Remember the corporate accounting scandals that took out Enron, Arthur Andersen and WorldCom? They all ended with prison sentences, layoffs, and billions of investor dollars lost forever.
The Sarbanes-Oxley Act of 2002 (SOX) is meant to increase company security and prevent accounting scandals like these from happening again.
How? By establishing strong and transparent internal control over financial reporting (ICFR). Any American or overseas public company that has registered with the Securities and Exchange Commission (SEC) must demonstrate SOX compliance. Same goes for any company providing financial services to any of these firms. According to CFO.com, more than half of the larger companies registered with the SEC will pay $1 million or more to achieve SOX compliance.
What part of this is relevant to you as an IT pro? In 2007, the SEC issued SOX compliance guidance clarifying the IT team's responsibilities: to identify the company's biggest priorities when reporting financial risk, sometimes with help from auditors. Your role, then, is to support the processes that minimize all identified risks. The most pertinent sections of SOX for IT teams are 302, 404, 409 and 802. Here is what they mean for you:
SOX Section 302: Keep Execs in the Loop
SOX requires the CEO and CFO to vouch for the accuracy of a company's financial statements. They need to attest that they've evaluated ICFR within 90 days of certifying the financial results.
The IT team's role is to deliver real-time reporting on their internal controls as they apply to SOX compliance. This requires automating tasks like testing, evidence-gathering, and reporting on remediation efforts. Reporting should be delivered in both auditor- and executive-friendly language.
SOX Section 404: Establish Controls to Support Accurate Financial Reporting
According to SOX, all businesses should have internal controls in place for accurate and transparent financial reporting. An external auditor should review these controls every year, assessing how well businesses document, test, and maintain those internal controls.
The IT team's role here is to identify key IT systems and processes involved in initiating, authorizing, processing and summarizing financial information. This material usually involves security, application testing, the verification of software integrations, and automated process testing. The goal is to ensure all procedures support the accurate and complete transmission of financial data while keeping asset-bearing accounts secure from unauthorized access.
SOX Section 409: Deliver Timely Disclosure
Certain events — like mergers and acquisitions, bankruptcy, the dissolution of a major supplier or a crippling data breach — can significantly shift a company's fiscal prospects. SOX compliance mandates the timely disclosure of any information that could affect a public company's financial performance.
The IT team's role is to support SOX compliance software that uses alert mechanisms that could trigger this timely disclosure requirement, as well as mechanisms for quickly informing shareholders and regulators of any changes in the company financial statement.
SOX Section 802: Ensure Records Retention
Today's SMBs keep both paper and electronic copies of sensitive records when bookkeeping. Spreadsheets on an end user's computer, email messages, IMs, recorded calls discussing money, financial transactions — all of these have to be preserved and made available to auditors for at least five years.
The IT team's role in SOX compliance to preserve these records with internal automated backup processes and ensure the proper function of document management systems (which may or may not include an archive of email and related unified-communications content). IT pros also have the organization control to maintain the availability of these records as they migrate to new technologies, such as from old tape-based systems to cloud backup.
Making Audits Go Smoothly
The Unified Compliance Framework (UCF) aggregates requirements from big regulations like SOX, HIPAA and PCI DSS, along with requirements from federal and state laws. With UCF, the IT team can adopt a set of controls to satisfy multiple regulations.
Network Frontiers, which manages UCF, keeps it up to date, which is a huge time saver for your team. Ron Markham, co-founder of Intreis and former CIO for IBM's Software Group-Business Analytics, used UCF to cut IBM's audit time to two weeks and reduce audit-related costs by 80 percent.
In addition to what Markham calls his "test once, comply many" approach, Markham recommends a unifying platform that automates workflows. The solution should integrate a configuration management database (CMDB) and serve as IT's system of record.
Documenting processes and packaging them in a way that's easy to audit, both for management and outside auditors, prevents frantic pre-audit scrambling. It also saves those most precious of resources: time and money.
The COSO Framework
Similarly, the Committee of Sponsoring Organizations of the Treadway Commission (COSO)'s five framework components work to create an effective internal control system. You can use the five components of the COSO framework to help your team create a foundation for internal organizational control through, "directed leadership, shared values and a culture that emphasizes accountability for control." COSO also advocates for a risk-based approach that frequently identifies and assesses risk at all levels of the company.
The COBIT Framework
Another tool for an effective internal control system is the COBIT framework, which combines compliance with internal control requirements such as SOX, technical issues, and awareness of business risks. COBIT also helps companies to increase value gained from IT teams, as well as simplifies implementation for a successful IT corporate governance throughout an organization.
Your team role to simplify the auditing process through documentation and packaging, as well as supporting systems that minimize risk, is vital to SOX compliance and to preventing accounting oversight in your company.