Section 404, which stipulates company management must demonstrate control over financial reporting, is arguably the most significant part of the legislation -- affecting companies with year-ends beginning on or after November 15, 2004.
Of particular concern to IT is one of the four IT General Control objectives specified by the U.S. Public Company Accounting Oversight Board (PCAOB), Access to Programs and Data.
Today, a company's financial reports summarize processes supported by enterprise systems and applications running on sophisticated servers databases and networks. IT processes and controls that are integral to that framework need to satisfy the broader requirements of SOX.
However, many IT organizations lack these controls and most do not have the means to document them or their effectiveness on an ongoing basis.
If this is the case with your company, you must gain a clear understanding of the control framework established by the IT Governance Institute (ITGI).
The ITGI established this framework in collaboration with external auditors and drew from the Securities and Exchange Commission (SEC) and the PCAOB guidelines. The framework also incorporates elements of frameworks such as COSO, IT-specific methodologies such as CobiT, ISO17799, and the Information Technology Infrastructure Library (ITIL).
According to the ITGI, key requirements for implementing PCAOB IT General Controls include:
Programs and Data Controls
For many IT organizations, achieving compliance and implementing controls has been difficult.
According to a September 2004 study conducted by Ernst & Young's Technology and Security Risk Services, the two issues causing the largest number of Section 404 audit exceptions and remediation projects are: lack of application of segregation of duty controls, and excessive and/or improper user access to applications, servers and data.
Most IT organizations' application infrastructure is decentralized at the application system and application environment levels. So it is not surprising that these organizations struggle to manage access rights and create segregation of duty business rules -- often for as many as 100 business applications and related environments.
Increasing this complexity is a transient workforce where new hires, transfers, and terminations occur daily. Similarly, the universe of applications impacted by SOX is evolving as old systems are retired, new ones are brought on-line, and application modules and functional roles change.
Preparation and Compliance
To prepare for and comply with SOX requirements and PCAOB IT General Control objectives, companies must document IT processes that support financial reporting -- implementing and testing controls to protect the integrity of applications and infrastructure.
For some companies, documenting existing processes may be adequate to pass the initial audit. For most publicly-held corporations, though, automated software systems will be required.
The intent of the SOX IT audit is to verify that processes and controls are in place and consistently followed. Manual, paper-based solutions are unlikely to be sufficient on an ongoing basis. In the case of large or geographically dispersed organizations, auditors generally probe more intensively for proof of adequate controls and consistently followed processes.
To comply with Section 404 and implement PCAOB's Access to Programs and Data controls, IT leaders must:
Automation is Key
User access rights and procedures should be standardized and enforced. Compliance and controls can be automated with a self-service provisioning process. With an automated process, the appropriate employees are given access to the right applications and data; and when an employee's functional role or authorization changes, access to those systems is automatically and immediately adjusted.
This automation not only formalizes and ensures control over your application security processes, but it also generates a complete audit trail that demonstrates these processes were followed; a single source where application access and related controls can be tracked to monitor compliance.
Finally, it enables ongoing accountability and a framework to drive future information security and compliance initiatives.
Indeed, the requirements for internal controls continue beyond the initial Section 404 filing: IT organizations must prepare for future compliance after the first successful attestation and filing.
Unlike previous event-driven control activities such as Y2K, SOX will become part of doing business and IT will continue to have an important role in internal control over financial reporting. Organizations must develop an ongoing compliance monitoring process, because the full impact of SOX will not be known for several years.
Bill Fine is vice president of Professional Services at newScale, a vendor of service delivery management software. Prior to joining newScale, Fine was the President and COO of Business Design Associates, a process design and web integration consultancy, with operations throughout the Americas and Europe. More information about newScale can be found at www.newscale.com.