Protect your IT systems with SOX safeguards
Increased regulation and public scrutiny in the wake of a torrent of Enron-style corporate scandals have many publicly held companies scrambling to beef up their financial reporting capabilities as government deadlines loom.
Indeed, even companies that are not bound by the Sarbanes-Oxley Act of 2002 (SOX) are opting to adopt some or all of the SOX principles to improve transparency and increase customer and shareholder confidence.
While most corporate business and accounting departments are all too familiar with financial reporting requirements and audit trails, many IT departments are finding themselves in the audit spotlight for the first time. Many are struggling to define what their departments must do to comply and to implement the necessary procedures. The problems are compounded by a shortage of qualified IT auditors who understand IT departments' unique needs.
Analysts say the shortage of IT auditors stems not only from a historical lack of demand for professionals in the role, but also from the sudden demand to meet both short-term and long-term reporting deadlines. The deadline for initial SOX compliance varies with the company's size (measured by public float, the market value of shares held by non-affiliates) and its fiscal year-end date. But unlike the Y2K projects of the late 1990s, which for a short time put computer programmers in highest demand, few people expect the need for IT auditors to fade over time. On the contrary, ongoing audit requirements will secure the role of the IT auditor for the foreseeable future, experts predict.
SOX and IT
SOX has added a level of reporting complexity to even the most regulated industries. Most of the work that lands on IT departments stems from SOX's Section 404. This section requires management to establish internal controls over financial reporting, to document and test those controls, and to disclose any material weaknesses to shareholders. Management's assessment must in turn be attested to by the company's independent external auditor, so the control documentation is reviewed by an outside party rather than only by the people who wrote it.
For IT departments, complying with Section 404 can mean examining and documenting everything from who can access accounting data, to how inventory is tracked, to what safeguards protect the network from internal or external security breaches. The key point is that a control which exists only in practice cannot be tested: even if the IT department is already doing the right things to ensure system security and information integrity, a lack of corresponding documentation and evidence will be treated as a missing control, resulting in noncompliance and creating the appearance of risk.
The SOX Section 404 deadline for larger publicly held companies (those with a public float of $75 million or more, known as accelerated filers) is the end of their first fiscal year ending on or after Nov. 15, 2004. For smaller companies with a public float below $75 million, the deadline at the time of writing is the end of their first fiscal year ending on or after June 15, 2005; these dates have been moved before, so check the current SEC schedule rather than relying on this article.
Whether or not your company is bound by SOX regulations, the following information will help you find an IT auditor, understand what's involved in an IT audit, and learn how you can use the audit results to heighten your company's security and efficiency, add trust and value to your company name, and even boost your bottom line.
Finding an auditor
Just because auditors are in demand and sometimes scarce doesn't mean you should panic and enter a relationship with the first person whose business card says "IT auditor." It's important to first define your criteria and then conduct a careful search for an auditor who is experienced and knows the ins and outs of both the IT industry and SOX requirements. Although time may be of the essence, settling for someone who won't meet your needs will only drain your budget and hurt your business in the long run. Here are some important things to look for in a qualified IT auditor:
Experience. Some companies are reportedly snatching up new college graduates in desperation to fill IT auditor slots. While these new grads may have the smarts to do the job, they don't have real-world experience. Ideally, you need somebody who understands the complexity of the IT environment, has dealt with similar projects before and fully understands SOX requirements.
Certification. While no specific accreditation is required to act as a SOX IT auditor, many organizations are developing their own certification programs specific to SOX. Certifications help establish a knowledge baseline and can be an important first step in selecting an IT auditor. Among the most sought-after credentials are Certified Information Systems Auditor (CISA), which is an audit certification, and Certified Information Systems Security Professional (CISSP), which covers security practice more broadly.
Methodology. SOX compliance is all about process, so it's vital to find an IT auditor who has a proven, documented methodology that can carry over from company to company or project to project without major modifications.
Range. IT auditors must be versed in the complexities of the IT department as well as knowledgeable about where and how IT infrastructure can intersect with larger business and financial processes. Beware of auditors who are too narrowly focused, or look for a firm that can draw on multiple auditors to fill individual knowledge gaps and demonstrate broad, cross-functional expertise.
IT audits
What constitutes an IT audit? There is no single formula for conducting such an audit, but most analysts agree that a thorough audit addresses at least the following five areas:
IT operations. How are day-to-day operations handled? How are jobs processed? What backup procedures are in place?
IT security. What process sets up new users on a system, and who approves each grant of access? Who accesses the data? What authorization processes ensure sensitive information is accessible only to those cleared to access it, and how are conflicting duties (for example, creating a vendor and approving payments to it) kept apart? How are access rights reviewed, and how quickly are they removed when someone leaves or changes role? What risks and safeguards exist?
Change management. How are changes to production systems requested, approved, tested and recorded, and can developers push changes into production without a second person's sign-off? How is version control handled for product design, development, documentation or other iterative tasks?
New system development. What methodologies, processes and procedures are in place for the development and deployment of new systems?
IT governance. How is high-level administration of the department conducted? Does the department have a well-defined structure? Does the structure allow for good segmentation of information and good communication channels? What risk assessments are in place?
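The questions under "IT security" are usually answered with a user-access review: export who holds which roles in the financial system, then check each account against the provisioning records, the HR feed and a segregation-of-duties matrix. The script below is an added example of such a review, written for this article rather than taken from any auditor's toolkit; the role names, the conflict matrix, the ticket format and the sample account export are all constructed for illustration and are not from a real system.

```python
"""Automated user-access review of the kind a SOX IT audit asks for.

Added example; all roles, tickets and accounts are constructed, not real."""
from dataclasses import dataclass
from datetime import date

# Role pairs that must never sit on one account (assumed segregation-of-duties
# matrix; in practice the finance control owners define this list).
SOD_CONFLICTS = [
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"journal_post", "journal_approve"}),
    frozenset({"user_admin", "payment_approve"}),
]


@dataclass(frozen=True)
class Account:
    user: str
    roles: frozenset          # roles granted in the financial system
    enabled: bool             # account can still log in
    hr_status: str            # "employed" or "terminated", from the HR feed
    approval_ticket: str      # change ticket approving the grant; "" if none
    last_login: date


def sod_violations(acct):
    """Return each conflicting role pair the account holds, sorted for stable output."""
    return sorted("+".join(sorted(pair)) for pair in SOD_CONFLICTS if pair <= acct.roles)


def review_accounts(accounts, as_of, stale_days=90):
    """Run the four access-review checks over every enabled account.

    Each finding is (user, check, detail) so it can be exported as audit
    evidence and tied back to the control it tests."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue                          # disabled accounts carry no access
        for pair in sod_violations(a):
            findings.append((a.user, "SOD_CONFLICT", pair))
        if not a.approval_ticket:             # access granted with no approval trail
            findings.append((a.user, "NO_APPROVAL", "no provisioning ticket"))
        if a.hr_status == "terminated":       # leaver whose account was never disabled
            findings.append((a.user, "LEAVER_STILL_ENABLED", a.hr_status))
        idle = (as_of - a.last_login).days
        if idle > stale_days:                 # unused access should be removed
            findings.append((a.user, "STALE_ACCESS", f"{idle} days idle"))
    return findings


def summarize(findings):
    """Count findings per check; these totals go into the audit workpaper."""
    counts = {}
    for _, check, _ in findings:
        counts[check] = counts.get(check, 0) + 1
    return counts


# Constructed sample export from a fictional general-ledger system.
SAMPLE_ACCOUNTS = [
    Account("alice", frozenset({"journal_post"}), True, "employed", "CHG-101", date(2024, 3, 1)),
    Account("bob", frozenset({"vendor_create", "payment_approve"}), True, "employed", "CHG-102", date(2024, 3, 10)),
    Account("carol", frozenset({"user_admin"}), True, "employed", "", date(2024, 3, 12)),
    Account("dave", frozenset({"journal_approve"}), True, "terminated", "CHG-090", date(2023, 11, 1)),
    Account("erin", frozenset({"payment_approve"}), False, "terminated", "CHG-075", date(2023, 6, 1)),
]
AS_OF = date(2024, 3, 15)

if __name__ == "__main__":
    results = review_accounts(SAMPLE_ACCOUNTS, AS_OF)
    for user, check, detail in results:
        print(f"{user:8} {check:22} {detail}")
    print(summarize(results))
```

Run against the sample export, the review flags bob for holding both vendor creation and payment approval, carol for access with no approval ticket, and dave both as a terminated employee who can still log in and as an account idle for 135 days; alice is clean and erin is skipped because her account is already disabled. The same four checks, run on a schedule and kept with their output, are the kind of repeatable, documented evidence an auditor needs to test the control rather than take it on trust.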
Ongoing costs and benefits
Whether your company must be SOX-compliant or simply chooses to adopt SOX-like safeguards, professionals warn that IT audits must be an ongoing process, not a one-time exercise. Putting the initial analysis and documentation in place will help subsequent reviews go faster and more smoothly, but it is the beginning of the journey, not the end of it.
Rather than looking at the audit process as a series of procedural hoops to jump through, analysts urge officials to instead look to what the process offers in terms of increased trust from customers and shareholders, and increased internal productivity from establishing well-defined roles and well-documented procedures that ensure system and data security.
Adopting SOX or SOX-like safeguards can deliver peace of mind and assurance you are taking the necessary steps to ensure the security and integrity of important company data.