Sarbanes-Oxley Act of 2002 and Technology Advances
Technology is advancing at a rapid pace, resulting in both challenges and opportunities for Sarbanes-Oxley (SOX) compliance. One of the key areas is management’s assessment of internal controls under the SOX Section 404 requirements. This article discusses those challenges and opportunities and defines some best practices for turning challenges into opportunities.
Challenges and Opportunities
Managed properly, technological challenges become opportunities to mitigate risks and build a stronger system of internal controls. A few examples include:
- Cloud Services: Moving to the cloud can increase data security and cybersecurity risks, or it can improve an organization’s security posture and reduce its risk.
- Automated Processing of Financial Information: The sheer volume of data generated from today’s automated systems increases the complexity of the financial reporting process, but it can also provide automation opportunities to strengthen one’s SOX 404 compliance.
Technology SOX 404 Best Practices
Vendor Management
When relying upon third-party vendors, especially those providing cloud services or other technologies, it is important to perform due diligence. Strategic use of third-party vendors can improve one’s system of internal controls, provided the proper due diligence is performed. Here are some risk areas that should be reviewed prior to contracting with a third-party vendor and at least annually thereafter.
- Financial Stability: Have financial professionals review financial information and credit ratings.
- Reputation, Experience, and Operational Viability: Assess reputation, market position, references, and ability to deliver services.
- Compliance: Assess all areas where an organization requires compliance and verify the vendor will provide the necessary independent assessments. For SOX compliance, if the vendor is processing data that will impact the financial statements or the security posture of the organization, look for the following:
- SOC 1 Type II report covering the design and operating effectiveness of the service organization’s controls. This report includes controls selected by the service organization’s management and limits its scope to selected business functions, services, processes, and/or systems. Verify that the vendor will provide a Type II report that covers the organization’s financial period and is delivered in time to meet the SOX due dates. A Type II report is needed because a Type I report does not test the operating effectiveness of the controls. Review the report to verify that its scope includes the controls necessary for the financial data the vendor provides. Assess the complementary user entity controls to verify that the organization can implement, or has implemented, the controls the third-party vendor relies upon. Review the security controls to verify that they are sufficient to support the organization’s required security posture.
- SOC 2 Type II report based upon the trust services criteria. There are five trust services: security, availability, confidentiality, processing integrity, and privacy. Security is the only trust service that is required to be included in the SOC 2 report. Generally, a SOC 1 report includes sufficient security controls for SOX compliance.
- Cybersecurity: The Securities and Exchange Commission (SEC) cyber disclosure rule requires financial statement disclosures that describe how the organization manages cyber risk. Cybersecurity risk extends to third-party vendors and needs to be part of both the initial due diligence and the ongoing assessment of those vendors. Keep watch for an upcoming article on third-party cyber risks.
Continuous Monitoring
Assess opportunities to automate controls and perform data analytics on key information being fed into the financials. Set alerts for items that fall outside expected boundaries. Connect with the risk committee and assess risks that may impact the organization’s financial statements, including cybersecurity risks. Update policies and controls to address these emerging threats and technology changes.
Training and Awareness
Keep operational, financial, compliance, and IT staff updated on threats, recent technologies, and their implications for SOX compliance.
Regular Audits
Conduct frequent audits, both operational and financial. Assess the effectiveness of controls and opportunities to automate them in order to adapt to technological changes. Keep watch for an upcoming article on operational auditing.
The above are only a few examples of why SOX compliance is an ongoing effort. Maintaining an efficient system of SOX internal controls includes keeping abreast of organizational and technological changes.
To learn more about McKonly & Asbury’s SOX services, contact Elaine Nissley, Director, or Victor Kong, Senior Manager, who have been providing SOX 404 services for over twenty years. We would love to discuss how we can assist you with your SOX challenges.
About the Author
Elaine is a Director with McKonly & Asbury. Her primary responsibilities include management of the Internal Audit Services group. Elaine handles client relationships and is accountable for the delivery of high quality and timely d…