The IT Manager's Working Guide to Sustainable SOX Compliance

T H E I T M A N A G E R ' S
W O R K I N G G U I D E T O
S U S T A I N A B L E S O X
C O M P L I A N C E
Updated August 2006
P resented by :THE IT MANAGER'S WORKING GUIDE TO SUSTAINABLE SOX COMPLIANCEPresented by:SoftLanding Systems, Inc.
CONTENTS
Introduction.......................................................................... 2
A Brief History of SOX Compliance..................................... 3Other Deadlines, New Opportunities
Sarbanes-Oxley Basics....................................................... 6
SOX Mandates on IT........................................................... 7
Frameworks for SOX Compliance....................................... 8COSOCOBITIT Control Objectives for Sarbanes-Oxley
Suggested Course of Action ..............................................11
Toward Sustainable Compliance........................................ 12®Band-Aids and Manual ControlsAvoid Key Control OverloadTraining and AccountabilityCompliance is a Process
Using Technology to Facilitate SOX Compliance...............15
Change Management, Testing, and Security Solutions..................................................... 17
Summary............................................................................ 19
Resources.......................................................................... 19
Appendix A: COBIT Objectives Relevant to Sarbanes-Oxley IT Compliance......................................... 2 0
© SoftLanding Systems, Inc. 1THE IT MANAGER'S WORKING GUIDE TO SUSTAINABLE SOX COMPLIANCE
I N T RO D U C T I O N he IT Manager's Working Guide to Sustainable SOX Compliance isintended to aid IT professionals who are preparing for their company'sTfirst audit, as well as those who want to make ongoing Sarbanes-Oxley(SOX) compliance more cost-effective and less labor intensive. In the pagesthat follow, you will find:
an overview of the SOX Act that pinpoints sections applicable to IT departments,information on internal control frameworks, with a focus on COBIT,tips on overcoming challenges that companies encountered in YearOne and Year Two,suggestions on how to move toward sustainable compliance,a section on using technology to facilitate SOX compliance,and a list of 141 specific audit points that indicates where judicioususe of technology can support ongoing compliance efforts.
W H O S H O U L D R E A D T H I S PA P E RIf your company is subject to SOX compliance and you participate in ITfunctions, you could benefit from the information contained in this paper.
Companies affected by SOX include:
All publicly traded companies in the United States, each of theirdivisions, and all of their wholly owned subsidiaries.
Any non-U.S. public multinational company engaging in business inthe United States.
While not required by SOX as yet, private firms may also wish to complywith the spirit, intent, and letter of the law in preparation for initial publicofferings (IPOs), private funding, or simply to achieve a "best practices"benchmark.
© SoftLanding Systems, Inc. 2THE IT MANAGER'S WORKING GUIDE TO SUSTAINABLE SOX COMPLIANCE
A BRIEF HISTORY OFSOX COMPLIANCE t the beginning of this millennium, investors in U.S. stock markets lost$35 billion, caused in part by illegal manipulation of corporate finan-Acial reporting. A wave of corporate accounting scandals and a continu-al parade of C-level executives through various criminal courts shook thefinancial world. To restore investor confidence, the United States Congresspassed the bipartisan Sarbanes-Oxley Act (SOX), which requires internal "The ultimate controls over the creation of public companies' financial reports. objective is to improvethe quality of After the strict corporate governance law was enacted on July 30, 2002,affected businesses - domestic reporting companies that met the definition offinancial statements." 1"accelerated filer" under SEC rules (those with a capital valuation more than$75M) - struggled to meet the Year One compliance deadline. Given theSEC Chairman Act's civil and criminal penalties for CEOs and CFOs, management had a lotChristopher Cox, riding on their information systems. With the deadline for accelerated filersMay 17, 2006 approaching quickly, the pressure was on for Information Technology (IT)departments to prepare for the external a... [download for more]