The United States Congress passed the Sarbanes-Oxley Act (SOX) in 2002 to impose regulations on publicly traded companies. The legislation followed a series of accounting scandals at public companies such as WorldCom and Enron Corporation, which contributed to a stock market decline before the 2002 elections. Congress passed it to compel accountability from management and boards of directors for financial reporting. Because financial reporting now depends on information technology, the Act's practical reach became broader and more complex than originally intended.
The Act's provisions span several areas. Its requirements on corporate responsibility and governance raise information security concerns, because the systems that produce and store financial data must themselves be controlled for the reports to be trustworthy. Complying with SOX can be overwhelming for an organization, so SOX testing should focus on the areas that are crucial to your organization's financial reporting.
SOX created the Public Company Accounting Oversight Board (PCAOB) and placed limits on public accounting firms, including auditor independence requirements. Because IT systems are now part of the financial reporting process, the PCAOB's auditing standards include review of IT controls as part of the assessment of internal control over financial reporting.
The PCAOB's auditing requirements emphasize a risk-based, individualized approach to selecting which controls to test. SOX therefore remains tailored to each organization, unlike prescriptive standards such as ISO 27001 or PCI DSS, which enumerate specific required controls.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) created the COSO Internal Control framework, whose five components are the control environment, risk assessment, control activities, information and communication, and monitoring activities. In 2017, COSO updated its separate enterprise risk management (ERM) framework to respond to changes in the risk environment.
The committee intended the update to help companies align strategy and performance with the risks they face. COSO and its framework are the lynchpin of any SOX compliance program, and assessing an organization against the COSO components gives insight into the state of its compliance process.
The first step toward SOX compliance is performing a risk review of the organization's IT general controls (ITGC): access to programs and data, program changes, program development, and computer operations. Performing an appropriate risk review requires the organization to first define the objective of the assessment. Controls should then be assessed in terms of confidentiality, integrity, and availability against the organization's defined risk criteria; for SOX specifically, the integrity of financial data is the primary concern.
Establishing internal controls begins with a review of the organization's structure. Not all parts of an organization need to comply with SOX, so organizations should focus on high-risk areas to make building the program tractable. They must identify the areas of their IT landscape that carry significant financial reporting risk and develop distinct controls to mitigate the risks identified.
Setting meaningful control objectives means building control awareness: recognizing how the controls work, why they matter, and how they fit the end goal. Executives should therefore acknowledge that SOX reviews matter to the organization's financial success; otherwise the internal controls become a paper exercise.
Documentation is therefore important. Management must be able to justify its decision to accept, transfer, mitigate, or avoid each risk, and must understand the effect of those control choices on the organization's financial and reputational risk.
Before compliance work can begin, risks must be identified and controls established. Effective compliance is then about collecting evidence that the controls work. Controls whose failure could cause errors in financial reports should be tested more rigorously and documented more thoroughly. Consistent review of access controls becomes overwhelming as a firm grows: an assessment that is convenient for 100 employees becomes difficult at 1,000.
Automated role-based access control gives a company a degree of assurance that employees have only the access they need to do their job. It only delivers that assurance if the role definitions themselves are reviewed, since a role that bundles conflicting duties (such as creating vendors and releasing payments) defeats the purpose. A single access control may also not adequately mitigate risk for important information; additional controls, such as multi-factor authentication for privileged access, may be vital. These controls and their testing need documentation that internal stakeholders share across the firm.
The auditing process needs a consistent flow of information and documentation between all stakeholders. Various SaaS platforms give an organization tools to track SOX audit progress as tests are being run.
These programs let a firm map its controls across multiple frameworks, so that one tested control can serve several requirements consistently. This capability offers valuable insight for firms that want to meet additional compliance requirements that their state or coun.
External auditors need evidence that a firm has tested its controls, organized in a single, easily accessible location. Programs that provide a single source of evidence simplify audit data collection and reduce compliance friction across the board.