Sustainable Sarbanes-Oxley Compliance
A Solidcore White Paper

The Sarbanes-Oxley Act (SOX), passed by the US Congress in 2002, represents a fundamental shift in corporate governance norms. As corporations come to terms with the implications of SOX to their businesses, one thing is clear: a SOX compliance program is not a one-time project but a sustained effort to gain visibility and accountability into business processes that affect the accuracy of financial reporting. This white paper outlines the issues faced by IT managers in meeting their compliance requirements and explains how Solidcore can be a core component of a sustainable and cost-effective SOX compliance program.
Complying with Sarbanes-Oxley

The Sarbanes-Oxley Act (SOX), passed by the US Congress in 2002, represents the most fundamental shift in corporate governance norms for many decades. In particular, section 404 is often talked about as being the core provision of SOX as it deals with executive management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company. It requires management to certify the adequacy and effectiveness of its internal controls and to disclose any material weaknesses found.

The key to a successful compliance program is to recognize the fact that Sarbanes-Oxley (SOX) does not simply require that adequate controls be established - it requires the annual review of the effectiveness of those controls. In other words, achieving compliance is not a one-time event; rather it must be part of an ongoing process that needs to be sustained over time. Corporations that view the compliance provisions of Section 404 as a burdensome legislative mandate may not be making the necessary investments for a sustained compliance program. On the other hand, corporations that view compliance as a means to establish and maintain good process through a well-defined set of internal controls and the automation of those controls are the ones that will be more likely to have a successful long-term compliance program.

The standard that most auditors use to determine adequacy of internal controls is the standard of due care. A company exercises due care if it follows current best practices for establishing accountability and measurability over its internal controls. If there is an incident in which an internal control is circumvented in spite of measures that meet the test of "due care", then the company is not liable for regulatory penalties (fines and other sanctions). However, the precise definition of "due care" is amorphous and changes over time. It simply refers to a standard of feasibility (most people should be able to do it) and reasonableness (the benefit should justify the cost for most people) by eno...

Note that SOX is the most visible of a number of regulatory standards that have emerged in recent years. While we focus on SOX in this white paper, information about other standards is available in Appendix B.

IT Controls are central to SOX Compliance

In today's corporate environments, control over IT systems is critical to a sustainable compliance program. The US Public Company Accounting Oversight Board (PCAOB), which provides guidelines for auditors, issued a statement (Auditing Statement No. 2) that made this very clear:

"The nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting."

In the same document, the PCAOB goes on to stress the centrality of IT controls in an audit of SOX compliance:

"To identify relevant assertions, the auditor should determine the source of likely potential misstatements in each significant account. In determining whether a particular assertion is relevant to a significant account balance or disclosure, the auditor should evaluate the nature and complexity of the systems, including the use of information technology by which the company processes and controls information supporting the assertion."

The remainder of this white paper will focus on building and maintaining effective IT controls to meet Sarbanes-Oxley requirements.

The conventional approach to establishing and maintaining IT controls is to exhaustively document IT processes and policies and increase the frequency of review. This approach, while it may meet the "due care" standard today, is costly, inefficient...