How To Get Started with your IT Compliance Efforts for SOX

There’s no question about it. For many of you top executives in the corporate world, all roads leading to a brighter future have to go through SOX compliance. And because the business processes that contribute to financial reporting (the crux of the Sarbanes-Oxley Act) are now highly reliant on IT systems, it is important to focus a good part of your attention there.

It is a long and arduous path to IT compliance, so if you don’t want your company to fall by the wayside due to inefficient utilisation of resources, it is important to set out with a plan on hand. What we have here are some vital information that will guide you in putting together a sound plan for SOX compliance of your company?s IT systems.

Why focus on IT systems for SOX compliance?

We’ll get to that. But first, let’s take up the specific portions of the Sarbanes-Oxley Act that affect information technology. These portions can be found in Section 302 and Section 404 of the act.

In simplified form, Section 302 grants the SEC (Securities and Exchange Commission) authority to come up with rules requiring you, CEOs and CFOs, to certify in each annual or quarterly financial report the following:

  • that you have reviewed the report;
  • that based on your knowledge, the report does not contain anything or leave out anything that would render it misleading;
  • that based on your knowledge, all financial information in the report fairly represent the financial conditions of the company;
  • that you are responsible for establishing internal controls over financial reporting; and
  • that you have assessed the effectiveness of the internal controls.

Similarly, Section 404, stated in simplified form, allows the SEC to come up with rules requiring you, CEOs and CFOs, to add an internal control report to each annual financial report stating that you are responsible for establishing internal controls over financial reporting.

You are also required to assess the effectiveness of those controls and to have a public accounting firm to attest to your assessment based upon standards adopted by the Public Company Accounting Oversight Board (PCAOB).

While there is no mention of IT systems, IT systems now play a significant role in financial reporting. Practically all of the data you need for your financial reports are stored, retrieved and processed on IT systems, so you really have to include them in your SOX compliance initiatives and establish controls on them.

Now that that’s settled, your next question could very well be: How do you know what controls to install and whether those controls are already sufficient to achieve compliance?

Finding a suitable guide for IT compliance

The two bodies responsible for setting rules and standards dealing with SOX, SEC and PCAOB, point to a well-established control framework for guidance – COSO. This framework was drafted by the Committee of Sponsoring Organisations of the Treadway Commission (COSO) and is the most widely accepted control framework in the business world.

However, while COSO is a tested and proven framework, it is more suitable for general controls. What we recommend is a widely-used control framework that aligns well with COSO but also caters to the more technical features and issues that come with IT systems.

Taking into consideration those qualifiers, we recommend COBIT. COBIT features a well thought out collection of IT-related control objectives grouped into four domains: Plan and Organise (PO), Acquire and Implement (AI), Deliver and Support (DS), and Monitor and Evaluate (ME). The document also includes maturity models, performance goals and metrics, and activity goals.

A few examples of COBIt’s detailed control objectives are:

DS4.2 – IT Continuity Plans
DS4.9 – Offsite Backup Storage
DS5.4 – User Account Management
DS5.8 – Cryptographic Key Management
DS5.10 – Network Security
DS5.11 – Exchange of Sensitive Data

By those titles alone, you can see that the framework is specifically designed for IT. But the document is quite extensive and, chances are, you won’t need all of the items detailed there. Furthermore, don’t expect COBIT to specify a control solution controls for every control objective. For example, throughout the control objective DS4 (Ensure Continuous Service), you won’t find any mention of virtualisation, which is common in any modern business continuity solution.

Basically, COBIT will tell you what you need to attain in order to achieve effective governance, management and control, but you’ll have to pick the solution best suited to reach that level of attainment.

Articles highly relevant to the one you just read:

Month End Accounting The Way It Should Be Today
Spreadsheet Woes ? Burden in SOX Compliance and Other Regulations
Spreadsheet Woes ? Limited Features For Easy Adoption of a Control Framework
How Internal Auditors Can Win The War Against Spreadsheet Fraud

Check our similar posts

Which KPI?s to Use in CRM

Customer relationship management emerged in the 1980?s in the form of database marketing. In those tranquil pre-social media days, the possibility of ?managing? clients may have been a possibility although Twitter and Facebook took care of that. Modern managers face a more dynamic environment. If you are one, then what are the trends you should be monitoring yourself (as opposed to leaving it to others).

If you want to drip feed plants, you have to keep the flow of liquid regular. The same applies to drip-feed marketing. Customers are fickle dare we say forgetful. Denizon recommends you monitor each department in terms of Relationship Freshness. When were the people on your list last contacted, and what ensued from this?

Next up comes the Quality of Engagements that follow from these efforts. How often do your leads respond at all, and how many interfaces does it take to coax them into a decision? You need to relate this to response blocks and unsubscribes. After a while you will recognise the tipping point where it is pointless to continue.

Response Times relate closely to this. If your marketing people are hot then they should get a fast response to sales calls, email shots and live chats. It is essential to get back to the lead again as soon as possible. You are not the only company your customers are speaking too. Fortune belongs to the fast and fearless.

The purpose of marketing is to achieve Conversions, not generate data for the sake of it. You are paying for these interactions and should be getting more than page views. You need to drill down by department on this one too. If one team is outperforming another consider investing in interactive training.

Finally Funnel Drop-Off Rate. Funnel analysis identifies the points at which fish fall off the hook and seeks to understand why this is happening. If people click your links, make enquiries and then drift away, you have a different set of issues as opposed to if they do not respond at all.

You should be able to pull most of this information off your CRM system if it is half-decent, although you may need to trigger a few options and re orientate reporting by your people in the field. When you have your big data lined up speak to us. We have a range of data analysts brimming over with fresh ideas.

Month End Accounting the way it should Be Today

Month end accounting has always been a business critical exercise. Without the balance sheet, income statement, and other financial reports this exercise ultimately produces, management could not make informed decisions to keep the company in the right direction and at the ideal operational speed.

Now, in order to maintain optimal business velocity, month end activities have to be carried out as swiftly and as accurately as possible. Delays will only inhibit managers from reacting and effecting necessary adjustments in time. Inaccurate information, on the other hand, obviously lead to bad decisions.

But that’s not all. Never has the month end close been as demanding as it is today. Regulations like the Sarbanes-Oxley Act, Solvency II, Dodd-Frank Act, and others, which call for more stringent controls and more robust risk management practices, are now forcing companies to find better ways to face the end of the month.

Sticking to old month-end practices while striving to achieve regulation compliance can either cost a company more (if they add manpower) or simply bog it down (if they don’t). Among the worst of these practices is the use of spreadsheets.

These User Developed Applications (UDAs) are very susceptible to errors. (See spreadsheet risks)

What’s more, consolidating data from spreadsheets as well as carrying out reconciliations on them is very time consuming. These activities usually require data from outside sources – i.e. a workstation in a different department, building, or (in the case of really large corporations) geographical locations.

Furthermore, if one of these sources fail, the financial reports won’t be complete. This is not a far-fetched scenario, considering that spreadsheet storage and backup is typically carried out by the average end user. This leaves the spreadsheet data vulnerable to hard disk crashes, virus attacks, and unexpected disasters.

Thus, in order to produce accurate financial reports on time all the time, you need a financial/IT solution that offers optimal provisions for risk management, collaboration, backup, and business continuity. Learn about server-based solutions and discover a better way to carry out month end accounting.

Saving Energy Step 3 ? Towards a Variable Energy Bill

Do you remember the days when energy was so cheap we paid the bill almost without thinking about it? Things have changed and we have the additional duty of reducing consumption to help save the planet. This is the third article in our mini-series on saving energy. It follows on from the first that explored implementing a management system, and the second listing practical things to implement on the shop floor. These open up the possibility of the variable energy bill we expand on as follows.

If ?variable energy bill? sounds strange to you, I used the unusual turn of phrase to encourage you to view things in a different light. We need to move on from the ?pie chart? mentality where we focus on the biggest numbers like materials, facilities and labour, and zoom in on energy where we can achieve similar gains faster with less pain. But first, we need to see beyond the jargon that governments and consultants love, and get to grips with the reality that we can vary our energy bill and bring cost down.

As executives we recognise this, although other pressures distract us from accepting it as a personal goal. And so we delegate it down the organisation to a level where it becomes ?another crazy management idea? we have to follow to stay out of trouble. I read somewhere that half the world?s organisations do not have energy as a defined objective to monitor in the C Suite. No wonder commerce is only pecking away at energy wastage at a rate of 1% per year.

Find out where you are ?spending energy? and relate this to your core business. If there are places where you are unable to make a connection, challenge the activity?s right to exist. Following the energy trail produces unexpected benefits because it permeates everything we do.

  • Improved product design reducing time spent in factory
  • Streamlined production schedules reducing machine run times
  • Less wear on equipment reducing costly maintenance
  • A more motivated workforce that is prouder of ?what we do?

As you achieve energy savings you can pass these on in terms of lower prices and greater market share. All this and more is possible when you focus on the variables behind your energy bill. Run the numbers. It deserves more attention than it often gets.

Ready to work with Denizon?

Contact Us Today