The law was enacted as a reaction to a series of large bankruptcies. The CEO and the CFO of a company are now required to formally certify that all accounting processes are correct (including those of subsidiaries and partnerships). Incorrect information can result in penalties of up to five million dollars and up to 20 years of imprisonment. This sets quite a new standard for visible management processes, verifiable routines and checkpoints.
On the IT manager’s table
It may appear that SOX is the concern of economists and company management only, but since almost all financial information is managed and communicated electronically, the IT infrastructure of the company always plays an essential role in every SOX project. The question therefore also lands on the IT manager’s table. From there it is likely to be passed on to the person responsible for company security, who will soon find that the old security slogan of structure, responsibility and order is still relevant.
Directives instead of requirements
There are no single correct answers to the SOX requirements, only directives in the form of different frameworks. Among others, the IT Governance Institute has published “IT Control Objectives for Sarbanes-Oxley”, which includes several pieces of good advice and which is based on the frameworks COBIT and COSO.
Does it sound like mission impossible? At its core it is about being in control of your company, including its IT operations. If you are in control of your security, e.g. by working with ISO/IEC 17799, you are on the right track.
Parts of the company are given priority
All SOX projects normally start by defining which parts of the company to include (so-called scoping). Once the accounting and finance functions have been scoped as thoroughly as possible, the following areas must be identified according to COSO (the areas are usually prioritised according to the size of turnover, so that at least 80 per cent of all costs are covered):
- Company description
- Risk assessment
- Control activities
- Information and communication
- Surveillance
The areas to which COBIT attaches special emphasis are the following:
- Planning and organisation
- Program/system development
- Procurement and implementation
- IT operation and competence control
- Monitoring and evaluation
Clear IT organisation and IT documentation
SOX audits show that it is crucial for company management to set up a clear IT organisation, an IT and security policy, a strategy for IT operations, and an acknowledged and tested business continuity plan. The practical IT work must include documented descriptions of the following:
- Risk assessments
- Routines for system development and maintenance
- Change control
- Security backup
- A model for classification of information
- Competence systems and competence assignment
- Logging of changes to the financial system or the competence system.
Find more information on SOX on Wikipedia.