
IT controls and the Sarbanes-Oxley Act SOX [1]


SOX requires the chief executive and chief financial officers of public companies to attest to the accuracy of financial reports (Section 302) and requires public companies to establish adequate internal controls over financial reporting (Section 404). Passage of SOX resulted in an increased focus on IT controls, as these support financial processing and therefore fall into the scope of management's assessment of internal control under Section 404 of SOX.

The COBIT framework [2] may be used to assist with SOX compliance, although COBIT is considerably wider in scope. The 2007 SOX guidance from the PCAOB [3] and SEC [4] state that IT controls should only be part of the SOX 404 assessment to the extent that specific financial risks are addressed, which significantly reduces the scope of IT controls required in the assessment. This scoping decision is part of the entity's SOX 404 top-down risk assessment. In addition, Statements on Auditing Standards No. 109 (SAS109) [5] discusses the IT risks and control objectives pertinent to a financial audit and is referenced by the SOX guidance.

IT controls that typically fall under the scope of a SOX 404 assessment may include:

  • Specific application (transaction processing) control procedures that directly mitigate identified financial reporting risks. There are typically a few such controls within major applications in each financial process, such as accounts payable, payroll, general ledger, etc. The focus is on "key" controls (those that specifically address risks), not on the entire application;
  • IT general controls that support the assertions that programs function as intended and that key financial reports are reliable, primarily change control and security controls;
  • IT operations controls, which ensure that problems with processing are identified and corrected.

Specific activities that may occur to support the assessment of the key controls above include:

  • Understanding the organization's internal control program and its financial reporting processes;
  • Identifying the IT systems involved in the initiation, authorization, processing, summarization and reporting of financial data;
  • Identifying the key controls that address specific financial risks;
  • Designing and implementing controls designed to mitigate the identified risks and monitoring them for continued effectiveness;
  • Documenting and testing IT controls;
  • Ensuring that IT controls are updated and changed, as necessary, to correspond with changes in internal control or financial reporting processes; and
  • Monitoring IT controls for effective operation over time.

To comply with Sarbanes-Oxley, organizations must understand how the financial reporting process works and must be able to identify the areas where technology plays a critical part. In considering which controls to include in the program, organizations should recognize that IT controls can have a direct or indirect impact on the financial reporting process. For instance, IT application controls that ensure completeness of transactions can be directly related to financial assertions. Access controls, on the other hand, which exist within these applications or within their supporting systems (databases, networks and operating systems), are equally important but do not directly align to a financial assertion. Application controls are generally aligned with a business process that gives rise to financial reports. While there are many IT systems operating within an organization, Sarbanes-Oxley compliance only focuses on those that are associated with a significant account or related business process and mitigate specific material financial risks. This focus on risk enabled management to significantly reduce the scope of IT general control testing in 2007 relative to prior years.

Section 302, Corporate Responsibility for Financial Reports: certifies that financial statement accuracy and operational activities have been documented and provided to the CEO and CFO for certification.

Section 404, Management Assessment of Internal Controls: operational processes are documented and practiced, demonstrating the origins of data within the balance sheet. SOX Section 404 (Sarbanes-Oxley Act Section 404) mandates that all publicly traded companies must establish internal controls and procedures for financial reporting and must document, test and maintain those controls and procedures to ensure their effectiveness.

Section 409, Real-time Issuer Disclosures: public companies must disclose changes in their financial condition or operations in real time to protect investors from delayed reporting of material events.

Section 802, Criminal Penalties for Altering Documents: requires public companies and their public accounting firms to retain records, including electronic records that impact the company's assets or performance. Fines and imprisonment apply to those who knowingly and willfully violate this section with respect to (1) destruction, alteration, or falsification of records in federal investigations and bankruptcy and (2) destruction of corporate audit records.

Real-time disclosure

Section 409 requires public companies to disclose information about material changes in their financial condition or operations on a rapid basis. Companies need to determine whether their existing financial systems, such as enterprise resource management applications are capable of providing data in real time, or if the organization will need to add such capabilities or use specialty software to access the data. Companies must also account for changes that occur externally, such as changes by customers or business partners that could materially impact its own financial positioning (e.g. key customer/supplier bankruptcy and default).

To comply with Section 409, organizations should assess their technological capabilities in the following categories:

  • Availability of internal and external portals - Portals help route and identify reporting issues and requirements to investors and other relevant parties. These capabilities address the need for rapid disclosure.
  • Breadth and adequacy of financial triggers and alerts - The organization sets the trip wires that will kick off a Section 409 disclosure event.
  • Adequacy of document repositories - Repositories play a critical role in event monitoring to assess disclosure needs and provide a mechanism to audit disclosure adequacy.
  • Capacity to be an early adopter of eXtensible Business Reporting Language (XBRL) [6] - XBRL will be a key tool to integrate and interface transactional systems, reporting and analytical tools, portals and repositories.

Section 802 & Records retention

Section 802 of Sarbanes-Oxley requires public companies and their public accounting firms to maintain all audit or review work papers for a period of five years from the end of the fiscal period in which the audit or review was concluded. This includes electronic records which are created, sent, or received in connection with an audit or review. As external auditors rely to a certain extent on the work of internal audit, it would imply that internal audit records must also comply with Section 802.

In conjunction with document retention, another issue is that of the security of storage media and how well electronic documents are protected for both current and future use. The five-year record retention requirement means that current technology must be able to support what was stored five years ago. Due to rapid changes in technology, some of today’s media might be outdated in the next three or five years. Audit data retained today may not be retrievable not because of data degradation, but because of obsolete equipment and storage media.

Section 802 expects organizations to respond to questions on the management of SOX content. IT-related issues include policy and standards on record retention, protection and destruction, online storage, audit trails, integration with an enterprise repository, market technology, SOX software and more. In addition, organizations should be prepared to defend the quality of their records management (RM) program: the comprehensiveness of RM (i.e. paper, electronic and transactional communications, which include emails, instant messages and spreadsheets used to analyze financial results), the adequacy of the retention life cycle, the immutability of RM practices, audit trails, and the accessibility and control of RM content.

End-user application / Spreadsheet controls

PC-based spreadsheets or databases are often used to provide critical data or calculations related to financial risk areas within the scope of a SOX 404 assessment. Financial spreadsheets are often categorized as end-user computing (EUC) tools that have historically lacked traditional IT controls. They can support complex calculations and provide significant flexibility. However, with flexibility and power comes the risk of errors, an increased potential for fraud, and misuse of critical spreadsheets that do not follow a software development lifecycle (e.g. design, develop, test, validate, deploy). To remediate and control spreadsheets, public organizations may implement controls such as:

  • Inventory and risk-rank spreadsheets that are related to critical financial risks identified as in-scope for SOX 404 assessment. These typically relate to the key estimates and judgments of the enterprise, where sophisticated calculations and assumptions are involved. Spreadsheets used merely to download and upload are less of a concern.
  • Perform a risk based analysis to identify spreadsheet logic errors. Automated tools exist for this purpose.
  • Ensure the spreadsheet calculations are functioning as intended (i.e., "baseline" them).
  • Ensure changes to key calculations are properly approved.

Control over spreadsheets is a shared responsibility between business users and IT. The IT organization is typically concerned with providing a secure shared drive for storage of the spreadsheets and with data backup. The business personnel are responsible for the remainder.
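As an added example (not part of the original article or any project it cites), the following Python script shows one way to implement the "baseline" and change-approval controls listed above: it pulls the formula text out of an .xlsx workbook's sheet XML, records a SHA-256 baseline per formula cell, and on a later review flags every formula that differs from the baseline and is not covered by an approved-change record. The workbook fixture, its cell contents and the approval list are constructed for the example; the script reads the raw sheet XML with the standard library only, so a minimal zip holding xl/worksheets/sheet1.xml stands in for a real workbook.

```python
import hashlib
import io
import json
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespace used by SpreadsheetML sheet parts inside an .xlsx container.
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def build_fixture_xlsx(cells: dict) -> bytes:
    """Constructed test fixture: a minimal xlsx-style zip with one sheet part.
    cells maps a cell reference (e.g. "B2") to (formula_or_None, cached_value)."""
    rows = {}
    for ref, (formula, value) in cells.items():
        row_num = "".join(ch for ch in ref if ch.isdigit())
        rows.setdefault(row_num, []).append((ref, formula, value))
    parts = ['<worksheet xmlns="%s"><sheetData>' % NS["m"]]
    for row_num, entries in sorted(rows.items(), key=lambda kv: int(kv[0])):
        parts.append('<row r="%s">' % row_num)
        for ref, formula, value in entries:
            parts.append('<c r="%s">' % ref)
            if formula is not None:
                parts.append("<f>%s</f>" % escape(formula))
            parts.append("<v>%s</v></c>" % escape(str(value)))
        parts.append("</row>")
    parts.append("</sheetData></worksheet>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/worksheets/sheet1.xml", "".join(parts))
    return buf.getvalue()


def extract_formulas(xlsx_bytes: bytes) -> dict:
    """Return {"sheetN!CELL": formula_text} for every formula cell in the workbook.
    Only the raw sheet XML is read, so no spreadsheet library is required."""
    formulas = {}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if not (name.startswith("xl/worksheets/") and name.endswith(".xml")):
                continue
            sheet = name.rsplit("/", 1)[1][:-4]
            root = ET.fromstring(zf.read(name))
            for cell in root.iterfind(".//m:c", NS):
                f = cell.find("m:f", NS)
                if f is not None and f.text:
                    formulas["%s!%s" % (sheet, cell.get("r"))] = f.text.strip()
    return formulas


def make_baseline(formulas: dict) -> dict:
    """Baseline = SHA-256 per formula cell plus one digest over the whole set,
    so a reviewer can sign off on a single value for the workbook."""
    per_cell = {ref: hashlib.sha256(text.encode()).hexdigest()
                for ref, text in sorted(formulas.items())}
    manifest = json.dumps(per_cell, sort_keys=True).encode()
    return {"cells": per_cell, "digest": hashlib.sha256(manifest).hexdigest()}


def check_against_baseline(baseline: dict, formulas: dict, approved: dict) -> dict:
    """Compare current formulas with the baseline. 'approved' maps a cell ref to
    the SHA-256 of the formula text that a change approval authorised. Any cell
    that differs from the baseline without a matching approval is unapproved;
    a formula cell that disappeared is always reported."""
    current = make_baseline(formulas)["cells"]
    result = {"approved": [], "unapproved": [], "removed": []}
    for ref, digest in current.items():
        if digest == baseline["cells"].get(ref):
            continue
        (result["approved"] if approved.get(ref) == digest
         else result["unapproved"]).append(ref)
    result["removed"] = [ref for ref in baseline["cells"] if ref not in current]
    result["clean"] = not result["unapproved"] and not result["removed"]
    return result


# Constructed fixture: a small estimate workbook, then a later version with two edits.
ORIGINAL = build_fixture_xlsx({
    "A1": (None, 1000), "A2": (None, 250),
    "B1": ("A1*0.21", 210),        # tax estimate, rate 21%
    "B2": ("SUM(A1:A2)", 1250),    # total
})
MODIFIED = build_fixture_xlsx({
    "A1": (None, 1000), "A2": (None, 250),
    "B1": ("A1*0.19", 190),        # rate change that went through approval
    "B2": ("SUM(A1:A2)+500", 1750),  # hard-coded plug with no approval record
})

BASELINE = make_baseline(extract_formulas(ORIGINAL))
# Approval record: cell and the digest of the formula text that was approved.
APPROVED_CHANGES = {"sheet1!B1": hashlib.sha256(b"A1*0.19").hexdigest()}


def review_fixture() -> dict:
    """Run the periodic check of the modified workbook against its baseline."""
    return check_against_baseline(BASELINE, extract_formulas(MODIFIED), APPROVED_CHANGES)


if __name__ == "__main__":
    print(json.dumps(review_fixture(), indent=2))
```

Run as a script, the review reports sheet1!B1 as an approved change and sheet1!B2 as unapproved, which is the case a reviewer wants surfaced: the cached value in the cell changed along with the formula, so a glance at the numbers alone would not reveal that a constant had been added to the total. In practice the baseline digest and the approval records would be stored outside the shared drive that holds the spreadsheets, so that whoever can edit the workbook cannot also rewrite the baseline.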


[1] From Wikipedia Content available under the Creative Commons Attribution-ShareAlike License

[2] The Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management, created by ISACA and the IT Governance Institute (ITGI) in 1996. COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices, to assist them in maximizing the benefits derived through the use of information technology, and developing appropriate IT governance and control in a company.

[3] The PCAOB is a nonprofit corporation established by Congress to oversee the audits of public companies in order to protect the interests of investors and further the public interest in the preparation of informative, accurate and independent audit reports. The PCAOB also oversees the audits of broker-dealer compliance reports under federal securities laws.

[4] Securities and Exchange Commission.

[5] The requirements set forth in SAS 109 require auditors to gain a more thorough understanding of the client and its environment, internal control components, and other issues that may indicate risk of material misstatement.

[6] XBRL (eXtensible Business Reporting Language) is a freely available, market-driven, open, and global standard for exchanging business information. XBRL allows information modeling and the expression of semantic meaning commonly required in business reporting. XBRL is XML-based. It uses the XML syntax and related XML technologies such as XML Schema, XLink, XPath, and Namespaces to articulate this semantic meaning. One use of XBRL is to define and exchange financial information, such as a financial statement.