SOX-IT Controls

The Sarbanes-Oxley Act (SOX) is a U.S. law that was passed in 2002 to protect investors by preventing fraudulent accounting and financial practices at publicly traded companies. Its purpose is to improve the accuracy and reliability of corporate disclosures, and it brought about significant changes in corporate governance and financial reporting, including new provisions for information technology controls.

SOX IT controls seek to ensure that the systems are accurate, complete, and free from errors that impact financial reporting. IT General Controls (ITGC) and IT Application Controls (ITAC) are different but equally necessary to the organization's security and an essential part of maintaining IT Compliance.

IT GENERAL CONTROLS (ITGC)

Understanding SOX and ITGC

The first step is to understand the requirements of SOX and how ITGCs relate to them. SOX 404 emphasizes the importance of internal control over financial reporting, which includes ITGC. These controls affect the organization's financial data and its application controls.

Identify Relevant Systems and Processes

Identify all systems that store, process, or transmit financial data. This includes not only your primary accounting system but also any supplementary systems that feed data into it. These may include sales, inventory, payroll, and other systems.

Risk Assessment

Once the relevant systems are identified, perform a risk assessment to identify the risks to financial reporting in these systems. This process should help you identify where controls are needed.

Create a risk control matrix (RCM), which helps the organization identify, rank, and implement controls to mitigate risks. The RCM is used to determine the scope of, and the evidence required for, management's testing of its internal controls under SOX 404, and it is also relied on by the external auditor when issuing a formal opinion on the company's internal controls. At each step, qualitative or quantitative risk factors are applied to focus the scope of the SOX 404 assessment effort and to determine the evidence required; the risk and control matrix is central to this whole process. Internal auditors can also use the RCM when planning an internal audit project, to focus scarce audit resources on the key areas within a process.

Here are some steps to create an RCM:

  1. Identify the risks, such as financial, operational, and strategic risks.
  2. Determine the controls for each risk, such as preventive or detective controls.
  3. Rate each risk, for example as Severe, High, Moderate, Low, or Negligible.
  4. Assign ownership to each risk element. This ensures that someone is responsible for monitoring and managing each control.
  5. Review and update the risk model. The RCM is a living document and should be reviewed and updated regularly to reflect changes in your organization's operations, risk environment, or regulatory requirements.

Design and Implement ITGC

Based on the risk assessment, design and implement your ITGC. These controls generally fall into five categories:

  • Change Management Controls: These ensure that changes to in-scope IT systems are properly evaluated, prioritized, authorized, tested, approved, documented, and monitored.
  • Access Controls: These controls ensure that only authorized individuals can physically and electronically access financial systems and data.
  • Data Backup and Recovery Controls: These controls ensure that financial data can be recovered in case of system failures.
  • System Operations Controls: These controls ensure that application and system processing are monitored for successful completion and errors are corrected and resolved.
  • IT Security: These controls ensure that the organization identifies sensitive data, protects against cyberattacks, and detects security incidents. In case of an issue or incident, the company must be able to take corrective action in a timely manner.

Testing

After implementing the controls, they must be tested to ensure they are operating effectively. This can involve a combination of automated testing tools, manual testing, and review of system logs and other documentation. Both scripted and unscripted testing methodologies may be used, depending on the needs of the business.

Documentation

SOX requires extensive documentation of ITGC controls. This should include the design of each control, the risks it mitigates, the procedures for operating the control, and the results of control testing.

IT APPLICATION CONTROLS (ITAC)

  • IT applications facilitate an organization's key business processes, including finance, human resources, case management, licensing, and billing.
  • Application controls are specific to the application and relate to the transactions and data from that application. The objectives of application controls are to ensure the completeness and accuracy of records and the validity of the entries made to each record. Common application control activities include:

    • Determining whether sales orders are processed within the parameters of customer credit limits.
    • Making sure goods and services are procured with an approved purchase order.
    • Monitoring for segregation of duties.
    • Determining whether there is a three-way match between the purchase order, receiver, and vendor invoice.

ITACs are more specific than ITGCs and focus on a narrower scope of IT system function. ITACs consist of three types of control:

  • Input and access controls.
  • Processing controls.
  • Output controls.
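As an added illustration (not code from the article or from Compliance Group), here are the control activities listed above expressed as application-level checks over constructed purchase-to-pay records: an input control (customer credit limit), a processing control (three-way match) and a detective control (segregation of duties). The record fields, user names and the amount tolerance are assumptions, not a real ERP schema.

```python
from dataclasses import dataclass

# Constructed record types for illustration; field names are assumptions.
@dataclass
class PurchaseOrder:
    po_id: str
    vendor: str
    amount: float
    approved_by: str

@dataclass
class GoodsReceipt:
    po_id: str
    amount: float
    received_by: str

@dataclass
class VendorInvoice:
    po_id: str
    vendor: str
    amount: float

def within_credit_limit(order_amount, open_balance, credit_limit):
    """Input control: a sales order must not push the customer over its credit limit."""
    return order_amount + open_balance <= credit_limit

def three_way_match(po, receipt, invoice, tolerance=0.01):
    """Processing control: PO, goods receipt and vendor invoice must agree on
    PO number, vendor and amount (within the tolerance). Returns the exceptions."""
    issues = []
    if not (po.po_id == receipt.po_id == invoice.po_id):
        issues.append("PO number mismatch")
    if po.vendor != invoice.vendor:
        issues.append("vendor mismatch")
    if abs(po.amount - receipt.amount) > tolerance:
        issues.append("receipt amount differs from PO")
    if abs(po.amount - invoice.amount) > tolerance:
        issues.append("invoice amount differs from PO")
    return issues

def segregation_of_duties(po, receipt, paid_by):
    """Detective control: no single user may approve the PO, receive the goods
    and release payment. Returns {user: [duties]} for users holding more than one."""
    duties = {"approve": po.approved_by, "receive": receipt.received_by, "pay": paid_by}
    held = {}
    for duty, user in duties.items():
        held.setdefault(user, []).append(duty)
    return {user: d for user, d in held.items() if len(d) > 1}
```

Each function returns the exception rather than raising, so the results can be logged as control evidence for the testing and documentation steps described above.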

Continuous Monitoring and Improvement

SOX compliance is not a one-time event but an ongoing process. IT controls should be regularly reviewed and updated to address new risks and changes in the IT environment. This involves regular audits, either internal or external, to ensure compliance.

Here at Compliance Group, we're dedicated to helping you achieve frictionless quality by incorporating your SOX controls into an integrated SDLC framework. To find out more about how our consulting experts can help, email us at sales@complianceg.com.

AUTHOR:

Ramya Koppolu
Sr. Validation Lead, Validation & Compliance