To protect shareholders and the general public, the United States Congress passed the Sarbanes-Oxley Act back in 2002. In the IT world, the act of following rules outlined in this legislation is called SOX compliance.
In particular, IT and networking professionals have to worry about properly managing electronic records. Of course, there’s more to the act than handling and managing data. The legislation was primarily passed to improve the accuracy and reliability of corporate disclosures. The result is that enterprises, organizations and corporations must be more careful in their accounting, digital content handling and dealing with fraud.
In other words, everyone now has to dot their i’s and cross their t’s.
SOX Compliance and Corporate Electronic Records
Ultimately, the way IT professionals store corporate data changed considerably as a result of the act. It doesn’t expressly mention how those records should be stored, although it does mention what types of records must be preserved and for how long.
All business records, including electronic records and messages, must be stored for no less than five years. Companies or parties that fail to comply face heavy fines or imprisonment for their actions. So, it’s quite serious. Despite the severity of compliance, and the longstanding existence of this act—it’s been around for more than 10 years now—many still have trouble fulfilling the requirements.
Understandably, many IT professionals are concerned with passing the audits that monitor SOX compliance yet not necessarily with best practices to make the process easier. They just want to pass, so they take the fastest route to that goal. This approach can lead to some common mistakes.
It’s About More Than Security
Many IT professionals mistake SOX compliance requirements for security requirements, or at least they treat security as the primary goal of the initiative. That’s not the case. The act, rules and regulations weren’t written with IT or modern technology in mind. Instead, the idea was to limit fraud and provide contingencies for the future. Because much of the language is vague, it can change with the times. It also allows organizations to adopt new technologies while still maintaining SOX compliance.
In other words, it’s about looking at nearly all digital content your organization touches to ensure reports are accurate, complete and honest. Doing so requires setting up internal controls to ensure that all processes and applications are reliable and that your team accurately reports financial information. Changes must always be in compliance with laws and policies, no matter who is making the amendments.
Here is a quick checklist of everything IT professionals should be concerned with:
- Risk assessment
- The use, security and monitoring of system utilities and applications
- Security measures
- User identification and authentication
- Access controls or restricted user access where appropriate
- Security of online data and user access controls
- Review and monitoring of user accounts
- Security and surveillance
- Violation of security protocols, including activity reports
- Malicious-software detection and correction, as well as prevention
- Unauthorized and third-party software
- Problem management
- Problem tracking and audit references
You’ll notice security is an underlying factor and has to do with nearly every one of these elements. But it’s not the only concern.
Taking Into Account the Risk of a Material Error
SOX compliance, and the audits that follow, require you to consider and disclose failures that will result in a material error. This process is an effort to cut down on fraud. Some mistake materiality for a fixed percentage of net income. Instead, it refers to any details or trends that are critical to an investor’s buy or sell decision. The act helps define this difference, and helps investors become familiar with what is and isn’t material.
It also means assessing risks before you encounter them because the risk environment is constantly changing. You can use mapping, flowcharts and similar diagrams to help team members and auditors understand the processes they’re working with.
Handle Red Flags as Soon as Possible
If you’re doing it regularly, risk assessment will turn up one or two things that constitute red flags. They may not be fraud, but they can easily lead to material misstatements or similar problems.
Find a way to mark red flags, and then handle them as soon as possible—don’t put them off. Take action immediately to address exceptions, problems and concerns. If something sits on the boundary, play it safe and do what you can to remove all doubt. You can use technology to flag exceptions you would otherwise miss, but remain transparent while making the changes you need.
Document and Record Everything
There’s no better proof or record than a paper trail. Document everything you can to provide evidence for the work you’re doing, particularly when it comes to control efforts. You should also ensure your entire team understands the information provided in your records and documentation. If necessary, hold periodic meetings to cover and review the most important points.
Gone are the days when management can simply sign off on a control or process. Financial reports have always required an internal control report that allows management to affirm their responsibility for the reported information. Now, the Public Company Accounting Oversight Board (PCAOB) wants to see clear proof that the manager actually reviewed the materials, and it wants to know exactly what that manager did. It’s therefore much more important to document the entire control and review process.
If it changes, document it—not just what changed, but also how and why. Also, ensure you’re including who made the changes and what department they’re from; also, track the result. This process may seem involved and complicated, but it’s thorough, and that’s most important. You want to remove all doubt and keep your company—and team—in the clear.
Your Tools Make a Difference
Control financial reporting. When everyone and anyone can access and make edits to reports, things can quickly get confusing. Excel and spreadsheet tools are excellent for financial reporting, but the act of rekeying data into a spreadsheet, especially by multiple parties, is risky. Even if all participants do their best to remain accurate, errors can happen. If you don’t catch those errors in time, you can fall out of compliance.
Some tools use a similar style but have processes in place to cut down on errors and mistakes; GL Excel is a great example. Whatever tools your team uses, just know that the choice makes all the difference.
COBIT Isn’t Required
COBIT, or the Control Objectives for Information and Related Technology, has been adopted by numerous organizations because SOX explicitly states that controls are necessary. Since the COBIT framework is one of the most popular to help define and document internal controls, it’s what most IT professionals stick with.
But it’s important to remember that SOX doesn’t say what controls are necessary or how IT should implement them. Remember, it’s not IT-oriented at all. Thus, you’re free to assess the situation and deploy a framework and system that works for you. Sometimes, it’s more beneficial to find your own way—as scary as that may be.
Remember, It’s a Joint Effort
You can choose all the right software, deploy all the right control processes and document everything, but SOX compliance is much bigger than you. Everyone needs to be on board, and everyone must be concerned with meeting guidelines and rules. You can only tell others to document and check accuracy so many times before it’s their responsibility to get things done right.
You shouldn’t shift responsibility or blame anyone else, but you do need to recognize that it takes more than one person or department to keep things in line. A critical aspect of this effort is detection and prevention.
Do what you can to educate other departments and team members. Work with them to adapt and evolve your control processes so things are easier and more comprehensive. Sometimes, we get so involved with our own IT tasks and responsibilities that we forget there are other people out there—those who have no idea how to use technology like we do.
It’s about understanding your entire team, even those who need a little more guidance or help. You can make things work much more smoothly if you take the time to educate everyone involved with your control processes, software and tools.
About the Author
Kayla Matthews is a technology writer and reporter, contributing to websites like VentureBeat, Vice, MakeUseOf and TechnoBuffalo. Visit ProductivityBytes.com to read more recent posts by Kayla.