, point to a well-established control framework for guidance – COSO. This framework was drafted by the Committee of Sponsoring Organisations of the Treadway Commission (COSO) and is the most widely accepted control framework in the business world.

However, while COSO is a tested and proven framework, it is more suitable for general controls. What we recommend is a widely-used control framework that aligns well with COSO but also caters to the more technical features and issues that come with IT systems.

Taking into consideration those qualifiers, we recommend COBIT. COBIT features a well thought out collection of IT-related control objectives grouped into four domains: Plan and Organise (PO), Acquire and Implement (AI), Deliver and Support (DS), and Monitor and Evaluate (ME). The document also includes maturity models, performance goals and metrics, and activity goals.

A few examples of COBIt’s detailed control objectives are:

DS4.2 – IT Continuity Plans
DS4.9 – Offsite Backup Storage
DS5.4 – User Account Management
DS5.8 – Cryptographic Key Management
DS5.10 – Network Security
DS5.11 – Exchange of Sensitive Data

By those titles alone, you can see that the framework is specifically designed for IT. But the document is quite extensive and, chances are, you won’t need all of the items detailed there. Furthermore, don’t expect COBIT to specify a control solution controls for every control objective. For example, throughout the control objective DS4 (Ensure Continuous Service), you won’t find any mention of virtualisation, which is common in any modern business continuity solution.

Basically, COBIT will tell you what you need to attain in order to achieve effective governance, management and control, but you’ll have to pick the solution best suited to reach that level of attainment.

Articles highly relevant to the one you just read:

Month End Accounting The Way It Should Be Today
Spreadsheet Woes ? Burden in SOX Compliance and Other Regulations
Spreadsheet Woes ? Limited Features For Easy Adoption of a Control Framework
How Internal Auditors Can Win The War Against Spreadsheet Fraud

Check our similar posts

A Definitive List of the Business Benefits of Cloud Computing ? Part 4

Lowers cost of analytics

Big data and business intelligence (BI) have become the bywords in the current global economy. As consumers today browse, buy, communicate, use their gadgets, and interact on social networks, they leave in their trail a whole lot of data that can serve as a goldmine of information organisations can glean from. With such information at the disposal of or easily obtainable by businesses, you can expect that big data solutions will be at the forefront of these organisations’ efforts to create value for the customer and gain advantage over competitors.

Research firm Gartner’s latest survey of CIOs which included 2,300 respondents from 44 countries revealed that the three top priority investments for 2012 to 2015 as rated by the CIOs surveyed are Analytics and Business Intelligence, Mobile Technologies, and Cloud Computing. In addition, Gartner predicts that about $232 million in IT spending until 2016 will be driven by big data. This is a clear indication that the intelligent use of data is going to be a defining factor in most organisations.

Yet while big data offers a lot of growth opportunities for enterprises, there remains a big question on the capability of businesses to leverage on the available data. Do they have the means to deploy the required storage, computing resources, and analytical software needed to capture value from the rapidly increasing torrent of data?

Without the appropriate analytics and BI tools, raw data will remain as it is – a potential source of valuable information but always unutilised. Only when they can take the time, complexity and expense out of processing huge datasets obtained from customers, employees, consumers in general, and sensor-embedded products can businesses hope to fully harness the power of information.

So where does the cloud fit into all these?

Access to analytics and BI solutions have all too often been limited to large corporations, and within these organisations, a few business analysts and key executives. But that could quickly become a thing of the past because the cloud can now provide exactly what big data analytics requires – the ability to draw on large amounts of data and massive computing power – at a fraction of the cost and complexity these resources once entailed.

At their end, cloud service providers already deal with the storage, hardware, software, networking and security requirements needed for BI, with the resources available on an on-demand, pay-as-you-go approach. In doing so, they make analytics and access to relevant information simplified, and therefore more ubiquitous in the long run.

As the amount of data continues to grow exponentially on a daily basis, sophisticated analytics will be a priority IT technology across all industries, with organisations scrambling to find impactful insights from big data. Cloud-based services ensure that both small and large companies can benefit from the significantly reduced costs of BI solutions as well as the quick delivery of information, allowing for precise and insightful analytics as close to real time as possible.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
Are Target Operating Models strategic compasses?

The short answer is they usually are, because every organisation needs a road-map of where they are going. Target operating models can be complex documents with illustrative details including project management structures, special tools, implementation procedures and management metrics. They can also be simple statements, as for example Winston Churchill?s promise that ?we shall fight them on the beaches, on the landing grounds and in the fields? which gave Britain the strategic direction it needed.

Many initiatives unfortunately fail because managers are ?too busy? to bottom on what their target operating model should say, or simply don’t believe in paperwork. As a result, promising initiatives may blunder off course or die a slow death without them really noticing. We cannot manage what we cannot measure, which is where the management metrics fit in. One of my favourite quotes is ?if you don’t know where you are going any road will get you there? which is what the Cheshire Cat said to Alice in Wonderland when she got lost.

The author blundered through life without a plan because there was no one else with his particular brand of imagination. The current business climate is different because everybody is trying to ramp up, and investors want to know exactly what is going to happen to their money and by when. Hence a target operating model can be indispensable throughout a change or product cycle.

The benefits of having a measurable operations / technology plan can produce powerfully tangible results if the organisation follows through on it. Built-in metrics with milestones are powerful tool for management, and, when they map through to the company financial plan almost irreplaceable as cash-flow forecasters.

Other benefits may include:

  • Shorter times to market and greater agility when launching new ideas
  • Reduced investor risk through a predictable process that’s readily monitored
  • A stable operating environment where there is consensus on direction
  • Greater likelihood of delivering on time and leading to repeat orders
  • A more cost-effective process, with less risk of loss of quality and money

Although it dates back a few years the Wills UK and Ireland Retail model still provides an excellent benchmark of a target operating plan that worked. The strategic goals were exceptionally clear, and they brought in a proven project manager to help them drive the program forward.

We have delivered advanced business management services to many of our clients, and believe you will find our personalised approach time-efficient and effective too.

Align IT Investments With Organization Goals

While some organisation leaders loathe spending on IT, a growing number are already convinced of the necessity of investing in it. Unfortunately, a substantial fraction of those convinced to pursue IT investments are misguided as to which initiatives are really contributory to reaching their organisation’s goals.

In the end, many of their purchases either end up underutilised or become white elephants altogether. There are also those difficult to spot – IT purchases that do become integrated into daily operations but have little effect on the organisation’s growth, positioning, profitability, or efficiency.

If a purchase is to cost your company a fortune, then its positive impact on established company objectives should reflect accordingly. But how would you know it would? You can’t hope to foresee all its benefits especially if the IT solution is still quite new to you.

Our job is not only to identify the strengths of an IT system but also to determine whether these strengths are at all useful to your organisation’s thrusts.

Basically, here’s what we’ll do:

  • Conduct a rigorous analysis of your organisation to determine the specific and overall impact of certain IT solutions. We’ll be looking for areas where the effects of IT can result in the most rapid reduction of costs and, at the same time, drive the organisation in the direction of its established goals.
  • Propose cohesive best-of-breed solutions in line with the results of our analysis. Our familiarity with the IT landscape and our extensive selection of contacts in the industry will allow us to conduct insightful picks from a vast field of choices.
  • Establish best practices to make sure IT investments are optimally utilised.
  • Perform periodic reviews to ensure practices and processes are still in line with the established goals.

Find out how we can increase your efficiency even more:

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Ready to work with Denizon?

Contact Us Today