
Five tips to prep for a Sarbanes-Oxley audit

For IT organizations in public U.S.-operating companies, SOX audits are a fact of life. Look forward to a compliance audit with these immediate and long-term preparations.

All data centers benefit from log collection and monitoring -- they make troubleshooting and performance optimization easier. But public organizations in the U.S. must also ensure that these logs and organizational standards pass muster -- or face legal repercussions.

The Sarbanes-Oxley Act (SOX) protects financial data from erroneous or malicious manipulation by enterprises in the U.S. All public companies must comply, substantiating legal practices with demonstrable internal controls and with logs of network, database, login, account and user activity submitted alongside every quarter's financials. IT teams must also show how they control access to information.

The SOX compliance requirements are complex and detailed. If you have an annual Sarbanes-Oxley audit on the horizon, brush up on your responsibilities and prep work in five steps.

  1. There are ways to streamline compliance efforts for the biggest SOX hurdle: SOX 404. For example, test only the internal controls that could lead to a material misstatement -- a punishable misrepresentation of financial data -- if they failed. By filtering out just this subset of controls, you'll save time and effort in the long run. Create a flow chart of processes, procedures and related activities in the organization so you know where to place controls to prevent errors. Other critical areas to work on include communication, training on SOX requisites, and education about elements of internal control.
  2. Review your data governance and security protocols. With big data projects underway in the enterprise, the volume and variety of data coming into databases and communicated among business units introduces new complexities to compliance.
  3. Most SOX-regulated IT organizations use COBIT, ITIL or another governance methodology to ensure consistent practices. Review whether established strategies for document and content management still work with big data and new business concepts, and make use of tools that automate records management and archiving.
  4. All this internal SOX audit preparation is a gateway to compliance best practices and easier protection of new IT initiatives, such as virtual desktops or cloud.
  5. Don't forget about software as a service (SaaS). Sensitive data frequently resides off-site in these third-party SaaS applications, and auditors are adapting to ferret out non-compliance. If your organization relies on SaaS vendors, verify that they keep data SOX-compliant with SAS 70 reports.
  6. The right auditor makes the entire process run more smoothly. Choose a company that has experience in your specific industry. Pick one of the bigger-name firms, unless there's compelling reason -- like a noteworthy audit expert at a small firm -- to go with another company. Auditors cannot provide other accounting services to your company, and will not provide deep support on corrective actions. During the company evaluation, speak with the auditors, not sales people and senior staffers. Know who will actually perform your audit.
  7. There's nothing wrong with asking questions about what you'll be audited on and what the auditors' methods will be. It will help your IT organization prepare -- perhaps even run a Sarbanes-Oxley internal audit -- and avoid common mistakes.
  8. Compliance, governance and security all break down in the same places for most IT organizations. This is good news because you can identify and remediate problem areas before the audit process begins.

Five quick facts about the Public Company Accounting Oversight Board:

1. The board has five members, each serving five-year terms.

2. The SEC, in concert with the Federal Reserve and other bodies, appoints board members.

3. PCAOB penalizes firms and individuals for SOX audit violations and can dictate improvements.

4. PCAOB conducts inspections annually if a company has 100+ users.

5. PCAOB conducts inspections once every three years for companies with fewer than 100 users.

Not surprisingly, automated tools outperform manually maintained audit trails. Even without specialized software, however, you can bring rigorous discipline and diligence to top trouble spots: access permission changes, separation of privileges and vendor management.

Next Steps

Small business? Read this analysis of the JOBS Act and SOX

How VDI administrators see IT audits

Outside the U.S.? Read up on ISAE-3401, a global standard similar to SOX

This was last published in February 2015

The Sarbanes-Oxley Act audits businesses and organizations to ensure that there are no accounting practices that infringe the public. It is thus important to prepare for it. You need proper experience as an auditor because what is provided is wholly dependent on you. Documenting applications, passwords and user names is key. You ought to research frameworks and put the best ones into practice. You could also perform a self-analysis prior to the audit.

One thing that I've seen when we are audited by an external company is that you need to know when to say that enough is enough. I recently saw an audit that lasted for more than three months, as the auditors kept trying to dig deeper and deeper. Granted, we wanted them to thoroughly assess our compliance with SOX controls, but it reached the point of diminishing returns long before we called a stop to the audit. While that instance was rather excessive, it serves as a good example that, when testing or auditing for SOX compliance, you should use common sense and establish guidelines with the auditors prior to starting the audit.