The SOX Challenge

Sometime earlier in this decade there were financial irregularities that resulted in major upheavals in the corporate world. Some organizations went down while others had to realign. What came out of these irregularities in financial reporting was a compliance act passed by the US Government, which came to be known as the Sarbanes-Oxley Act. What it essentially requires is that any company listed on the US stock exchanges must submit to an audit, and that the management of the company and the auditors must independently attest that the company has sufficient internal control over financial reporting. This means that the necessary processes, procedures and systems are in place to prevent any unauthorized tampering, intentional or unintentional, with financial data that will be used for reporting. It necessitates that all manual processes be automated and that the systems have sufficient security and controls built in to allow secure use that can be audited independently. The two main aspects are Change Management and Access Control.

After obtaining a thorough understanding of what constitutes effective internal controls, an evaluation process has to be followed. This process identifies the financial reporting risks and the controls that address them, and reports on the overall effectiveness of the existing controls along with the deficiencies identified. Based on this conclusion, a remediation process needs to be initiated to address the deficiencies and put the required controls in place.

Any change to any system, be it a new deployment, an enhancement or maintenance of an existing system, has to be authorized and follow a proper change management procedure as laid down in the change management policy of the company. This should ensure that every change is authorized, managed and tracked to completion.

Access control should exist to ensure that only authorized personnel are allowed access to systems that are critical to the functioning of the business and which have a direct impact on financial reporting. There should be a documented access control policy which should be implemented across the organization without any exceptions.

Information security is of paramount importance and should ensure that no data can be tampered with. All access to data should be controlled, and proper backups and archival of critical data should be in place. All business-critical systems should be secured against unauthorized access.

A critical part of SOX is the periodic internal audits and reviews that need to be carried out on the critical operations and systems that directly impact financial reporting. These audits and reviews should detect any unauthorized or suspicious activity, errors or other attempts at compromising system security, and immediate remedial action needs to be taken. The findings of the review as well as the action taken should be documented.

Reviews and documentation play a vital role in a SOX compliance initiative. If there are no reviews and no documentation supporting any of the required activities, that is considered a violation of SOX compliance. It is absolutely essential that periodic log reviews and reviews of user activity and system activity are carried out, and that the findings as well as the action taken are documented for submission to the auditors.

Policies and procedures need to be documented and implemented as per the documentation. Any deviation from them, and any exception to them, needs to be documented and authorized by the proper authorities.

The biggest challenge of implementing SOX in any organization is not the setting up or documenting of the processes and procedures, nor the implementation of the systems themselves or of the access control and change management processes around them. The greatest challenge in implementing the SOX 404 guidelines is ensuring that the policies and procedures are followed throughout the organization on an ongoing basis. This to me appears to be the greatest challenge of a SOX implementation. The organization has to follow the policies and procedures, use the systems put in place and move away from manual procedures. This is something that needs top management involvement. There has to be a clear top management initiative driving this downwards through the organization. Unless this happens, SOX compliance cannot be maintained.
