SOX Compliance: How prepared is your IT organization for the long haul?
Part I: Understanding SOX

Need for compliance:
Large corporate failures have always drawn global attention, all the more so when they wipe out substantial investor capital. The dot-com bust, coming on the heels of the Y2K spending cycle, and the large corporate failures that followed it created an acute need felt by three parties: corporations had to rebuild the rapidly waning faith of their investors; investors wanted the greatest possible safety and reliability for their investments; and the auditing and governing bodies had to improve the quality of financial auditing and the transparency of business audits in order to deter executive fraud. The Sarbanes-Oxley Act of 2002 became the more stringent regulatory mandate that addressed corporate governance and audit functions and required that they actually be practised and complied with. Much has been written about SOX, yet some critical questions remain unanswered. Let's take a look at these.

SOX compliance:
Implications for IT organizations

Over the years IT has become the core function underpinning critical business operations and competitiveness, so IT-related risks must be managed and organizations must be able to show that the value expected from IT is actually delivered. Application and data security, systems management and operations, and the scalability of multi-tier application platforms are among the IT-related risks whose consequences are far-reaching and damaging in the absence of effective controls.

Let's take the reverse view now:
The financial and audit reporting of any business cannot be accurate and reliable unless effective controls monitor and audit the underlying IT systems. Without a well-defined and well-managed IT governance programme, an IT organization can neither mitigate IT-related risks nor attest to the quality of the IT controls that are in place. That is precisely what SOX compliance demands: accurate and reliable corporate governance through greater accountability, internal controls, and transparency in business operations, and specifically in IT operations.

SOX compliance:
Critical aspects you need to understand

SOX is a broad statute: its titles and sections cover corporate governance, auditor independence, financial disclosure, and the penalties for non-compliance. Of these, Sections 302, 404 and 409 matter most to IT, because the obligations they impose on management cannot be met without reliable controls over the systems that produce and store financial data. As an IT professional you need to understand these Sections well enough to translate them into a workable compliance process for your organization.

Section 302: Corporate Responsibility for Financial Reports - requires the principal executive officer (CEO) and principal financial officer (CFO) to certify, in each annual and quarterly report, that:

  • They have reviewed the report, and it contains no untrue statement of a material fact and omits no material fact needed to make it not misleading.
  • They are responsible for establishing and maintaining the company's disclosure controls and procedures, have evaluated their effectiveness as of the end of the reporting period, and have presented their conclusions in the report.
  • They have disclosed to the external auditors and the audit committee all significant deficiencies in internal control and any fraud involving management or employees who have a significant role in internal control.
  • Any change during the fiscal quarter that materially affected, or is reasonably likely to materially affect, the company's internal control over financial reporting has been reported.
The CIO does not sign the certification, but the CEO and CFO can only sign it on the strength of the controls the CIO owns.
Section 404: Management Assessment of Internal Controls - requires a company's annual report to contain an internal control report that:
  • States management's responsibility for establishing and maintaining adequate internal control over financial reporting.
  • Names the framework (for example COBIT for the IT controls) used to conduct the required assessment of that internal control.
  • Assesses, and explicitly reports, the effectiveness of that internal control as of the end of the fiscal year.
  • States that the registered public accounting firm that audits the financial statements has attested to, and reported on, management's assessment.
Section 409: Real Time Issuer Disclosures - protects investors from delays in financial reporting that can affect reported financial performance and ultimately equity value. Section 409 requires:
  • Public companies to meet regulatory deadlines in releasing information and to inform investors "on a rapid and current basis" of any material change in the company's financial condition or operations.
Important for you to remember
Sections 302, 404 and 409 touch IT directly: management cannot certify financial reports or assess internal control over financial reporting without also assessing the controls over the IT systems that produce, process and store the underlying financial data.
  • Beyond implementing an adequate internal control framework, the emphasis is on monitoring and reporting its effectiveness on an ongoing basis, which means IT must be able to produce evidence (access reviews, change records, logs) that the controls operated throughout the period, not just that they were designed.
  • Knowingly certifying a report that does not comply with the Act exposes the certifying officers to criminal penalties (Section 906), and altering, destroying or falsifying records to obstruct an investigation is a criminal offence in its own right (Section 802).
  • The financial reporting referred to in these Sections is the financial statements themselves; IT control frameworks and systems are in scope because the reliability of that reporting depends on effective, secure and reliable IT operations.