An Automated Approach To SOX TestingPublished April 10, 2018 by Karen Walsh • 4 min read
The Sarbanes-Oxley Act of 2002 implements regulations on publicly traded companies. In 2002, the United States Congress passed the Sarbanes-Oxley Act (SOX) after a series of public scandals by large corporations such as Enron Corporation, Tyco International PLC, and WorldCom that led to a stock market plummet only a few months before the 2002 elections. The legislation intended to quell public fears of corporate misconduct and to require greater accountability by management and Boards of Directors for financial reporting. However, Sarbanes-Oxley turned into a larger and more complex piece of legislation than initially planned due to the integration technology in creating financial statements.
What is SOX Compliance Testing?
Sarbanes-Oxley compliance requirements fall into several different areas. Within the discussions of corporate responsibility and governance, some information security issues exist. Despite feeling overwhelmed by SOX compliance, organizations using automation can focus best on what pertains to them. Thus, SOX testing should center on those areas most important to your organization.
What is the PCAOB?
SOX established the Public Company Accounting Oversight Board (PCAOB) and imposed restrictions on public accounting firm auditors including independence standards. Since SOX views IT controls as the foundation for financial reporting controls, the auditing standards incorporate IT assessments as part of the regulatory requirement.
The PCAOB standards, however, offer little to help individual IT practitioners. The audit requirements specifically note the importance of using a risk-based, individualized approach to establishing controls. Therefore, unlike ISO 29001 or PCI DSS, SOX controls remain primarily individualized.
What benefits does COSO provide?
In the Committee of Sponsoring Organizations of the Treadway Commission (COSO) established the COSO framework to address areas of compliance such as information security controls, control environment, risk assessment control activities, information and communication and monitoring. In 2017, COSO updated its enterprise risk management (ERM) framework to address changes in the risk environment. The COSO update intended to helps align performance strategies to risk modeling. Since COSO and its framework act as the lynchpin for any SOX compliance program, reviewing the COSO Framework’s suggestions provide insight into compliance steps.
How do organizations establish internal controls?
The first step to appropriate SOX scoping involves performing a risk assessment focused on the organization’s ITGC. To appropriately assess risk, organizations must start by determining the purpose of the assessment. Each control should be evaluated based on confidentiality, integrity, and/or availability then defined with the risk criteria/parameters.
Establishing an internal control means reviewing an organization’s landscape. Not all areas need to be SOX compliant, thus focusing on areas of highest risk ease the burden of creating a program. Organizations, therefore, must find those areas within their IT landscape with the most significant threat and develop individualized controls to mitigate the risk involved.
How organizations engage in meaningful control objectives
Control owners must incorporate control awareness to understand not only how the controls work but why they matter and where they fit into the big picture. Thus, auditors want executives to recognize that the SOX assessment matters to the organization’s financial success otherwise the internal controls lose value.
Documentation, therefore, becomes essential. The executive suite must be able to articulate their decisions for acceptance, transference, mitigation, or denial of risk. They cannot explain their reasons for control choice if they do not understand its impact on their financial and reputation risk.
Why SOX compliance testing matters
Identifying risks and establishing controls under Section 404 only begins the long process of compliance. Effectiveness requires gathering evidence that controls work. Although the material misstatements may concern CEOs, CISOs and ISOs worry more about control failures.
Control failures that risk misstatements in financial reports should be those tested most strenuously. These controls, therefore, require more testing and more documentation. For example, access control failures make organizations vulnerable to misstatements in financial reports. Thus, they need more testing.
Continuously reviewing access controls becomes more overwhelming as organizations scale. A manageable review for 100 employees becomes more burdensome at 1000 employees. Therefore, automated role-based access controls provide companies a semblance of assurance that individuals will have the least amount of access needed to do their jobs. However, a single access control may not mitigate risk for sensitive data. Therefore, incorporating additional data access controls such as multifactor authentication may be necessary. While the SEC does not require automation, removing manual processes also acts as a control alleviating human error.
These controls and control testing require documentation that internal stakeholders must share across the organization.
How automating SOX testing documentation streamlines audits
Audits require a constant flow of information and documentation between internal and external stakeholders. ZenGRC’s SaaS platform provides organizations with multiple tools to enable efficient SOX audit tracking.
Internally, the ZenGRC platform allows organizations to map controls across frameworks to maintain consistency. For example, HIPAA compliance and SOX compliance both require user-access controls. However, while SOX controls focus on financial reporting, HIPAA focuses on privacy. Therefore, when a HIPAA compliant organization needs to become SOX compliant, the company needs to evaluate any control gaps. ZenGRC’s ability to map controls across multiple frameworks, regulations, and standards provides insight for organizations who want to implement additional compliance requirements.
Meanwhile, external auditors require proof that an organization has tested controls while compiling documentation in an easy-to-access single location. ZenGRC provides a single source of truth enabling streamlined audit information gathering. Rather than reaching out to multiple stakeholders who access information based on their roles, organizations using ZenGRC’s role-based authorization platform allows workforce members access to information they need to do their jobs. These authorizations enable compliance managers access to the IT department’s documentation but limit their ability to make changes. Not only does this maintain the data’s integrity, but it eases cross-departmental communication and saves time.
Finally, the ZenGRC risk heat maps provide easy-to-digest risk analyses that allow the Board of Directors to meet their oversight requirements. When the Board of Directors can articulate their decisions, they can prove to auditors and regulators that they have met their due diligence requirements.
Automating SOX control testing means more than automating the controls, it means automating the documentation that proves the controls work.
For more information about how ZenGRC enables agile compliance, schedule a demo.