SOX IT Compliance - Do we have enough IT Automation?

Do we have enough IT automation to avoid corporate frauds?
Following are certain IT SOX compliance areas which deserve to be prioritized for IT automation within each organization.

What is SOX?

Sarbanes Oxley (SOX) Compliance monitors controls for key enterprise-wide processes that have a direct impact on an enterprise's financial reporting. SOX Compliance documents, standardizes, tests and reports on these key controls in IT and the business to meet annual legislative requirements.The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. These scandals, which cost investors billions of dollars when the share prices of the affected companies collapsed, shook public confidence in the nation's securities markets.

The rules and enforcement policies outlined by the SOX Act amend or supplement existing legislation dealing with security regulations. The basic outline is as follows:

     1. Establishment of a Public Company Accounting Oversight Board, where public companies must now be registered.

     2. Strict auditor regulation and control by means of auditing committees and inspecting accounting firms.

     3. Heightened corporate responsibility for any fraudulent actions taken.

     4. Stricter disclosure within company financial statements, and ethical guidelines to which senior financial officers must adhere.

     5. Authorities available to the Commission and the Federal Court, as well as required broker and dealer qualifications.

What are Key Financial Controls?

§  Financial Controls are those controls that primarily:

Act as “checks and balances” to ensure that the information on a company’s financial statements is correct.

Relate to the preparation of reliable external financial statements as published in SEC filings (10Q’s, 10K’s, annual reports) or earnings releases.

§  Key Financial Controls (KFCs) are the Financial Controls deemed most essential to a process.

§  SOX compliance only requires documentation and testing of KFCs.

The controls are generally 'programmed' into application systems with the objective of ensuring integrity of transactional and master data related to financial reporting that is initiated, recorded, stored and reported on in the application system or between multiple systems by executing automated functions related to completeness, accuracy and validity of the data.

Application controls are classified into two types:

§  Combo controls: control activity includes both a manual portion and IT system dependent portion

§  Automated Controls: control activity is 100% IT system dependent (i.e. has no human involvement)

     General examples of application controls are:

§  Embedded controls: controls programmed into a system e.g. calculations, edit checks, automatic holds etc

§  Reports: system generated reports e.g. application custom reports or standard reports and business object reports

§  Interfaces: data transfer between systems

§  Workflow: system generated workflow specific to a business process e.g. transaction approval routing.

What is User Access Controls (UAC)?

User access controls protect organizations information resources and the integrity of financial data entered, authorized, stored, processed and reported on, in applications used for financial transactions and reporting.

What is Segregation of Duties?

Segregation of Duties (SOD) is a key internal control that, at the most basic level, attempts to ensure that a user’s access to two or more phases of a transaction or operation does not create risk.

Within any flow of transactions, the same person should not be responsible for conflicting tasks, because this creates RISK. By dividing responsibilities, no one person has the ability to perpetrate fraud or cause errors in the financial statements.

What is Restricted Access (RA)?

Many processes and controls are fully or partially automated. It is impossible to think about the division of responsibility without examining the power that is given through user access to applications. “Who has access to what” is a critical part of examining opportunities to commit fraud or cause errors in the financial statements.Through the proper restriction of access to applications by roles and job functions, an organization can help minimize these risks.