An Automated Approach to SOX Testing

The United States Congress passed the Sarbanes-Oxley Act in 2002 to enforce regulations on publicly traded companies. This legislation passed after numerous scandals by public companies such as WorldCom and Enron Corporation that caused a stock market decline prior to the 2002 elections. Congress passed the legislation in order to compel accountability by management and board of directors on financial reporting. With the incorporation of technology in financial reporting, the Act became more complex than originally intended.

SOX Compliance Testing

Sarbanes-Oxley Act regulations pertained to different areas. The discussions of corporate responsibility and governance brought about concerns of information security. Complying with regulations set by the SOX act can be overwhelming for organizations. SOX testing should focus on the areas that are crucial to your organization.

What is the PCAOB?

The SOX act created the Public Company Accounting Oversight Board (PCAOB) and instituted limitations on public accounting firm auditors including independence benchmark. The auditing standards implemented IT reviews as part of the mandatory regulations, as IT controls have become part of financial reporting.

The board requirements for auditing emphasized the importance of using a risk-based, individualized approach to determining controls. SOX, therefore, remains individualized unlike the ISO 29001 or PCI DSS.

Benefits of COSO

The Committee of Sponsoring Organizations created the COSO framework to include areas of compliance such as data security controls, risk review control activities, data and communication and oversight. Last year, COSO improved its enterprise risk management (ERM) framework to respond to variations in the risk environment.

The committee intended the update to assist companies align performance strategies to risks they faced.

COSO and its framework are the lynchpin for any SOX compliance program and assessing COSO framework offers awareness into conformity procedure.

How organizations institute internal regulations?

The first step to SOX compliance is performing a risk review on the organizations ITGC. Performing an appropriate risk review requires organizations to determine the objective of the assessment. The controls should be assessed depending on confidentiality, integrity, and availability defined with the risk standards.

Establishing internal controls refers to the review of an organizations structure. Not all areas if the organizations need to comply with the SOX act. Organizations should, therefore, focus on high-risk areas to ease the task of creating a program. Organizations must, therefore, find areas in their IT landscape that have significant risks and develop distinct controls to mitigate the risks identified.

How firms can employ significant control objectives

Engaging in meaningful control goals means integrating control awareness to recognize how the controls work, why they matter and how they fit into the end goal. Executives should, therefore, acknowledge that SOX reviews matter to an organization’s financial success or the internal controls become useless.

Documentation has therefore become important. Management must therefore be able to define their choices for accepting, transferring, mitigating or avoiding risk. They must understand the impact of their controls choices on their economical and reputation risk.

Why SOX compliance testing is significant

Before compliance can begin, it is important to identify risks and establish controls. Effective compliance is about collecting affirmation that controls work.

Control failures that risk errors in financial reports should be tested more strongly. Such controls, therefore, need more testing and documentation.

Consistently reviewing access controls become overwhelming as firms grow. A convenient assessment for 100 employees becomes difficult at 1000 employees.

An automated-role based access controls offers companies a pretense of surety that employees have the least amount of access to do their job. However, a single access control may not mitigate risk for important information. Integrating additional data access controls such as multiple authentications may be vital.

These controls and control testing need documentation that internal stakeholders should share across the firm.

How automating SOX testing documentation streamlines audits

The auditing process needs a consistent flow of information and documentation between all stakeholders. Various platforms such as ZenGRC offer organizations numerous tools to enable SOX audit tracking.

The programs like ZenGRC allow firms to map controls across frameworks to sustain consistency. This capability to map controls across multiple frameworks offers valuable insight for firms that want to execute increased conformity requirements.

External auditors need evidence that a firm has tested controls while organizing documentation in an easy access single location. Software that offers an individual source of proof enables simplified audit data collection.

In addition, the ZenGRC provides an easy to follow risk analysis that allows the board of directors to meet their supervisory role. When the board of directors can express their choices, they can prove to auditors they have met their due diligence obligation

Automating SOX controls testing goes beyond automating the controls to include automating the documentation that affirms the controls function.

Author Bio

Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT.  Learn more at ReciprocityLabs.com.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.