How To Get Started with your IT Compliance Efforts for SOX

There’s no question about it. For many of you top executives in the corporate world, all roads leading to a brighter future have to go through SOX compliance. And because the business processes that contribute to financial reporting (the crux of the Sarbanes-Oxley Act) are now highly reliant on IT systems, it is important to focus a good part of your attention there.

It is a long and arduous path to IT compliance, so if you don’t want your company to fall by the wayside due to inefficient utilisation of resources, it is important to set out with a plan on hand. What we have here are some vital information that will guide you in putting together a sound plan for SOX compliance of your company?s IT systems.

Why focus on IT systems for SOX compliance?

We’ll get to that. But first, let’s take up the specific portions of the Sarbanes-Oxley Act that affect information technology. These portions can be found in Section 302 and Section 404 of the act.

In simplified form, Section 302 grants the SEC (Securities and Exchange Commission) authority to come up with rules requiring you, CEOs and CFOs, to certify in each annual or quarterly financial report the following:

  • that you have reviewed the report;
  • that based on your knowledge, the report does not contain anything or leave out anything that would render it misleading;
  • that based on your knowledge, all financial information in the report fairly represent the financial conditions of the company;
  • that you are responsible for establishing internal controls over financial reporting; and
  • that you have assessed the effectiveness of the internal controls.

Similarly, Section 404, stated in simplified form, allows the SEC to come up with rules requiring you, CEOs and CFOs, to add an internal control report to each annual financial report stating that you are responsible for establishing internal controls over financial reporting.

You are also required to assess the effectiveness of those controls and to have a public accounting firm to attest to your assessment based upon standards adopted by the Public Company Accounting Oversight Board (PCAOB).

While there is no mention of IT systems, IT systems now play a significant role in financial reporting. Practically all of the data you need for your financial reports are stored, retrieved and processed on IT systems, so you really have to include them in your SOX compliance initiatives and establish controls on them.

Now that that’s settled, your next question could very well be: How do you know what controls to install and whether those controls are already sufficient to achieve compliance?

Finding a suitable guide for IT compliance

The two bodies responsible for setting rules and standards dealing with SOX, SEC and PCAOB, point to a well-established control framework for guidance – COSO. This framework was drafted by the Committee of Sponsoring Organisations of the Treadway Commission (COSO) and is the most widely accepted control framework in the business world.

However, while COSO is a tested and proven framework, it is more suitable for general controls. What we recommend is a widely-used control framework that aligns well with COSO but also caters to the more technical features and issues that come with IT systems.

Taking into consideration those qualifiers, we recommend COBIT. COBIT features a well thought out collection of IT-related control objectives grouped into four domains: Plan and Organise (PO), Acquire and Implement (AI), Deliver and Support (DS), and Monitor and Evaluate (ME). The document also includes maturity models, performance goals and metrics, and activity goals.

A few examples of COBIt’s detailed control objectives are:

DS4.2 – IT Continuity Plans
DS4.9 – Offsite Backup Storage
DS5.4 – User Account Management
DS5.8 – Cryptographic Key Management
DS5.10 – Network Security
DS5.11 – Exchange of Sensitive Data

By those titles alone, you can see that the framework is specifically designed for IT. But the document is quite extensive and, chances are, you won’t need all of the items detailed there. Furthermore, don’t expect COBIT to specify a control solution controls for every control objective. For example, throughout the control objective DS4 (Ensure Continuous Service), you won’t find any mention of virtualisation, which is common in any modern business continuity solution.

Basically, COBIT will tell you what you need to attain in order to achieve effective governance, management and control, but you’ll have to pick the solution best suited to reach that level of attainment.

Articles highly relevant to the one you just read:

Month End Accounting The Way It Should Be Today
Spreadsheet Woes ? Burden in SOX Compliance and Other Regulations
Spreadsheet Woes ? Limited Features For Easy Adoption of a Control Framework
How Internal Auditors Can Win The War Against Spreadsheet Fraud

Check our similar posts

Server Application Solutions – Don’t Let Spreadsheets Hold Your Business Back

The problems and limitations of spreadsheet-based systems are well documented. That’s why we at Denizon have come up with ways to give you freedom from these UDAs (User Developed Applications). With the server application solutions we offer, your IT and financial system can be:

Totally devoid of spreadsheet risks

By getting rid of spreadsheets, you also get rid of broken links, incomplete range selections, accidental deletion of cells, incorrect copy-pasting and other spreadsheet-related slip-ups.

In their place, we offer a faster but more robust and reliable centralised system. Errors are substantially minimised by built-in controls, while inconsistencies are avoided because changes made by one user are automatically reflected on the data delivered to others.

Built-in business-critical controls

Some solutions are designed to add control features on spreadsheets. We believe that such features can only be truly effective in today?s fast-paced and dynamic business environment if they are already inherent in the design of the IT solution; not something that’s merely added as an afterthought.

For one, while these band-aid solutions may succeed in adding controls, they don’t get rid of the slow, tedious, and time-consuming processes that accompany spreadsheet systems.

Less prone to fraud

Weak controls and the absence of reliable audit trails are two factors that encourage fraudsters to prey on spreadsheet systems.

With our server-based applications solutions, your data is protected by user-based access controls that allow users to see only the information that they’re supposed to see and modify data which they have been granted sufficient access rights to.

Our solutions also produce clear audit trails for painless tracking, viewing and searching of user-entered changes. This will enable you to pinpoint who changed what, as well as where and when the changes were made.

Ready for regulatory compliance and beyond

When better controls are enforced, financial reports become more reliable. That should give your company the edge it needs to easily comply with SOX as well as other regulations and, as a consequence, build stakeholder confidence.

And because our solutions can churn out accurate reports for regulation compliance at shorter turnaround times than spreadsheet systems, you end up saving more man-hours. That should give your team more time to innovate, analyse information and deliver goods or services to your customers faster.

Designed for agility

Let’s face it. Spreadsheets, which used to serve as nifty ad-hoc business tools, are no longer suitable for agile organisations. When faced with the demands of rapidly changing markets and dynamic environments, spreadsheets can instead slow a business down.

Multi-dimensional reports, dashboards, report filters, drill-downs, collaboration and automated reporting, budgeting and forecasting capabilities are needed for gaining insights and making fast critical decisions.

Sad to say, your trusty spreadsheet application is not designed to provide these features. Hence, it’s time to move on to the type of solutions that are.

Our solutions can transform your IT and financial systems and make them better-equipped to meet the demands of today?s rapidly changing economic environment. With features designed for agile businesses, our solutions can help you tackle change with ease.

Automatic consolidation eliminates errors and wasted time caused by tedious copy-pasting of data and linking of cells.

Better collaboration capabilities allows team members to bring their heads together for planning, budgeting and reporting even while on the go.

Mobility support enables users to input data or retrieve information through their wireless mobile devices.

Superior sharing features ensures that everyone is exactly on the same page and viewing real-time information.

Dashboards provide insightful information at-a-glance through KPIs, graphs and various metrics.

Drill-downs enable users to investigate unusual figures and gain a better understanding of the details that contribute to the big picture.

Easy to learn interfaces allow your organisation to cope with fast personnel turnaround or Mergers & Acquisitions.

More Spreadsheet Blogs


Spreadsheet Risks in Banks


Top 10 Disadvantages of Spreadsheets


Disadvantages of Spreadsheets – obstacles to compliance in the Healthcare Industry


How Internal Auditors can win the War against Spreadsheet Fraud


Spreadsheet Reporting – No Room in your company in an age of Business Intelligence


Still looking for a Way to Consolidate Excel Spreadsheets?


Disadvantages of Spreadsheets


Spreadsheet woes – ill equipped for an Agile Business Environment


Spreadsheet Fraud


Spreadsheet Woes – Limited features for easy adoption of a control framework


Spreadsheet woes – Burden in SOX Compliance and other Regulations


Spreadsheet Risk Issues


Server Application Solutions – Don’t let Spreadsheets hold your Business back


Why Spreadsheets can send the pillars of Solvency II crashing down

?

Advert-Book-UK

amazon.co.uk

?

Advert-Book-USA

amazon.com

IT Risk and Control Solutions Specialists – Why you need them more than ever

Over the years, the capabilities of IT systems have certainly grown by leaps and bounds. But so have the risks that accompany them. Countless threats to IT systems now exist that are capable of seriously disrupting business operations. That’s why companies have to conduct assessments aimed at making sure their systems are still capable of functioning effectively, efficiently, and securely all the time.

If you think you’ve been lucky enough to be spared from these threats, then maybe it’s because you haven’t conducted a risk assessment on your IT system recently. All too often, we hear of CIOs who believed their IT system was in tip-top condition, only to be later caught off-guard by a critical system breakdown that would eventually cripple their business for days or weeks.

More information assets to look after

If, before, you only had to worry about regular office applications, workstations, a LAN and a server, today’s varied and more sophisticated information assets are more challenging to maintain.

In addition to network operating systems, database management systems, content management systems, email systems, virtualization platforms, document management systems, business intelligence applications, and accounting software, a typical enterprise may also have to look after firewalls, intrusion detection systems, storage and backup systems, and data loss prevention systems, to mention a few.

These understandably require the services of experts spanning a wide range of skill sets.

Rising threats to corporate identity and privacy

Individuals are no longer just the ones being preyed upon by identity thieves. Businesses can now be subject to corporate identity theft as well. You could wake up one day finding your business already accused of carrying out illegal activities, a big chunk of your money gone, and your directors? seats already occupied by complete strangers.

To make things worse, corporate threats aren’t just coming from the outside.

Threats to corporate privacy, for instance, can come from within the organisation itself. Sensitive information like trade secrets and financial data are often leaked out (purposely or inadvertently) by employees. This is largely caused by the ever growing number of options for communications and transferring data (e.g. emails, instant messaging, blogs, social networking sites, ftp, P2P, etc.).

Greater challenges in designing, developing, and implementing policies and programs

Laws and regulations like SOX and Solvency II, which have direct impacts on IT, are on the rise. That is why corporate policies and programs now require sweeping changes. You now have to be more deliberate in integrating IT when establishing governance, internal controls, change management, incident management, and performance management.

A solid understanding on widely accepted frameworks and good practices like COBIT, COSO, and CMMI will help you considerably in such undertakings. Using these frameworks as guidelines will not only help you keep your policies and programs attuned to the times, they will also keep you in compliance with regulations.

Increasing demand for disaster recovery and business continuity capabilities

Every time you have a down time, you increase the probability of losing your customers to competitors. The longer the down time, the greater that probability becomes. Therefore, when a major disruption strikes, you should be able to recover at the soonest. If possible, you should be able to deliver products and services as usual.

This of course requires spending to increase your disaster recovery (DR) and business continuity (BC) capabilities. Are you ready for it? Migrating your IT infrastructure from traditional systems to the latest technologies that are better equipped for BC/DR requires careful planning and implementation to ensure an optimal return on investment.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
A Definitive List of the Business Benefits of Cloud Computing ? Part 4

Lowers cost of analytics

Big data and business intelligence (BI) have become the bywords in the current global economy. As consumers today browse, buy, communicate, use their gadgets, and interact on social networks, they leave in their trail a whole lot of data that can serve as a goldmine of information organisations can glean from. With such information at the disposal of or easily obtainable by businesses, you can expect that big data solutions will be at the forefront of these organisations’ efforts to create value for the customer and gain advantage over competitors.

Research firm Gartner’s latest survey of CIOs which included 2,300 respondents from 44 countries revealed that the three top priority investments for 2012 to 2015 as rated by the CIOs surveyed are Analytics and Business Intelligence, Mobile Technologies, and Cloud Computing. In addition, Gartner predicts that about $232 million in IT spending until 2016 will be driven by big data. This is a clear indication that the intelligent use of data is going to be a defining factor in most organisations.

Yet while big data offers a lot of growth opportunities for enterprises, there remains a big question on the capability of businesses to leverage on the available data. Do they have the means to deploy the required storage, computing resources, and analytical software needed to capture value from the rapidly increasing torrent of data?

Without the appropriate analytics and BI tools, raw data will remain as it is – a potential source of valuable information but always unutilised. Only when they can take the time, complexity and expense out of processing huge datasets obtained from customers, employees, consumers in general, and sensor-embedded products can businesses hope to fully harness the power of information.

So where does the cloud fit into all these?

Access to analytics and BI solutions have all too often been limited to large corporations, and within these organisations, a few business analysts and key executives. But that could quickly become a thing of the past because the cloud can now provide exactly what big data analytics requires – the ability to draw on large amounts of data and massive computing power – at a fraction of the cost and complexity these resources once entailed.

At their end, cloud service providers already deal with the storage, hardware, software, networking and security requirements needed for BI, with the resources available on an on-demand, pay-as-you-go approach. In doing so, they make analytics and access to relevant information simplified, and therefore more ubiquitous in the long run.

As the amount of data continues to grow exponentially on a daily basis, sophisticated analytics will be a priority IT technology across all industries, with organisations scrambling to find impactful insights from big data. Cloud-based services ensure that both small and large companies can benefit from the significantly reduced costs of BI solutions as well as the quick delivery of information, allowing for precise and insightful analytics as close to real time as possible.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Ready to work with Denizon?

Contact Us Today