Complying with the Sarbanes Oxley Act of 2002 (SOX) requires organizations to record, test, maintain, and review controls affecting financial reporting processes. These internal controls are mechanisms that can identify or prevent problems in business processes, which can affect the accuracy or integrity of financial reports.
Companies should apply and review these controls in every cycle leading to their financial reports, and internal auditors should conduct regular compliance audits to confirm that SOX requirements are being met.
On the IT side, there are IT General Controls (ITGC) and application controls. A SOX ITGC audit aims to reveal whether the ITGC is sufficient to ensure that the financial reporting system is accurate, complete, and error-free. It is crucial to get ITGC right in order to support seamless SOX compliance efforts and successful audits.
ITGCs ensure that the technology used by different parts of the enterprise is being used effectively, and not left open to unnecessary risks or vulnerabilities.
For example, a large company might have applications that support finance, purchasing, inventory, research, sales and marketing, and human resources. All of these teams use their own IT applications and rely on them to run in a specific way. In large enterprises, many of these applications are part of a central Enterprise Resource Planning (ERP) system.
ITGCs manage the operation of the ERP system. They control the following actions:
ITGCs are crucial to information security and compliance. Here are two examples of weak controls that can have catastrophic results:
When managing ITGCs, a pressing concern is that external audit firms check ITGCs as part of every SOX audit, so ITGCs that are not up to standard will fail the audit. If an ITGC deficiency is cited, the details may be disclosed to investors as a material weakness, which can damage the company’s reputation and brand. Research shows that disclosure of a material weakness can result in stock price losses of up to 19% over the following 12 months, and an increase of over 60% in audit fees and costs.
Therefore, it is advised to take ITGCs seriously from the onset and build a strong, well-managed set of ITGCs, to prevent surprises at the audit stage.
The SOX Act affects all publicly traded US companies, regardless of industry. It relates to corporate governance and financial practices, with a particular emphasis on records. SOX contains 11 titles, but the main sections related to audits are:
As part of the SOX compliance audit, the auditor closely examines the company’s overall IT management. Given the critical role IT plays in operations and the regulatory body’s concern for security, IT management will undoubtedly be scrutinized for SOX compliance. So, you need to be able to demonstrate proper IT management, especially regarding the following controls:
Here are a few best practices you must consider as you implement ITGCs in a way that supports SOX compliance.
Whether an IT system is in scope is generally determined by how much the financial reporting process relies on the data it holds and the transactions it processes. Where a manual control that consumes system data requires the control owner to verify the accuracy and completeness of that data independently (for example, by a manual reconciliation) every time the control is executed, the reconciliation itself covers the accuracy and completeness of the data. The manager should evaluate whether testing such a control still requires reliance on IT general controls for the underlying system, and scope the ITGC testing accordingly.
If the processes in multiple business units are the same, it is recommended that you use a similar test method for all departments rather than testing a separate sample for each process in each department.
For example, if Purchase to Pay is used in five different business units and all units run the same controls, a proportional sample can be applied to all five business units.
Similarly, if all systems follow the same change management process, you can apply a proportional sampling strategy that uses the relative number of changes in each system to derive each system’s share of the sample.
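The proportional sampling described for the five Purchase to Pay business units and for change management across systems is the same calculation: split one sample size across strata in proportion to each stratum's population. The following is an added example, not code from this page or from Pathlock, that carries that allocation through with the caveats a tester wants: every in-scope system gets at least one item so nothing is left untested, no system is asked for more items than it has changes, and largest-remainder rounding makes the shares add up to exactly the planned sample. The system names and change counts are constructed for illustration.

```python
import math


def proportional_sample(changes, total_sample, minimum=1):
    """Allocate `total_sample` test items across strata (systems or business
    units) in proportion to each stratum's population of changes/transactions.

    Rules applied:
      * strata with zero population get no sample (there is nothing to test);
      * every non-empty stratum gets at least `minimum` items;
      * no stratum is allocated more items than its population;
      * largest-remainder rounding makes the allocations sum to `total_sample`.
    Returns a dict {stratum: items_to_test}.
    """
    pop = {k: v for k, v in changes.items() if v > 0}
    if not pop:
        return {}
    if minimum * len(pop) > total_sample:
        raise ValueError("sample too small to give every stratum the minimum")
    if total_sample > sum(pop.values()):
        raise ValueError("sample exceeds the population being sampled")

    # Start with the guaranteed minimum per stratum, then share out the rest.
    alloc = {k: min(minimum, v) for k, v in pop.items()}
    remaining = total_sample - sum(alloc.values())
    # Capacity still available per stratum (population not yet allocated).
    capacity = {k: pop[k] - alloc[k] for k in pop if pop[k] - alloc[k] > 0}

    # Iterate so that a stratum hitting its cap hands its excess to the others.
    while remaining > 0 and capacity:
        weight = sum(pop[k] for k in capacity)
        exact = {k: remaining * pop[k] / weight for k in capacity}
        share = {k: min(math.floor(x), capacity[k]) for k, x in exact.items()}
        leftover = remaining - sum(share.values())
        # Hand leftover units to the largest fractional remainders first;
        # ties break on name so the plan is reproducible for the auditor.
        order = sorted(capacity, key=lambda k: (-(exact[k] - math.floor(exact[k])), k))
        for k in order:
            if leftover == 0:
                break
            if share[k] < capacity[k]:
                share[k] += 1
                leftover -= 1
        for k, n in share.items():
            alloc[k] += n
            capacity[k] -= n
        remaining -= sum(share.values())
        capacity = {k: c for k, c in capacity.items() if c > 0}
    return alloc


# Constructed change counts per system for one year (hypothetical figures).
CHANGES_BY_SYSTEM = {"SAP": 120, "Oracle": 60, "Workday": 20, "NetSuite": 0}


def change_management_plan(total_sample=25):
    """Sample plan for change management testing across all systems."""
    return proportional_sample(CHANGES_BY_SYSTEM, total_sample)


if __name__ == "__main__":
    for system, n in change_management_plan().items():
        print(f"{system}: test {n} of {CHANGES_BY_SYSTEM[system]} changes")
```

With the constructed counts, a 25-item sample splits 14/8/3 across SAP, Oracle and Workday and NetSuite is excluded because it had no changes. The same function applied to per-unit transaction counts gives the proportional sample across the five Purchase to Pay business units.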
Managers and internal auditors may want to focus testing on detective controls rather than evaluating every preventive and detective control. Strengthening the testing of detective controls throughout the cycle provides evidence that errors which slip past preventive controls are still caught.
Preventive controls ask “what might go wrong” and stop it before it happens; detective review controls ask “what went wrong” and find it after the fact. Layering detective review controls over a process makes the preventive controls easier to manage and operate, and limits the testing those preventive controls require, because the review would surface any failure they missed.
Some automated controls are implemented as central components of an IT system, with a consistent configuration and strong change management controls. The risk of failure in such a control is very low, so consider establishing a baseline and reducing the testing frequency from once a year to once every three years, provided change management evidence shows the control has not been altered since the baseline was set.
As business operations change, the set of controls grows and evolves. In many cases controls that are no longer needed are not retired on time; some were added to address a specific situation or a finding raised by an external auditor. After the audit, managers should review the control set in more depth to identify which controls are still appropriate for the current environment and operations, and retire the rest.
Reporting on ITGC SOX audits is typically a manual, time-consuming process that happens once a year during audit season. It doesn’t have to be. Pathlock lets companies adopt a continuous compliance mindset by monitoring ITGCs in real time and reporting on compliance year-round. This way there are no surprises when audit season arrives, and potential risks are captured before they become material.
Pathlock integrates with the key financial applications to which ITGC SOX audits apply, including SAP, Oracle, Workday Financials, and NetSuite. Deploy the out-of-the-box integration for your application and choose which of the hundreds of predefined rules to enable. Pathlock covers the key ITGC SOX controls, so you can focus on value-added activities.
Pathlock automatically prioritizes the most critical violations by quantifying access risk, tying each violation to the real dollar amounts of the out-of-policy transactions.
With a catalog of over 500 rules, Pathlock provides out-of-the-box coverage for controls related to SOX, GDPR, CCPA, HIPAA, NIST, and other leading compliance frameworks.
Pathlock lets users quickly investigate and respond to potentially risky transactions by reviewing access, deprovisioning users, or forcing 2FA, or it can respond automatically in real time by terminating suspicious sessions and blocking transactions.
Pathlock’s out-of-the-box integrations extend workflows to the provisioning and service desk tools you already have in place, such as ServiceNow, SailPoint, Okta, Azure AD, and SAP GRC.
All entitlements and roles are correlated with a user’s behavior, consolidating activities and surfacing cross-application SoD conflicts between financially relevant applications.
Pathlock identifies the largest risks by monitoring 100% of financial transactions from applications like SAP in real time, surfacing violations for remediation and investigation.
Talk to our compliance experts today to find out how you can strengthen your internal controls and be audit-ready.