I have established SOX IT compliance objectives from scratch for companies that merged and went public. This involved working with management and external auditors, and also training control owners to ensure that smooth and continuous operations were maintained. Below are some of the best practices from years of experience within the SOX IT domain:

1. Understand SOX Requirements

Objective: Educate control owners and stakeholders on the requirements of the Sarbanes-Oxley Act, especially Section 404, which covers management's assessment of internal control over financial reporting (ICFR).

2. Assessment – Current State Vs. Compliance State

Objective: Conduct a comprehensive assessment of the current IT risk landscape to identify the key applications and systems likely to be in SOX scope, and evaluate the controls in place over them to identify compliance gaps (deficiencies).

  • Evaluate Existing Controls: Review current IT processes, controls, and policies.

  • Risk Assessment: Identify potential risks that could affect the accuracy and integrity of financial reporting.

3. Form a SOX IT Compliance Team

Objective: Assemble a cross-functional team that includes IT, finance, and compliance experts. The company can also adopt a three lines of defense (3LOD) model, with control owners as the first line, risk and compliance functions as the second, and internal audit as the third.

  • Roles and Responsibilities: Develop a RACI matrix that clearly defines and articulates the roles and responsibilities of each stakeholder.

  • Training: Provide training on SOX requirements and the importance of IT controls in financial reporting.

4. Develop a SOX Compliance Framework

Objective: Create the company's framework, together with the policies, standards and guidelines, that outline the processes, controls, and documentation required to achieve SOX compliance. The NIST frameworks and ISACA's COBIT can be referenced for guidance.

  • Policy Development: Develop IT policies and procedures that align with SOX requirements.

  • Control Implementation: Implement controls around access management, change management, data protection, and incident response.

5. Implement IT Controls for In-Scope Systems

Objective: Implement and strengthen IT controls to ensure the integrity and accuracy of financial data. High level objectives are outlined below:

  • Access Controls: Ensure that access to financial systems and data is restricted to authorized personnel only.

  • Change Management: Implement change management processes to track and approve changes to IT systems.

  • Computer Operations: Ensure backups and data recovery are in place and tested, and that scheduled batch jobs are monitored, with failures logged, escalated and resolved.

  • Incident Response: Develop, implement, and periodically assess an incident response plan for resolving process and system issues that could affect financial data.

  • Data Reporting: Ensure data integrity, meaning the accuracy and completeness of transactions, throughout their journey from initiation to the financial reports.

6. Conduct Regular Audits and Reviews

Objective: Ensure continuous compliance by conducting regular audits and reviews of IT controls.

  • Internal Audits: Internal Audit conducts regular independent audits to review the operating effectiveness of the IT controls. All in-scope systems should be evaluated so that testing covers the entire reporting period, and any significant changes to technology, processes and people should also be evaluated.

  • External Audits: Management should engage the external auditors, who perform their own independent testing of the controls.

7. Continuous Improvement

Objective: Create a culture of continuous improvement to adapt to new threats and compliance requirements.

  • Monitor and Update Controls: Management should regularly review and update controls to address new risks and regulatory changes.

  • Automate: Opportunities to automate the analysis of recurring, labor-intensive test steps should be considered, to move toward a continuous audit approach and save on human resources. Typically I have automated reconciliation of system data for baseline configuration checks, user provisioning/deprovisioning, etc.

  • Training and Awareness: Continuously educate employees on the importance of IT controls and regulatory compliance.
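As an added example (not code from the original post), the following Python script shows the kind of automated reconciliation the bullet above refers to: it checks a user export from an in-scope application against the HR roster for terminated users whose access is still enabled, orphaned accounts with no HR record, and a segregation-of-duties conflict, and it compares the application's security settings against a baseline. The HR roster, user export, one-day deprovisioning SLA, segregation-of-duties rule and baseline values are all constructed assumptions for illustration, not data from any real system.

```python
"""Automated SOX ITGC reconciliation checks (added example with constructed data).

Inputs are assumptions: an HR roster (source of truth for terminations), a user
export from an in-scope financial application, and that application's security
configuration compared against an agreed baseline.
"""
import operator
from dataclasses import dataclass
from datetime import date, timedelta

# --- Constructed sample inputs -------------------------------------------------
REVIEW_DATE = date(2024, 3, 31)
DEPROVISION_SLA_DAYS = 1  # assumed policy: access disabled within 1 day of termination

HR_ROSTER = {
    "alice": {"status": "active", "term_date": None},
    "bob": {"status": "terminated", "term_date": date(2024, 3, 1)},
    "carol": {"status": "terminated", "term_date": date(2024, 3, 30)},  # still inside the SLA
}

APP_USERS = [
    {"login": "alice", "enabled": True, "roles": {"AP_INVOICE_ENTRY"}, "last_login": date(2024, 3, 25)},
    {"login": "bob", "enabled": True, "roles": {"GL_JOURNAL_POST", "GL_JOURNAL_APPROVE"}, "last_login": date(2024, 3, 10)},
    {"login": "carol", "enabled": True, "roles": {"AR_CASH_APPLY"}, "last_login": date(2024, 3, 28)},
    {"login": "svc_batch", "enabled": True, "roles": {"SYS_ADMIN"}, "last_login": None},  # no HR record
]

# Assumed segregation-of-duties rule: nobody may both post and approve journal entries.
SOD_CONFLICTS = [({"GL_JOURNAL_POST", "GL_JOURNAL_APPROVE"}, "post and approve journal entries")]

# Assumed configuration baseline (setting -> (comparison, required value)) and actual settings.
OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq}
BASELINE = {
    "password_min_length": (">=", 12),
    "lockout_threshold": ("<=", 5),
    "audit_log_enabled": ("==", True),
    "session_timeout_min": ("<=", 30),
}
ACTUAL_CONFIG = {"password_min_length": 8, "lockout_threshold": 5, "audit_log_enabled": True, "session_timeout_min": 30}


@dataclass(frozen=True)
class Finding:
    control: str  # the ITGC control the exception relates to
    subject: str  # account or setting
    detail: str


def reconcile_terminations(roster, users, review_date=REVIEW_DATE, sla_days=DEPROVISION_SLA_DAYS):
    """Flag terminated employees still enabled after the SLA, and any login after the termination date."""
    findings = []
    for u in users:
        rec = roster.get(u["login"])
        if rec is None or rec["status"] != "terminated":
            continue
        deadline = rec["term_date"] + timedelta(days=sla_days)
        if u["enabled"] and review_date > deadline:
            findings.append(Finding("Access - deprovisioning", u["login"],
                                    f"terminated {rec['term_date']} but still enabled on {review_date}"))
        if u["last_login"] and u["last_login"] > rec["term_date"]:
            findings.append(Finding("Access - deprovisioning", u["login"],
                                    f"logged in on {u['last_login']} after termination on {rec['term_date']}"))
    return findings


def find_orphan_accounts(roster, users):
    """Enabled accounts with no HR record (service or shared accounts) need a named owner and review."""
    return [Finding("Access - account ownership", u["login"], "no matching HR record; confirm owner and business need")
            for u in users if u["enabled"] and u["login"] not in roster]


def check_sod(users, rules=SOD_CONFLICTS):
    """Flag enabled users holding every role of a conflicting combination."""
    return [Finding("Access - segregation of duties", u["login"], f"can {desc}")
            for u in users if u["enabled"] for conflict, desc in rules if conflict <= u["roles"]]


def check_baseline(actual, baseline=BASELINE):
    """Compare each actual setting against the baseline; a missing setting is also an exception."""
    findings = []
    for setting, (op, expected) in baseline.items():
        got = actual.get(setting)
        if got is None or not OPS[op](got, expected):
            findings.append(Finding("Configuration - baseline", setting, f"expected {op} {expected!r}, found {got!r}"))
    return findings


def run_all():
    """Run every check over the constructed inputs and return the combined exception list."""
    return (reconcile_terminations(HR_ROSTER, APP_USERS) + find_orphan_accounts(HR_ROSTER, APP_USERS)
            + check_sod(APP_USERS) + check_baseline(ACTUAL_CONFIG))


if __name__ == "__main__":
    for f in run_all():
        print(f"[{f.control}] {f.subject}: {f.detail}")
```

The output is an exception list rather than a pass/fail flag, because each finding becomes a ticket for the control owner and a piece of evidence for the tester; the login-after-termination check is kept separate from the enabled-past-SLA check because it is the stronger evidence that the control actually failed, not merely ran late.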

8. Reporting

Objective: Maintain transparent and comprehensive reporting to stakeholders.

  • Documentation: Keep detailed documentation of all controls, processes, and audit results.

  • Communicate with Stakeholders: Regularly update stakeholders on the status of SOX compliance efforts.

Following these steps may help the company establish a strong SOX IT compliance structure, while ensuring the integrity and reliability of the organization's financial reporting.