A major part of Sarbanes-Oxley compliance involves Information Technology.
If the 1990s were the age of the dot-com, then the 2000s can easily be considered the age of compliance. Government legislation such as HIPAA, Gramm-Leach-Bliley and the Sarbanes-Oxley Act requires businesses to adhere to strict regulations, at a cost of millions of dollars in investment. The Sarbanes-Oxley Act was a reaction to the scandals at Enron and WorldCom and addresses timely and honest financial reporting by public companies. While it is focused on accounting practices and business processes, various technologies play a crucial role in complying with the Act.
Business and financial executives are well aware of the challenges presented by the Sarbanes-Oxley Act and the requirements of ensuring financial and system compliance. Organizations need to have comprehensive knowledge and understanding of relevant financial information. This may require new business policies and standardization of procedures as well as a thorough review of internal IT structures that support reporting and documentation.
While the compliance activity appears to be a financial and audit issue and not a systems issue, it is important to understand the role that technology plays in achieving sustainable compliance. After all, the essence of the Act is all about ensuring that internal controls are in place to create and document information for financial disclosures. And which organization today does not depend on technology to create, modify and manage information?
Rapid Stability Incorporated can work with YOUR Information Technology on the following tasks:
Documentation of Key Business and Technology Components: Involves putting together all the procedures, policies, risk areas, controls and objectives in a systematic and structured way. The process and control documents should be accessible to relevant employees across the organization.
Monitoring of the Control Environment: Includes verifying systemic controls within the financial systems and the associated actions for remediation of any control violations.
Internal Control Assessments: A process by which management assesses the health of the controls across the organization for each of its entities and processes.
Measurement of Control Health: An ongoing process by which management benchmarks progress and identifies laggards.
Communication: The underlying glue across all activities of the compliance system. Management, the Audit Committee, audit teams and process owners are all connected to achieve the corporate compliance goals.
Reporting: The activity under which relevant compliance reports are published to support attestation.
The key assessment activities Rapid Stability Incorporated offers are:
Documentation: Organizations need to document their internal control environment. Policy documents, process flows, organizational objectives, the risks identified against those objectives and the controls planned for them need to be well documented in a secure and auditable environment. Management and process/control owners across the organization should have anytime, anywhere access to these documentation elements. Technology solutions exist to centrally create and manage digital documents, allowing worldwide access via the corporate intranet behind a single authentication and access-control layer.
Monitoring: Monitoring of controls is required at the entity and process levels. Management designs entity-level monitoring to implement controls for each of the identified processes. Process owners or control owners evaluate the effectiveness of the controls. Best practice is to embed internal control and data integrity checkpoints into the financial systems themselves. However, an external monitoring system should also be in place to assess these system-level controls independently. This is accomplished by integrating the monitoring system with specific event-based controls within the financial IT systems. Depending on the technology used in the financial systems, the integration is done either through an event-based programming interface at the transaction level or as an analytical integration with the reporting system. Application programming interfaces offered by the financial system vendors, connectors and XML are some of the key technologies used here.
Internal Control Assessments: For management to assert the internal controls, assessment and evaluation of both design and operating effectiveness is required. Management and audit teams plan the assessments, but individual process owners provide the actual assessments. Strong IT tools are thus required to design and program the assessment questionnaires and to run periodic campaigns that capture the assessments from distributed functional owners within the enterprise. Integration with internal HR systems, LDAP directories and corporate email systems is among the key technologies used during this activity.
Incremental integration testing is the continuous testing of an application as new functionality is added. It requires either that the various aspects of an application's functionality be independent enough to work separately before all parts of the program are completed, or that test drivers be developed as needed; it is done by programmers or by testers. Integration testing is the testing of combined parts of an application to determine whether they function together correctly. The 'parts' can be code modules, individual applications, client and server applications on a network, etc. This type of testing is especially relevant to client/server and distributed systems.
Measurements: A unified measurement system is pivotal in evaluating the controls. The measurement system should aggregate the health of the controls across each of the entities and processes. Under the COSO framework, the measurement system should provide a means to measure the status of control information across strategic, financial and compliance objectives. It should also identify laggards within the organization so that changes can be made for process optimization. The financial dashboards that management reviews should show the overall maturity of the organization's corporate governance and should allow drilling down to individual processes and systems. Technology again plays a key role in this area: the measurement system for internal controls should integrate seamlessly with corporate performance management tools, scorecard systems and other analytical applications.
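As an added example, not code from Rapid Stability Incorporated or from any financial system vendor, the following Python script illustrates the Monitoring and Measurements paragraphs above on a constructed event feed: an external monitor reads transaction-level events from a financial system, applies two example entity-level controls (segregation of duties between creating and approving a journal entry, and mandatory approval above a threshold), flags a data-integrity gap where an approval refers to an entry that was never created, and aggregates the result into a control-health figure of the kind a management dashboard would roll up. The JSON field names, the control identifiers SOD-01, APR-01 and INT-01, and the 10,000 approval threshold are assumptions for illustration, not a real vendor schema.

```python
"""Added example (not from the original page): an external control monitor
over a financial system's event feed.

Assumptions, for illustration only: the feed is JSON Lines with the fields
entry_id, action, user, amount and ts; the control identifiers and the
10,000 approval threshold are invented.
"""
import json
from dataclasses import dataclass
from datetime import datetime
from decimal import Decimal


@dataclass(frozen=True)
class JournalEvent:
    entry_id: str
    action: str        # "create" or "approve"
    user: str
    amount: Decimal    # entry amount, carried on both event types
    ts: datetime


@dataclass(frozen=True)
class Violation:
    control: str       # assumed control identifier
    entry_id: str
    detail: str


# Constructed sample feed standing in for what a vendor API or connector
# would deliver. JE-1002, JE-1003 and JE-1004 are crafted to trip one control each.
SAMPLE_FEED = """\
{"entry_id": "JE-1001", "action": "create",  "user": "alice", "amount": "5000.00",  "ts": "2024-03-01T09:00:00"}
{"entry_id": "JE-1001", "action": "approve", "user": "bob",   "amount": "5000.00",  "ts": "2024-03-01T10:00:00"}
{"entry_id": "JE-1002", "action": "create",  "user": "carol", "amount": "25000.00", "ts": "2024-03-01T11:00:00"}
{"entry_id": "JE-1002", "action": "approve", "user": "carol", "amount": "25000.00", "ts": "2024-03-01T11:05:00"}
{"entry_id": "JE-1003", "action": "create",  "user": "dave",  "amount": "50000.00", "ts": "2024-03-02T08:30:00"}
{"entry_id": "JE-1004", "action": "approve", "user": "erin",  "amount": "800.00",   "ts": "2024-03-02T09:00:00"}
"""


def parse_feed(text):
    """Parse the JSON Lines feed; amounts are kept as Decimal, never float."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append(JournalEvent(
            entry_id=rec["entry_id"],
            action=rec["action"],
            user=rec["user"],
            amount=Decimal(rec["amount"]),
            ts=datetime.fromisoformat(rec["ts"]),
        ))
    return events


def check_controls(events, approval_threshold=Decimal("10000")):
    """Evaluate three example controls over the event stream.

    SOD-01: the user who creates an entry must not be the one who approves it.
    APR-01: an entry at or above approval_threshold must carry an approval.
    INT-01: an approval must refer to an entry whose create event was seen;
            otherwise the feed or the source system has a data-integrity gap.
    """
    creators = {}    # entry_id -> creating user
    amounts = {}     # entry_id -> Decimal amount
    approvers = {}   # entry_id -> set of approving users
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.action == "create":
            creators[e.entry_id] = e.user
            amounts[e.entry_id] = e.amount
        elif e.action == "approve":
            approvers.setdefault(e.entry_id, set()).add(e.user)

    violations = []
    for entry_id, creator in creators.items():
        if creator in approvers.get(entry_id, set()):
            violations.append(Violation("SOD-01", entry_id,
                              f"{creator} both created and approved the entry"))
        if amounts[entry_id] >= approval_threshold and entry_id not in approvers:
            violations.append(Violation("APR-01", entry_id,
                              f"amount {amounts[entry_id]} has no approval"))
    for entry_id in sorted(approvers.keys() - creators.keys()):
        violations.append(Violation("INT-01", entry_id,
                          "approval recorded for an entry with no create event"))
    return violations


def control_health(events, approval_threshold=Decimal("10000")):
    """Share of created entries with no control violation: the aggregate a
    dashboard would roll up per process before drilling down to entries."""
    entries = {e.entry_id for e in events if e.action == "create"}
    if not entries:
        return 1.0
    failing = {v.entry_id for v in check_controls(events, approval_threshold)
               if v.entry_id in entries}
    return 1.0 - len(failing) / len(entries)


if __name__ == "__main__":
    evs = parse_feed(SAMPLE_FEED)
    for v in check_controls(evs):
        print(f"{v.control} {v.entry_id}: {v.detail}")
    print(f"control health: {control_health(evs):.0%}")
```

The monitor is deliberately separate from the system that emits the events: it re-derives who created and who approved each entry from the raw event stream rather than trusting a status flag set by the financial application, which is what makes it an independent check on the embedded controls. Ordering by timestamp matters because events from a connector or API may arrive out of order.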
Communication: Allowing constant communication among the various entities involved in the compliance activity is a key part of the overall compliance system. Corporate email systems, alerts with web URLs and escalation processes are some of the technologies used in implementing the communication requirements.
Reporting: Many enterprises today have standardized on reporting and Business Intelligence systems to centralize report generation and dissemination. The reports generated from internal controls and assurances applications should seamlessly integrate with these reporting standards.