Whitepaper
Finding Solutions to SOX Compliancy in IT Architecture Planning
Introduction
Beginning as a swift response of legislative action, the Sarbanes-Oxley Act of 2002 led us down the unlikely path from corporate ethics to IT implementations – demonstrating how inextricably linked business and IT are to each other in today’s corporations. Though SOX’s major provisions don’t mention IT controls explicitly, SOX has had wide-reaching implications for the IT department. Even audit results don’t reflect the enormous effort spent on IT in order to render an enterprise SOX-compliant.
Indeed, in the first SOX reporting period only 3% of material weaknesses were IT related (Footnote: Survey on Sarbanes-Oxley Compliance Practices Within IT Organizations and Businesses, Gartner, French Caldwell, Christine Adams, John Bace, 14 September 2006: ‘In a Gartner review of reports of material weaknesses submitted from the time that SOX Section 404 went into effect on 15 November 2004 through 30 April 2005 – a period that captured the majority of fiscal year 2004 SOX reports – IT accounted for only 3% of all reported material weaknesses.’). Yet, with IT being the underpinning of virtually all of a company’s financial reporting processes, it has the potential to be the cause of other material weaknesses. Thus, digging down to the roots is crucial.
The SOX provisions having the most relevance for IT call for CEO/CFO certification of financial reports, and assessment and disclosure of internal controls for financial reporting. The processing, storage and harvesting of the data that finds its way into financial reports, as well as the operation of the infrastructure and workflow systems supporting control-targeted business processes are performed under the auspices of IT. Thus IT has the task of scoping SOX-relevant systems, eliminating any risks posed to the systems, continuously monitoring, documenting and assessing the SOX-relevance of system changes, and reporting changes to the SOX project management office (PMO) as well as including the office in system change decisions.
Whereas SOX has undoubtedly put strains on IT organizations in companies of every size and in every industry (see sidebar), even IT professionals are quick to admit that the ‘Clean up your Act’-Act has brought about important improvements, notably:
- recognition of vulnerabilities in the IT area
- improved information system security
- better understanding and improvement of segregation of duties
- improved access controls and access monitoring
- improved test procedures and program change management
- improved processes to document policies, procedures, and controls (Footnote: Sarbanes Oxley Section 404 Work, Looking at the Benefits, IIA Research Foundation, January 2005)
as well as the ability to leverage the same technologies used for SOX compliance to support other compliance processes. Additionally, SOX has enhanced IT’s profile through recognition of its importance to business and has raised awareness for IT governance in calling for defined decision-making processes and documented plans, and in this context has led to a more engaged control environment with active participation by board, audit committee, management and other stakeholders (Sarbanes Oxley Section 404 Work, Looking at the Benefits, IIA Research Foundation, January 2005).
There are still benefits to be realized as companies begin to understand that SOX compliancy is not a one-time project but an on-going exercise in controls assessment in the evolution of a corporation’s IT landscape. In learning to anchor control processes and objectives in the IT architecture, enterprises will be able to identify and assess risk more effectively and achieve greater efficiencies in compliancy control.
Frameworks provide guidance for SOX compliancy
What are the essential activities for SOX compliancy? A majority of corporations use the COSO and/or COBIT frameworks for guidance. The COSO framework has been identified by the SEC as a methodology for achieving compliance. It defines internal control as a process designed to provide reasonable assurance of achievement of a stated objective. It is more general in its approach than COBIT and addresses the enterprise as a whole, yet includes five areas which impact the IT department:
Risk Assessment:
Identification of any risk imposed by IT systems or by outdated system documentation which may result in incompleteness or inaccuracy of financial reports.
Control Environment:
Creation of an environment which promotes personal responsibility for the success of projects. Employees should cross-train with design, implementation, quality assurance and deployment teams to better understand the entire technology lifecycle.
Control Activities:
Definition and documentation of how each finance-related IT system is used. Projects should be clearly documented with regards to security protocols, technical specifications, business requirements and related documentation. Creation of an audit trail to monitor deviations from the norm.
Monitoring:
Performance of frequent internal audits by IT staff. External auditors should conduct reviews at regular intervals, the interval length being appropriate to the level of risk.
Information and Communication:
All control-related information should be timely and accurate, ensuring that IT management can proactively identify and address areas of risk.
In comparison, COBIT is specifically focussed on IT controls and aids management in defining a strategic IT plan, defining the information architecture and acquiring the necessary IT hardware and software to execute an IT strategy. It implies that controls and security are in place to govern these processes and these activities are performed in a continuous cycle. COBIT defines four main domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.
Each domain is comprised of sub-domains, or ‘High Level Control Objectives’ (see sidebar) which describe the specific tasks needed to guide a company’s use of technology to best achieve the company’s goals and objectives.
It is inside these two guiding structures that IT management looks for solutions and takes action to ensure the company’s IT systems are supporting the SOX compliancy effort.