The Sarbanes-Oxley (SOX) Act of 2002 serves an important purpose—preventing the type of devastating fraud many investors experienced in the Enron scandal. Unfortunately, getting compliant is a long, complex process.
Let’s face it, SOX compliance isn’t exactly fun. It’s time consuming, expensive, and the prospect of your publicly-traded company failing its SOX testing is enough to keep you up at night.
As IT consultants, we deal with the IT side of SOX—what are called “IT General Controls,” or ITGC.
In today’s WOOF, let’s talk about the good these ITGCs do for a business, from the IT department to the whole organization.
#1 – Security-Focused Standard Operating Procedures for IT
At its core, SOX is about documenting who can do what.
- Who can access the server room (Physical Controls).
- Who can access the servers via remote login (Logical Controls).
- Who has authorized access? Who can grant access? To which resources?
- What procedures to follow for IT management & cybersecurity.
Once done, you have standard operating procedures that make sure your officers and employees have the IT access they need to do their jobs, and nothing more.
SOX also mandates documentation of the IT procedures used while onboarding/offboarding employees. These procedures help maintain IT security, provide records to verify who had access to a server if a breach occurs, and create a hierarchy for approvals to help identify appropriate access levels for company data.
#2 – Solid Backup Procedures in Place
SOX requires accessible backups, both to ensure business continuity, and in case federal regulators need to examine past records. We cannot emphasize strongly enough how important good backups are to SOX compliance.
Not only do you need to set up reliable backups, but also put procedures in place to maintain those backups. Answers to all of the following must be in company documentation:
- What’s the procedure for restoring backups?
- What happens if a backup fails – is it rescheduled? Re-run automatically? Who’s notified?
- What security is in place around critical data?
- Are backups tested on a routine basis, to make sure you can successfully restore data later?
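The last question on that list is the one most often answered with a shrug, so here is what a routine restore test can look like in practice. This is an added example, not code from the original post or the consultancy that wrote it. It backs up a constructed set of sample finance files into a tar.gz, records a SHA-256 manifest at backup time, then proves the archive restorable by extracting into a scratch directory and checking every file against the manifest. The directory names, file contents and the "silently skipped file" failure scenario are all constructed for illustration.

```python
"""Restore test for a backup archive with a SHA-256 manifest.

Added example (not from the original post). The sample files and the
failure scenario in run_demo() are constructed for illustration.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large backups never load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_archive(source_dir, archive_path):
    """Pack every file under source_dir into a tar.gz; return the relative paths packed."""
    source_dir = Path(source_dir)
    packed = []
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                tar.add(str(p), arcname=rel)
                packed.append(rel)
    return packed


def write_manifest(source_dir, manifest_path):
    """Record the expected SHA-256 of every source file at backup time."""
    source_dir = Path(source_dir)
    manifest = {p.relative_to(source_dir).as_posix(): sha256_of(p)
                for p in sorted(source_dir.rglob("*")) if p.is_file()}
    Path(manifest_path).write_text(json.dumps(manifest, indent=1))
    return manifest


def restore_test(archive_path, manifest_path):
    """Restore into a scratch directory and compare each file to the manifest.

    Returns a list of problems; an empty list means the restore test passed.
    A non-empty list is the signal a failure-notification procedure should key on.
    """
    manifest = json.loads(Path(manifest_path).read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            # Use the 'data' filter where the interpreter supports it, so an
            # archive containing absolute paths or '..' entries is refused.
            if hasattr(tarfile, "data_filter"):
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        for rel, expected in manifest.items():
            target = Path(scratch) / rel
            if not target.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_of(target) != expected:
                problems.append(f"checksum mismatch: {rel}")
    return problems


def run_demo():
    """Constructed scenario: a good backup passes; a backup job that silently
    skipped one file after the manifest was taken fails with a 'missing' finding."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "finance"
        (src / "ledgers").mkdir(parents=True)
        (src / "ledgers" / "gl-2016.csv").write_text("acct,amount\n1000,42.00\n")
        (src / "vendors.json").write_text('{"v1": "Acme"}\n')

        archive = work / "finance.tar.gz"
        manifest = work / "finance.manifest.json"
        write_manifest(src, manifest)
        write_archive(src, archive)
        good = restore_test(archive, manifest)

        # Simulate a backup job that lost a file between manifest and archive.
        (src / "vendors.json").unlink()
        write_archive(src, archive)
        bad = restore_test(archive, manifest)
    return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print("healthy backup problems:", good)
    print("degraded backup problems:", bad)
```

The manifest is written from the source tree rather than from the archive on purpose: verifying an archive against hashes computed from the archive itself would only prove the archive is internally consistent, not that it captured everything that was supposed to be backed up. Scheduling `restore_test` to run after every backup job, and treating a non-empty result as the trigger for the notification and re-run steps the documentation describes, turns the "are backups tested?" question into a recorded answer.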
The good news: once you have all of these covered, you have the peace of mind that only solid backups can bring.
#3 – Minimized Chance of Fraud
Let’s picture a scenario. Say you’re a SOX expert checking through a business’ access levels. You find that the business’ CFO can:
- Add a vendor to the ERP system
- Issue projects for that vendor
- Cut checks to that vendor
Sounds efficient, right? It is…but it’s also a fraud risk.
To avoid any abuse of power, the business must divide the capabilities listed above; one person (even the CFO) can’t hold all of them. In IT this is closely related to the “Principle of Least Privilege”; in the SOX world it’s called SOD, or Segregation of Duties. Users only get the minimum level of access needed to do their job.
In this scenario, the responsibility for cutting checks should belong to another Finance employee. That way, the likelihood of fraud is reduced.
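The CFO scenario is easy to spot by eye; across hundreds of ERP users it is not, so SOD reviews are usually run as a toxic-combination check over an exported access matrix. The following is an added example, not code from the original post. The user names, permission strings and conflict rules are constructed for illustration; a real review would load them from the ERP's role export and from the company's documented SOD matrix.

```python
"""Segregation-of-duties check over an access matrix.

Added example (not from the original post). ACCESS_MATRIX and SOD_RULES
are constructed sample data standing in for an ERP role export.
"""

# Constructed sample: which ERP permissions each user currently holds.
ACCESS_MATRIX = {
    "cfo":        {"vendor.create", "project.issue", "payment.issue"},
    "ap_clerk":   {"payment.issue"},
    "purchasing": {"vendor.create", "project.issue"},
    "auditor":    {"report.read"},
}

# Constructed conflict rules: permission sets that must never sit with one
# person, because together they let a single user create a vendor and pay it
# without anyone else's involvement.
SOD_RULES = [
    ("vendor-to-payment", {"vendor.create", "payment.issue"}),
    ("project-to-payment", {"project.issue", "payment.issue"}),
]


def find_sod_conflicts(matrix, rules):
    """Return {user: [rule_name, ...]} for every user whose permissions
    contain all members of at least one conflicting set."""
    conflicts = {}
    for user, perms in matrix.items():
        hits = [name for name, toxic in rules if toxic <= perms]
        if hits:
            conflicts[user] = hits
    return conflicts


def suggest_split(perms, rules):
    """Propose the single permission to move to another person so that no
    rule fires for this user: the one appearing in the most violated rules.
    Returns None when the user is already clean."""
    violated = [toxic for _, toxic in rules if toxic <= perms]
    if not violated:
        return None
    counts = {}
    for toxic in violated:
        for p in toxic:
            counts[p] = counts.get(p, 0) + 1
    # Sort first so ties resolve deterministically between review runs.
    return max(sorted(counts), key=counts.__getitem__)


def remediate(matrix, rules, user, new_owner):
    """Return a copy of the matrix with the suggested permission moved from
    `user` to `new_owner`, then re-check that the move introduced no new conflict."""
    fixed = {u: set(p) for u, p in matrix.items()}
    moved = suggest_split(fixed[user], rules)
    if moved is None:
        return fixed
    fixed[user].discard(moved)
    fixed.setdefault(new_owner, set()).add(moved)
    if new_owner in find_sod_conflicts(fixed, rules):
        raise ValueError(f"moving {moved} to {new_owner} creates a new SOD conflict")
    return fixed


if __name__ == "__main__":
    for user, hits in find_sod_conflicts(ACCESS_MATRIX, SOD_RULES).items():
        print(f"{user}: violates {hits}; move {suggest_split(ACCESS_MATRIX[user], SOD_RULES)}")
    clean = remediate(ACCESS_MATRIX, SOD_RULES, "cfo", "ap_clerk")
    print("conflicts after remediation:", find_sod_conflicts(clean, SOD_RULES))
```

Run against the sample data, the check flags only the CFO, and `suggest_split` picks `payment.issue` because cutting checks is the one capability shared by both violated rules, which matches the article's conclusion that check-cutting should move to another Finance employee. `remediate` re-runs the check on the receiving user so a fix for one person does not quietly create the same toxic combination for another.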
#4 – Checks & Balances Shared between Finance and IT
SOX makes the IT Department take a step back from day-to-day support work. In order to meet SOX 404 requirements, IT must take on a more supervisory role over Finance systems.
This isn’t a huge stretch. It merely involves monitoring Finance’s activity, limiting their access to protected data, and exercising oversight on business IT systems.
Which financial apps are approved for use? How are they secured? Who has access to them? At what levels? These are all questions IT has to answer for Finance.
Finance, in turn, verifies that IT’s purchases align with its stated objectives. This creates mutual accountability between the two departments.
#5 – A Business Focused on What Matters
Here’s a funny result: SOX can complicate a process to the point where it narrows a business’ focus!
SOX creates an environment where people must ask, “Do we need to spend the time to do Project X? Is it really necessary?”
If you have to call up IT and ask for X, they have to open a project, get approval from the IT Steering Committee, document it, etc. Lots of time-consuming work.
(An IT Steering Committee reviews, monitors and prioritizes major IT projects from a cross-functional perspective. The IT Steering Committee helps ensure that the IT strategy aligns with the company’s business goals.)
Complying with SOX forces consideration of which projects are truly needed. Each project has to pass inspection by others and fit the company’s big-picture objectives. Unless a project is REALLY worth it, SOX will weed out a bunch of unnecessary busy-work.
SOX = Hard Look at Your Business as a Whole, But You Come Out Stronger in the End.
SOX demands a hard look at your IT (and financial) processes. Once you take that hard look, and make the needed changes, you’re left with:
- A more secure business
- A sharper-focused business
That’s the kind of improvement SOX compliance provides.
Many private companies can benefit from the premises of Sarbanes-Oxley, not just huge enterprises. These are common-sense tenets of running a successful business, and an organization that isn’t required to comply can implement and maintain them far less expensively.
Have an IT question you’d like us to tackle in 2017? Email us at firstname.lastname@example.org and we’ll put it on the WOOF! topics list.