ITGC SOX: The Basics and 6 Critical Best Practices
What Is ITGC SOX?
Complying with the Sarbanes Oxley Act of 2002 (SOX) requires organizations to record, test, maintain, and review controls affecting financial reporting processes. These internal controls are mechanisms that can identify or prevent problems in business processes, which can affect the accuracy or integrity of financial reports.
Companies should apply and review these processes each and every cycle leading to their financial reports. Internal auditors should conduct regular compliance audits to ensure compliance to SOX requirements.
On the IT side, there are IT General Controls (ITGC) and application controls. A SOX ITGC audit aims to reveal whether the ITGC are sufficient to ensure that the financial reporting system is accurate, complete, and error-free. It is crucial to get ITGC right in order to support seamless SOX compliance efforts and successful audits.
Why Do ITGCs Matter for a SOX-Audited Organization?
ITGCs ensure that the technology used by different parts of the enterprise is being used effectively, and not left open to unnecessary risks or vulnerabilities.
For example, a large company might have applications that support finance, purchasing, inventory, research, sales and marketing, and human resources. All of these teams use their own IT applications and rely on them to run in a specific way. In large enterprises, many of these applications are part of a central Enterprise Resource Planning (ERP) system.
ITGCs manage the operation of the ERP system. They control the following actions:
- Creating an administrator account or “super user”—administrator accounts can create different user accounts for each IT application.
- Managing the software lifecycle—this will determine how your business develops, tests, and implements new applications or features, to make sure changes are applied safely.
- Managing patches—this ensures rapid deployment of security or software upgrades to all systems that need to be upgraded.
- Managing passwords and other authentication measures—this helps ensure that each application has proper access control.
- Audit logging—this will record all transactions or changes made to the IT system and can be used for future audits or other inspections.
ITGCs are crucial to network security and compliance. Here are two examples of weak controls that can have catastrophic results:
- If all employees have permission to create new user accounts, anyone can create a covert user account, and use it to monitor sensitive data or even transfer company funds to their own bank account without permission.
- Ineffective patch management could expose systems to known vulnerabilities. Attackers can then exploit these vulnerabilities to break into ERP systems, steal data, or delete valuable intellectual property.
When managing ITGCs, a pressing issue is that external audit firms regularly check ITGCs as part of SOX audits. So if your ITGCs aren’t up to standard, you will fail the audit. If an ITGC is cited in an audit, the details may be disclosed to investors as a material weakness, which can affect the company’s reputation and brand. Research shows that disclosure of material weaknesses can result in losses of up to 19% in stock price over the next 12 month period, and an over 60% increase in audit fees and costs.
Therefore, it is advised to take ITGCs seriously from the onset and build a strong, well-managed set of ITGCs, to prevent surprises at the audit stage.
An Overview of SOX Compliance Audit Components
The SOX Act affects all publicly traded US companies, regardless of industry. It relates to corporate governance and financial practices, with a particular emphasis on records. SOX contains 11 titles, but the main sections related to audits are:
- Section 302—the company must provide periodic statutory financial reports. These reports must disclose any changes to the company’s internal controls, discovery of ineffective controls, and honestly describe its financial stability and any incidents of fraud.
- Section 401—the company must provide complete financial disclosures, including transactions, liabilities, and details of accounting practices.
- Section 404—analysis of internal controls and financial reporting procedures.
- Section 409—the company must notify the public of any change in the financial operations of the company or a major change to its financial situation.
- Section 802—stipulates the handling of counterfeit documents (e.g. falsification of records) and legal consequences.
SOX ITGC Controls
As part of the SOX compliance audit, the auditor closely examines the company’s overall IT management. Given the critical role IT plays in operations and the regulatory body’s concern for security, IT management will undoubtedly be scrutinized for SOX compliance. So, you need to be able to demonstrate proper IT management, especially regarding the following controls:
- Access—this includes physical access to doors, security badges, locked file cabinets, and electronic controls through login instructions, auditing permissions, and least-privilege access, which means that you only give users the access they need to complete the task.
- Security—how do you protect your data center and information systems from damage? SOX does not specify which security controls should or should not be used.
- Data backup—for financial documents, you must demonstrate maintenance of a remote SOX-compatible backup system.
- Change management—when changes occur, a clear process is required for adding and retaining users, implementing new software, or making changes to applications or databases related to financial records.
6 SOX ITGC Best Practices
Here are a few best practices you must consider as you implement ITGCs in a way that supports SOX compliance.
Prioritize Audit Efforts on Manual Controls
The scope of an IT system is generally determined by the reliability required for the data and the system’s ability to process transactions. However, manual controls that rely on IT systems require that the control owner verify the integrity of the data, by performing manual reconciliation, every time the control is executed. In other words, manually adjusting the data can adequately cover the accuracy and completeness of the data. The manager should evaluate whether the test requires IT general controls.
Test Using a Consistent Process
If the processes in multiple business units are the same, it is recommended that you use a similar test method for all departments rather than testing a separate sample for each process in each department.
For example, if Purchase to Pay is used in five different business units and all units run the same controls, a proportional sample can be applied to all five business units.
Alternatively, if all systems follow the same process for change management, you can apply a proportional sampling strategy that considers the relative number of changes in each system to obtain the sample size.
Prioritize Detective Controls
Managers and internal auditors may want to focus on detective controls rather than evaluating all preventive and detective controls. This can strengthen testing procedures of detective controls throughout the cycle.
Consider what Went Wrong
Detective review controls can help prevent and detect errors by looking at “what might go wrong” instead of “what went wrong”. Adding detective review controls that ask “what went wrong” can make preventive controls easier to manage and operate, and requires limited testing of these controls.
Create a Baseline for Automated Controls
Some automated controls are implemented as central components in an IT system, with a consistent configuration and strong change management controls. The risk of issues with this type of control is very low, so you should check the possibility to establish a baseline, and reduce the frequency of auditing from once per year to once per three years.
Rationalize Your Control Set
As business operations change over time, controls increase and evolve. In many cases, controls are no longer needed, but are not retired on time. Controls may have been added to address a specific situation or problem introduced by an external auditor. After the audit, managers should study the controls in more depth to identify and evaluate the appropriate controls based on their current environment and operations.
Automating ITGC SOX Auditing with Pathlock
Reporting on ITGC SOX Audits is typically a manual, time consuming process which happens once a year during audit season. It doesn’t have to be. Pathlock allows companies to transform into a continuous compliance mindset by monitoring ITGC in real time, and reporting on compliance year round. This way, there are no surprises when it comes time to audit season and any potential risks are captured before they become material.
Pathlock has integrations to all of your key financial applications to which ITGC SOX Audits apply – SAP, Oracle, Workday Financials, NetSuite, and many more. With Pathlock, simply deploy the out-of-the-box integration to your application and choose which of the 100’s of predefined rules you want to deploy. Pathlock has all of the key ITGC SOX controls covered, so you can focus your attention on value added activities.
Financial Impact Prioritization
Pathlock automatically prioritizes your most critical violations by quantifying access risk by tying violations to real dollar amounts of the out-of-policy transactions
Pathlock’s catalog of over 500+ rules, Pathlock can provide out-of-the-box coverage for controls related to SOX, GDPR, CCPA, HIPAA, NIST, and other leading compliance frameworks.
Real-time Access Mitigation
Pathlock allows user to quickly investigate and respond to potential risky transactions by reviewing access, deprovisioning users, forcing 2FA, or even allowing Pathlock to respond intelligently in real-time, terminating suspicious sessions and blocking transactions in real time
Pathlock’s out of-the-box integrations extend workflows to the provisioning and service desk tools you already have in place such as ServiceNow, SailPoint, Okta, Azure AD, SAP GRC, and more
Lateral SOD Correlation
All entitlements and roles are correlated across a user’s behavior, consolidating activities and showing cross application SOD’s between financially relevant applications
Continuous Control Monitoring
Pathlock identifies the largest risks by monitoring 100% of financial transactions from applications like SAP in real-time, surfacing violations for remediation and investigation