SOX-IT Controls
Author: Ramya Koppolu

Article Context:
The Sarbanes-Oxley Act (SOX) is a U.S. law passed in 2002 to protect investors by preventing fraudulent accounting and financial practices at publicly traded companies. The law, whose purpose is to improve the accuracy and reliability of corporate disclosures, brought about significant changes in corporate governance and financial reporting, including new provisions for information technology controls.
SOX IT controls seek to ensure that systems are accurate, complete, and free from errors that affect financial reporting. IT General Controls (ITGC) and IT Application Controls (ITAC) are different but equally necessary to the organization's security and are an essential part of maintaining IT compliance.
IT GENERAL CONTROLS (ITGC)
Understanding SOX and ITGC
The first step is to understand the requirements of SOX and how ITGCs relate to them. SOX Section 404 emphasizes internal control over financial reporting, which includes ITGC. These controls affect the integrity of the organization's financial data and underpin its application controls.
Identify Relevant Systems and Processes
Identify all systems that store, process, or transmit financial data. This includes not only your primary accounting system but also any supplementary systems that feed data into it. These may include sales, inventory, payroll, and other systems.
Risk Assessment
Once the relevant systems are identified, perform a risk assessment to identify the risks to financial reporting in these systems. This process should help you identify where controls are needed.
Create a risk control matrix (RCM), which helps the organization identify, rank, and implement controls to mitigate risks. The RCM is used to determine the scope of, and the evidence required for, management's testing of its internal controls under SOX 404, and the external auditor uses it when issuing a formal opinion on the company's internal controls. At each step, qualitative or quantitative risk factors are applied to focus the scope of the SOX 404 assessment effort and to determine the evidence required, so the risk and control matrix is central to the whole process. Internal auditors can also use it when planning an internal audit project to focus scarce audit resources on the key areas within a process.
Here are some steps to create an RCM:
- Identify the risks like financial risk, operational risk, and strategic risk.
- Determine the risk controls like preventive controls or detective controls.
- Rate each risk (e.g. Severe, High, Moderate, Low, or Negligible).
- Assign ownership to risk elements. This ensures that someone is responsible for monitoring and managing each control.
- Review and update the risk model. The RCM is a living document and should be reviewed and updated regularly to reflect changes in your organization's operations, risk environment, or regulatory requirements.
Design and Implement ITGC
Based on the risk assessment, design and implement your ITGC. These controls generally fall into five categories:
- Change Management Controls: These ensure that changes to in-scope IT systems are properly evaluated, prioritized, authorized, tested, approved, documented and monitored.
- Access Controls: These controls ensure that only authorized individuals can physically and electronically access financial systems and data.
- Data Backup and Recovery Controls: These controls ensure that financial data can be recovered in case of system failures.
- System Operations Controls: These controls ensure that application and system processing is monitored for successful completion and that errors are corrected and resolved.
- IT Security: These controls ensure that the organization identifies sensitive data, protects against cyberattacks, and detects security incidents. In case of an issue or incident, the company must be able to take corrective action in a timely manner.
Testing
After implementing the controls, they must be tested to ensure they are operating effectively. This can involve a combination of automated testing tools, manual testing, and review of system logs and other documentation. Both scripted and unscripted testing methodologies may be used depending on the needs of the business.
Documentation
SOX requires extensive documentation of ITGC controls. This should include the design of each control, the risks it mitigates, the procedures for operating the control, and the results of control testing.
IT APPLICATION CONTROLS (ITAC)
- IT applications facilitate an organization's key business processes, including finance, human resources, case management, licensing, and billing.
- Application controls are specific to the application and relate to the transactions and data from that application. The objectives of application controls are to ensure the completeness and accuracy of records and the validity of the entries made to each record. Common application control activities include:
  - Determining whether sales orders are processed within the parameters of customer credit limits.
  - Making sure goods and services are procured with an approved purchase order.
  - Monitoring for segregation of duties.
  - Determining whether there is a three-way match between the purchase order, receiver, and vendor invoice.
ITACs are more specific than ITGCs and focus on a narrower scope of IT system function. ITACs consist of three methods of control:
- Input and access controls.
- Processing controls.
- Output controls.
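The application control activities above map naturally onto input, processing and output checks. The following is an added example written for this page (not code from the article or from Compliance Group) that runs those checks over constructed sample data: a credit-limit check on a sales order (input control), an approved-PO check and a three-way match of purchase order, receipt and invoice (processing controls), and an exceptions report for a reviewer (output control). The record layouts, field names, role of the `approved_by` field and the 2 % price tolerance are assumptions made for the example.

```python
"""IT application control checks over constructed sample data.

Added illustration for the ITAC section; not code from the article.
Record layouts, field names and the price tolerance are assumptions.
"""
from decimal import Decimal

# Constructed master data: customer credit limits and current open balances.
CREDIT_LIMITS = {"C001": Decimal("10000.00"), "C002": Decimal("2500.00")}
OPEN_BALANCES = {"C001": Decimal("8500.00"), "C002": Decimal("0.00")}

# Constructed purchase orders; approved_by is None when no approval was recorded.
APPROVED_POS = {
    "PO-100": {"vendor": "V1", "qty": 10, "unit_price": Decimal("50.00"), "approved_by": "mgr1"},
    "PO-101": {"vendor": "V2", "qty": 5, "unit_price": Decimal("200.00"), "approved_by": None},
}
# Constructed goods-receipt quantities per purchase order.
RECEIPTS = {"PO-100": 10, "PO-101": 5}
PRICE_TOLERANCE = Decimal("0.02")  # assumed 2 % tolerance on unit price variance

# Constructed vendor invoices to be matched.
SAMPLE_INVOICES = [
    {"id": "INV-1", "po": "PO-100", "vendor": "V1", "qty": 10, "unit_price": Decimal("50.50")},
    {"id": "INV-2", "po": "PO-101", "vendor": "V2", "qty": 5, "unit_price": Decimal("200.00")},
    {"id": "INV-3", "po": "PO-100", "vendor": "V1", "qty": 12, "unit_price": Decimal("60.00")},
    {"id": "INV-4", "po": "PO-999", "vendor": "V9", "qty": 1, "unit_price": Decimal("1.00")},
]


def check_credit_limit(customer, order_total):
    """Input control: block a sales order that would push the customer over its limit."""
    limit = CREDIT_LIMITS.get(customer)
    if limit is None:
        return False, "unknown customer"
    exposure = OPEN_BALANCES.get(customer, Decimal("0")) + order_total
    if exposure > limit:
        return False, f"exposure {exposure} exceeds credit limit {limit}"
    return True, "ok"


def check_invoice(invoice):
    """Processing control: require an approved PO and a three-way match.

    Returns a list of exception messages; an empty list means the invoice matched.
    """
    exceptions = []
    po = APPROVED_POS.get(invoice["po"])
    if po is None:
        return ["no purchase order on file"]
    if po["approved_by"] is None:
        exceptions.append("purchase order not approved")
    if po["vendor"] != invoice["vendor"]:
        exceptions.append("vendor differs from purchase order")
    received = RECEIPTS.get(invoice["po"], 0)
    if invoice["qty"] > received:
        exceptions.append(f"invoiced qty {invoice['qty']} exceeds received qty {received}")
    if invoice["qty"] > po["qty"]:
        exceptions.append(f"invoiced qty {invoice['qty']} exceeds ordered qty {po['qty']}")
    if abs(invoice["unit_price"] - po["unit_price"]) > po["unit_price"] * PRICE_TOLERANCE:
        exceptions.append(
            f"unit price {invoice['unit_price']} outside tolerance of PO price {po['unit_price']}"
        )
    return exceptions


def exceptions_report(invoices):
    """Output control: list only invoices with exceptions, for a reviewer to clear."""
    report = {}
    for inv in invoices:
        problems = check_invoice(inv)
        if problems:
            report[inv["id"]] = problems
    return report


if __name__ == "__main__":
    print(check_credit_limit("C001", Decimal("2000.00")))
    for inv_id, problems in exceptions_report(SAMPLE_INVOICES).items():
        print(inv_id, "->", "; ".join(problems))
```

Every check returns its result rather than printing it, so the same functions can run inside the application at transaction time (preventive) or over a batch extract after the fact (detective), and the exceptions report is the evidence an auditor would expect to see retained.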
Continuous Monitoring and Improvement
SOX compliance is not a one-time event but an ongoing process. IT controls should be regularly reviewed and updated to address new risks and changes in the IT environment. This involves regular audits, either internal or external, to ensure compliance.
Here at Compliance Group, we're dedicated to helping you achieve frictionless quality by incorporating your SOX controls into an integrated SDLC framework. To find out more about how our consulting experts can help, email us at sales@complianceg.com.
FAQs
What are examples of IT General Controls (ITGCs) under SOX?
ITGCs under SOX cover several critical areas. Access controls ensure that financial systems can only be entered by authorized users. Change management controls govern software updates to prevent unauthorized changes. Program development controls apply to new application development. Lastly, computer operations controls cover data backups and disaster recovery planning. Together these controls form the basis for accurate financial reporting by ensuring that the underlying IT infrastructure is secure and reliable.
How should IT access controls be designed for SOX compliance?
IT access controls for SOX compliance must follow the principle of least privilege, meaning users receive only the access needed to perform their job functions. The design must include strong password policies and multi-factor authentication. Access should be reviewed regularly to remove the permissions of former employees and of users whose roles have changed. Segregation of duties has to be strictly enforced to prevent a single person from obtaining full control over a financial process.
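The periodic access review described above is routine enough to automate. The following is an added example for this page (not code from the article or from Compliance Group) that runs three review checks over a constructed entitlement export: users holding a segregation-of-duties conflict, accounts whose owner is terminated or unknown to HR, and accounts dormant beyond a threshold. The role names, the rule set, the review date and the 90-day dormancy threshold are assumptions made for the example.

```python
"""Periodic access review checks for SOX access controls.

Added example for this page; not code from the article. The HR roster,
entitlement export, SoD rules and thresholds are constructed for illustration.
"""
from datetime import date

REVIEW_DATE = date(2024, 6, 30)  # assumed date the review is performed
DORMANCY_DAYS = 90               # assumed threshold for an unused account

# Constructed HR roster: status of each employee as of the review date.
HR_ROSTER = {
    "alice": "active",
    "bob": "terminated",
    "carol": "active",
    "dave": "active",
}

# Constructed entitlement export from the financial application:
# user -> (set of roles held, date of last login).
ENTITLEMENTS = {
    "alice": ({"AP_CREATE_VENDOR", "AP_ENTER_INVOICE"}, date(2024, 6, 28)),
    "bob": ({"GL_POST_JOURNAL"}, date(2024, 2, 1)),
    "carol": ({"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}, date(2024, 6, 29)),
    "dave": ({"GL_VIEW_REPORTS"}, date(2024, 1, 15)),
    # service account with no HR record and therefore no named owner
    "svc_batch": ({"GL_POST_JOURNAL", "GL_APPROVE_JOURNAL"}, date(2024, 6, 30)),
}

# Constructed segregation-of-duties rules: role pairs one person must not hold together.
SOD_RULES = [
    frozenset({"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}),
    frozenset({"GL_POST_JOURNAL", "GL_APPROVE_JOURNAL"}),
    frozenset({"AP_ENTER_INVOICE", "AP_APPROVE_PAYMENT"}),
]


def sod_conflicts(entitlements, rules):
    """Return {user: [conflicting role pairs]} for every user holding a toxic combination."""
    conflicts = {}
    for user, (roles, _) in entitlements.items():
        hits = [tuple(sorted(rule)) for rule in rules if rule <= roles]
        if hits:
            conflicts[user] = hits
    return conflicts


def orphaned_accounts(entitlements, roster):
    """Accounts whose owner is not an active employee (terminated or absent from HR)."""
    return sorted(user for user in entitlements if roster.get(user) != "active")


def dormant_accounts(entitlements, as_of=REVIEW_DATE, threshold=DORMANCY_DAYS):
    """Accounts not used within the threshold; least privilege says they should go."""
    return sorted(
        user for user, (_, last_login) in entitlements.items()
        if (as_of - last_login).days > threshold
    )


def review_findings():
    """Compile the three checks into one set of findings for the reviewer to sign off."""
    return {
        "sod_conflicts": sod_conflicts(ENTITLEMENTS, SOD_RULES),
        "orphaned": orphaned_accounts(ENTITLEMENTS, HR_ROSTER),
        "dormant": dormant_accounts(ENTITLEMENTS),
    }


if __name__ == "__main__":
    for finding, detail in review_findings().items():
        print(f"{finding}: {detail}")
```

Note that the service account surfaces in the orphaned list because it has no HR record: that is deliberate, since an account with no accountable owner is itself a finding, and one that also carries a post-and-approve combination is exactly the kind of gap a reviewer must resolve before signing off.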
What best practices improve SOX IT control effectiveness?
SOX IT control best practices include automated control monitoring to eliminate manual testing; regular internal audits to identify weaknesses before the year-end review; documentation of control activities so that evidence is available at audit time; and training for staff on their responsibilities under SOX. Integrating SOX compliance into the software development lifecycle and maintaining a positive relationship with the auditors are also good practices.
What happens if an IT control fails during a SOX audit?
When an IT control fails during a SOX audit, the first step is to classify the problem: it may be a control deficiency, a significant deficiency, or a material weakness. Management must establish a plan to address the problem, and additional testing of the financial statements may have to be conducted. A material weakness can have legal consequences and damage investor perception.
How does SOX impact third-party IT systems?
SOX requires that third-party IT systems a company uses for financial reporting are also compliant. Companies should evaluate the controls of their service providers, often by reviewing SOC 1 or SOC 2 reports, to confirm that a vendor maintains proper security and data integrity. If a third party does not have adequate controls, this presents a compliance risk, so thorough vendor risk management is necessary.

Author:
Ramya Koppolu - Sr. Validation Lead - Validation & Compliance
Ramya Koppolu is an experienced validation professional with a strong background in quality, regulatory compliance, and IT risk management across the life sciences industry. She has led key validation initiatives and consistently delivers high-quality, audit-ready solutions in regulated environments.