Finding Solutions to SOX Compliancy in IT Architecture Planning

Finding Solutions to SOX Compliancy in IT Architecture Planning October 2006 Introduction Beginning as a swift response of legislative action, the Sarbanes-Oxley Act of 2002 lead us down the unlikely path from corporate ethics to IT implementations – demonstrating how inextricably linked business and IT are to each other in today’s corporations. Though SOX’s major provisions don’t mention IT controls explicitly, SOX has had wide-reaching implications for the IT department. Even audit results don’t reflect the enormous effort spent on IT in order to render an enterprise SOX- compliant. Indeed, in the first SOX reporting period only 3% of material weaknesses were IT related1. Yet, with IT being the underpinning of virtually all of a company’s financial reporting processes, it has the potential to be the cause of other material weaknesses. Thus the dive down to the roots is crucial. The SOX provisions having the most relevance for IT call for CEO/CFO certification of financial reports, and assessment and disclosure of internal controls for financial reporting. The processing, storage and harvesting of the data that finds its way into financial reports, as well as the operation of the infrastructure and workflow systems supporting control-targeted business processes are performed under the auspices Table 8. How Many Internal Hours Do You of IT. Thus IT has the task of scoping SOX-relevant systems, eliminating Estimate the IT Organization Will Spend on any risks posed to the systems, continuously monitoring, documenting Financial-Management-Compliance- and assessing the SOX-relevance of system changes, and reporting Related Activities in 2005? (%) changes to the SOX project management office (PMO) as well as including the office in system change decisions. Hours 1,000- 2,000- 5,000- >10,000 1,999 4,999 9,999 empl. Whereas SOX has undoubtedly put strains on IT organizations in empl. empl. empl. companies of every size and in every industry (see sidebar), even IT <5,000 21 31 12 19 professionals are quick to admit that the ‘Clean up your Act’-Act has brought about important improvements, notably: 5,000- 32 27 30 18 recognition of vulnerabilities in the IT area 9,999 improved information system security 10,000- 32 14 22 18 better understanding and improvement of segregation of duties 19,999 improved access controls and access monitoring 20,000- 5 14 17 13 improved test procedures and program change management 49,999 improved processes to document policies, procedures, and controls2 50,000- 3 10 5 9 99,999 as well as the ability to leverage the same technologies used for SOX >100,000 0 0 5 7 compliance to support other compliance processes. Additionally, SOX has enhanced IT’s profile through recognition of its importance to business Don’t 8 4 10 15 and has raised awareness for IT governance in calling for defined know decision-making processes and documented plans, and in this context Notes: The size of the company was has lead to a more engaged control environment with active participation measured by the number of employees by board, audit committee, management and other stakeholders.3 worldwide. This survey question was asked only of IT professionals. There are still benefits to be realized as companies begin to understand that SOX compliancy is not a one-time project but an on-going exercise in Source: Survey on Sarbanes-Oxley controls assessment in the evolution of a corporation’s IT landscape. In Compliance Practices Within IT learning to anchor control processes and objectives in the IT architecture, Organizations and Businesses, Gartner, enterprises will be able to identify and assess risk more effectively and 14 September 2006. achieve greater efficiencies in compliancy control. © alfabet AG 2 Frameworks provide guidance for SOX compliancy COBIT HIGH LEVEL CONTROL OBJECTIVES What are the essential activities for SOX compliancy? A majority of corporations use the COSO and/or COBIT frameworks for guidance. The Plan and Organize COSO framework has been identified by the SEC as a methodology for PO1 Define a Strategic IT Plan and Direction achieving compliance. It defines internal control as a process designed to PO2 Define the Information Architecture provide reasonable assurance of achievement of a stated objective. It is PO3 Determine Technological Direction more general in its approach than COBIT and addresses the enterprise as Define the IT Processes, Organisation and a whole, yet includes five areas which impact the IT department: PO4 Relationships PO5 Manage the IT Investment Risk Assessment: Identification of any risk imposed by IT systems or by Communicate Management Aims and outdated system documentation which may result in incompleteness or PO6 Direction inaccuracy of financial reports PO7 Manage IT Human Resources PO8 Manage Quality Control Environment: Creation of an environment which promotes personal responsibility for the success of projects. Employees should PO9 Assess and Manage IT Risks cross train with design, implementation, quality assurance and PO10 Manage Projects deployment teams to better understand the entire technology lifecycle. Acquire and Implement A11 Identify Automated Solutions Control Activities: Definition and documentation of how each finance- A12 Acquire and Maintain Application SW related IT system is used. Projects should be clearly documented with regards to security protocols, technical specifications, business A13 Acquire and Maintain Tech. Infrastructure requirements and related documentation. Creation of an audit trail to A14 Enable Operation and Use monitor deviations from the norm. A15 Procure IT Resources A16 Manage Changes Monitoring: Performance of frequent internal audits by IT staff. External A17 Install and Accredit Solutions and Changes auditors should control at regular intervals, the interval length being appropriate to the level of risk. Deliver and Support DS1 Define and Manage Service Levels Information and Communication: All control-related information should DS2 Manage Third-Party Services be timely and accurate ensuring that IT management can proactively DS3 Manage Performance and Capacity identify and address areas of risk. DS4 Ensure Continuous Service DS5 Ensure Systems Security In comparison, COBIT is specifically focussed on IT controls and aids DS6 Identify and Allocate Costs management in defining a strategic IT plan, defining the information DS7 Educate and Train Users architecture and acquiring the necessary IT hardware and software to execute an IT strategy. It implies that controls and security are in place to DS8 Manage Service Desk and Incidents govern these processes and these activities are performed in a DS9 Manage the Configuration continuous cycle.