

Five tips to prep for a Sarbanes-Oxley audit

For IT organizations in public U.S.-operating companies, SOX audits are a fact of life. Look forward to a compliance audit with these immediate and long-term preparations.

All data centers benefit from log collection and monitoring -- they make troubleshooting and performance optimization easier. For U.S. public companies, however, those logs and the organizational standards behind them must also pass an outside auditor's scrutiny, or the company faces legal repercussions.

The Sarbanes-Oxley Act (SOX) is meant to protect investors from erroneous or fraudulent financial reporting by U.S. public companies. All public companies must comply, backing their financial statements with demonstrable internal controls, including logs of network, database, login, account and user activity, and management must certify those statements every quarter. IT teams must also show how they control access to financial information and the systems that produce it.

The SOX compliance requirements are complex and detailed. If you have an annual Sarbanes-Oxley audit on the horizon, brush up on your responsibilities and prep work with the steps below.

  1. There are ways to streamline compliance efforts for the biggest SOX hurdle: Section 404, the internal-control assessment. Take the top-down, risk-based approach the PCAOB allows: test only the internal controls whose failure could lead to a material misstatement, meaning an error or omission large enough to change the decisions of someone relying on the financial statements. Filtering down to that subset of controls saves time and effort in the long run. Create a flow chart of the processes, procedures and related activities in the organization so you know where controls belong to prevent errors. Other critical areas include communication, training on SOX requirements, and education about the elements of internal control.
  2. Review your data governance and security protocols. With big data projects underway in the enterprise, the volume and variety of data flowing into databases and between business units introduce new complexities for compliance: you need to know which data feeds financial reporting and who can alter it.
  3. Most SOX-regulated IT organizations use COBIT, ITIL or another governance framework to ensure consistent practices. Review whether your established document and content management strategies still work with big data and new business concepts, and use tools that automate records management and archiving so retention is enforced rather than remembered.
  4. All this internal SOX audit preparation doubles as a gateway to compliance best practices, and makes it easier to bring new IT initiatives, such as virtual desktops or cloud, under the same controls from the start.
  5. Don't forget about software as a service (SaaS). Sensitive data frequently resides off-site in third-party SaaS applications, and auditors are adapting to ferret out non-compliance there. If your organization relies on SaaS vendors, obtain each vendor's SOC 1 report (the successor to the old SAS 70 report), which covers the provider's controls relevant to your financial reporting, and prefer the Type II version, which tests whether those controls operated over a period rather than merely existed on one date. Read the report's list of complementary user entity controls: those are the controls the vendor assumes you operate on your side, and the auditor will expect you to have them.
  6. The right auditor makes the entire process run more smoothly. Choose a firm that has experience in your specific industry. Pick one of the bigger-name firms unless there's a compelling reason, such as a noteworthy audit expert at a small firm, to go with another company. Independence rules bar your auditor from providing most other services to your company, such as bookkeeping or designing financial systems, and they will not do your remediation for you. During the evaluation, speak with the auditors themselves, not sales people or senior staffers who won't be on the engagement. Know who will actually perform your audit.
  7. There's nothing wrong with asking questions about what you'll be audited on and what the auditors' methods will be. It will help your IT organization prepare -- perhaps even run a Sarbanes-Oxley internal audit -- and avoid common mistakes.
  8. Compliance, governance and security all break down in the same places for most IT organizations. This is good news because you can identify and remediate problem areas before the audit process begins.

Five quick facts about the Public Company Accounting Oversight Board:

1. The board has five members, each serving five-year terms.

2. The SEC appoints board members, after consulting the chairman of the Federal Reserve and the Secretary of the Treasury.

3. PCAOB can sanction registered accounting firms and their associated persons for audit violations, and can require remedial measures such as improvements to a firm's quality controls.

4. PCAOB inspects a registered accounting firm annually if the firm issues audit reports for more than 100 public companies (issuers).

5. Firms that audit 100 or fewer issuers are inspected at least once every three years.

Not surprisingly, automated tools outperform manually maintained audit trails. Even without specialized software, however, you can bring rigorous discipline and diligence to top trouble spots: access permission changes, separation of privileges and vendor management.
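The two trouble spots above that lend themselves to a mechanical check are permission changes without a recorded ticket or independent approver, and users who accumulate a conflicting pair of roles (for example, one person who can both edit vendor master data and approve payments). The following Python script is an added example, not code from the article or from any SOX tooling: it replays a constructed, pipe-delimited access-change log (the field layout, role names, user names and the conflict matrix are all assumptions for illustration) and reports change-control gaps and separation-of-duties conflicts in the resulting effective permissions.

```python
"""Audit-trail checks for access permission changes and separation of duties.

Added example. The log format, role names, users and the conflict matrix
below are constructed assumptions, not a real product's schema.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines (assumed format):
# timestamp|action|actor|target|role|ticket|approver
SAMPLE_LOG = """\
2024-03-01T09:12:00Z|grant|alice|bob|ap_invoice_entry|CHG-1001|carol
2024-03-01T09:15:00Z|grant|alice|bob|ap_payment_approve|CHG-1002|carol
2024-03-02T14:03:00Z|grant|dave|dave|gl_journal_post||
2024-03-03T11:30:00Z|grant|alice|erin|vendor_master_edit|CHG-1003|alice
2024-03-04T08:00:00Z|revoke|alice|bob|ap_payment_approve|CHG-1004|carol
2024-03-05T16:45:00Z|grant|frank|grace|vendor_master_edit|CHG-1005|carol
2024-03-05T16:46:00Z|grant|frank|grace|ap_payment_approve|CHG-1006|carol
"""

# Assumed toxic role combinations: holding both lets one person create an
# obligation and pay it without a second pair of eyes.
SOD_CONFLICTS = {
    frozenset({"vendor_master_edit", "ap_payment_approve"}),
    frozenset({"ap_invoice_entry", "ap_payment_approve"}),
}


@dataclass(frozen=True)
class Change:
    ts: str
    action: str
    actor: str
    target: str
    role: str
    ticket: str
    approver: str


def parse_log(text):
    """Parse the assumed pipe-delimited format; reject malformed lines loudly."""
    changes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 7:
            raise ValueError(f"malformed line: {line!r}")
        changes.append(Change(*fields))
    return changes


def check_change_control(changes):
    """Per-event findings: missing ticket, missing or self approval, self-grant."""
    findings = []
    for c in changes:
        if not c.ticket:
            findings.append((c.ts, "no change ticket", c))
        if not c.approver:
            findings.append((c.ts, "no approver recorded", c))
        elif c.approver == c.actor:
            findings.append((c.ts, "actor approved own change", c))
        if c.target == c.actor:
            findings.append((c.ts, "self-granted permission", c))
    return findings


def effective_roles(changes):
    """Replay grants and revokes in timestamp order to get current roles per user."""
    roles = defaultdict(set)
    for c in sorted(changes, key=lambda c: c.ts):
        if c.action == "grant":
            roles[c.target].add(c.role)
        elif c.action == "revoke":
            roles[c.target].discard(c.role)
    return roles


def check_sod(roles):
    """Users currently holding a conflicting pair of roles, as (user, pair)."""
    return sorted(
        (user, tuple(sorted(pair)))
        for user, held in roles.items()
        for pair in SOD_CONFLICTS
        if pair <= held
    )


def run_review(text=SAMPLE_LOG):
    """Run both checks over a log and return the findings for reporting."""
    changes = parse_log(text)
    return {
        "change_control": check_change_control(changes),
        "sod": check_sod(effective_roles(changes)),
    }


if __name__ == "__main__":
    result = run_review()
    for ts, why, c in result["change_control"]:
        print(f"{ts} {why}: {c.actor} {c.action} {c.role} -> {c.target}")
    for user, pair in result["sod"]:
        print(f"SoD conflict: {user} holds {pair[0]} and {pair[1]}")
```

Note that the separation-of-duties check runs against effective permissions after replaying revokes, not against the grant events alone: bob briefly held a conflicting pair but the later revoke clears him, while grace is flagged because both grants still stand. In a real review you would feed this from the identity system's change history and the ticketing system, and keep the conflict matrix under the same change control as the code.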

Next Steps

Small business? Read this analysis of the JOBS Act and SOX

How VDI administrators see IT audits

Outside the U.S.? Read up on ISAE 3402, the international standard for service organization control reports (the counterpart of the U.S. SOC 1 report)
