This paper lays out the challenges with complying with SOX and suggests a radical solution: build a self-service, automated IT control framework in which all the information required to verify compliance is available in a single reporting system.
SSSSSSSSSSeeeeeeeeeellllllllllffffffffff----------SSSSSSSSSSeeeeeeeeeerrrrrrrrrrvvvvvvvvvviiiiiiiiiicccccccccceeeeeeeeee SSSSSSSSSSOOOOOOOOOOXXXXXXXXXX AAAAAAAAAAuuuuuuuuuuddddddddddiiiiiiiiiittttttttttiiiiiiiiiinnnnnnnnnngggggggggg
WWWWWWWWWWiiiiiiiiiitttttttttthhhhhhhhhh SSSSSSSSSS3333333333 CCCCCCCCCCoooooooooonnnnnnnnnnttttttttttrrrrrrrrrroooooooooollllllllll
The Sarbanes-Oxley Act (SOX), passed by the US Congress in 2002, represents a fundamental shift in corporategovernance norms. As corporations come to terms with the implications of SOX to their businesses, one thing is clear:a SOX compliance program is not a one-time project but a sustained effort to gain visibility and accountability intobusiness processes that affect the accuracy of financial reporting. Most IT controls are manual, error-prone andresource intensive. This paper lays out the problem and suggests a radical solution: build a self-service, automated ITcontrol framework in which all the information required to verify compliance is available in a single reporting system, atthe click of a button. Solidcore S3 Control has helped a large number of customers do just that, and we explain howwe helped them do it.
Complying with Sarbanes-Oxley.
The Sarbanes-Oxley Act (SOX), passed by the US Congress in review of the effectiveness of those controls. In other words,2002, represents the most fundamental shift in corporate achieving compliance is not a one-time event; rather it must begovernance norms for many decades. In particular, section part of an ongoing process that needs to be sustained over404 is often talked about as being the core provision of SOX as time. Corporations that view the compliance provisions ofit deals with executive management's responsibility for Section 404 as a burdensome legislative mandate may not beestablishing and maintaining adequate internal control over making the necessary investments for a sustained compliancefinancial reporting for the company. It requires management to program. Corporations that view compliance as a means tocertify the adequacy and effectiveness of its internal controls establish and maintain good process through a well definedand to disclose any material weaknesses found. set of internal controls and the automation of those controls arethe ones that will be more likely to have a successful long-termThe key to a successful compliance program is to recognize compliance program.the fact that Sarbanes-Oxley (SOX) does not simply requirethat adequate controls be established - it requires the annualSelf-Service SOX Auditing with S3 Control
IT Controls Testing and Verification are Largely Manual Requirements for self-service compliance.
The conventional approach to establishing and maintaining IT Meeting the IT requirements for compliance is an onerous task.controls is to exhaustively document IT processes and policies The information required to verify IT controls is unavoidablyand increase the frequency of review. This approach is costly, very large, exists in many different forms and is scattered widelyinefficient and error-prone. A sustainable compliance program across a complex IT infrastructure. Reconciliation across thesewill need to automate the verification and enforcement of IT information sources is a largely manual, tedious, error-pronecontrols in a manner that causes low operational overhead and and expensive process. In general, it is very difficult for the ITdecreases the documentation burden on systems personnel to use such scattered information to constructadministrators and audit personnel. documentation demonstrating the capability to detect policyviolations. For example, leaders in SOX compliance practicesThe primary issue faced by IT departments in meeting their include large financial services companies in which every fiscalcompliance requirements today lies in the difficultly of controlling quarter, dozens of people suspend their usual job duties forIT systems. Most companies have some form of change several days in order to collect data and create documentationapproval process, whether formally captured in a workflow in the "quarterly compliance fire drill."system, or informally captured via email exchanges. However,there is a gap between the changes documented through the In order to get to the automated control fra... [download for more]
