Executive Papers
Working Papers
Executive Journal > Corporate Governance > CIO and Sarbanes Oxley Compliance CIO and Sarbanes Oxley (SOX) Act Compliance Project Management Best Practices
Executive White Paper Med Jones, International Institute of Management
What is Sarbanes-Oxley (SOX)?
-
SOX act of 2002 is a
-
"Internal control" requirements are achieved by integrating, documenting and testing three main enterprise functional areas, these are Financial Reporting, IT Security and Business Process controls (as shown in the figure below).
What is COSO & COBIT?
-
The SOX act recommends the use of COSO (The Committee of Sponsoring Organizations of the Treadway Commission) as the framework for auditing financial systems.
-
The Committee of Sponsoring Organizations (COSO) was formed by several professional groups, including the Institute of Internal Auditors (IIA), Financial Executives Institute (FEI), American Institute of Certified Public Accountants (AICPA), American Accounting Association (AAA), and Institute of Management Accountants (IMA).
-
The COSO Report, as the framework became known, was the first-ever attempt in corporate America to establish a universal definition of internal control, along with proposed guidelines for governance, independence and quality assurance.
-
The Information Systems Audit and Control Association (ISACA) has prepared an industry accepted “mapping” of CoBIT (Control Objectives of Information and Its related Technology) to the COSO internal control model and the S-OX information system internal control requirements.
-
While CoBIT has a much broader scope in the audit process, INS core competencies align directly to the development of the support systems, processes, procedures, and controls identified under the GCCs (General Computing Controls.). The GCCs include controls for:
-
Software (Systems) Development Lifecycle (SDLC)
-
Change Management
-
Production Operations
-
Operations Security (Access and Vulnerability Management)
-
Systems Backup and Recovery
-
Specifically CoBIT focuses on the following internal control processes:
-
Acquiring or developing application system software
-
Acquiring technology infrastructure
-
Developing and maintaining policies and procedures
-
Installing and testing application software and technology infrastructure
-
Managing changes
-
Defining and managing service levels
-
Managing third-party services
-
Ensuring systems security
-
Managing the configuration
-
Managing problems and incidents
-
Managing data
-
Managing operations
What is SOX compliance project methodology and timeline?
SOX compliance is a program that includes multiple projects with typically 3 main players; an accounting audit firm, an IT security firm and the client’s business process management team.
Business Scope Identification, Project Plan and Client Training 2-3 Weeks
IT Scope Identification, Project Plan and Client Training 2-3 Weeks
Phase 2 Assessment
Enterprise Business Controls Gap assessment 6-8 weeks
Enterprise IT & Applications Controls Gap assessment 6-8 Weeks
Business Controls to IT Controls Mapping 2 to 4 weeks
Phase 3: Remediation
Business Process Remediation 2 to 4 weeks
IT Process Remediation 2 to 4 weeks
Phase 4: Internal Testing
Business Internal Testing 2 to 4 weeks
IT Internal Testing 2 to 4 weeks
Phase 5: Certification
SAS 70 Compliance 2 to 4 weeks
External Auditor Testing 2 to 4 weeks
Signoff and Certification 1-2 Weeks
What are the SOX compliance project deliverables?
SOX Project Deliverables
Phase 1 Discovery
Project Definition Document
Project Plan With Resources and Dates, Milestone
Executive and Managers Training Material
Business Compliance and Reporting Templates
IT Compliance Reporting Templates
Phase 2 Assessment
Business Transactions Control Process Flow Diagrams
List of mapping of all GL accounts to process flows
List of Business Controls & Risks for each business Cycle
IT Transactions/Process Flow Diagram
List of IT and Applications & Risks Controls
Mapping Biz and IT Controls ( in collaboration with business managers)
Phase 3: Remediation
Business Remediation Recommendation
IT and Applications Remediation Recommendation
Phase 3: Testing
Internal Testing Biz Controls Results
Internal Testing IT Controls Results
Internal Controls Best Practices
-
Establish an independent internal audit function (full-time) for both financial and non-financial areas (IT, operational and administrative controls and processes)
-
Internal Auditors to report directly to the audit committee of the board of directors, and administratively to executive management
-
Have board-approved charters for both their audit committees and internal audit departments
-
Involve your external audit firm at strategic points along the SOX project timeline to ensure that they could appropriately perform internal controls attestation work for the year-end audit.
-
Ensure continuous process improvement by performing enterprise/process-specific risk assessments/review once a year
-
Establish a project management function for the initial compliance project. The project manager's role is to help establish initial project scope, structure, time, resources quality standards and processes to meet minimum SOX compliance, which normally include documentation of each process or sub-process sufficient to support a walk-through from source transactions to the financial statements, along with the identification, documentation and testing of critical controls.
-
Identify significant processes and transactions outsourced to third parties. Determine their SAS 70 report will adequately support your organization’s SOX financial statement assertions. Get a review and opinion of your external audit firm for its review and opinion. Include that into the project scope, time and resources
-
Establish and continuously refine methodology of financial statement assertions, key control identification, documentation, testing and IT-based key controls.
-
Conduct internal audit test and report on the effectiveness of the existing control activities
-
Conduct management's review to correct deficiencies as noted
-
Educate the management team and work in partnership with them to develop and test the effectiveness of all pertinent policies and procedures, along with evaluating the efficiency and effectiveness of the overall control environment
-
Adopt COSO as the primary framework
Key Success Factors (KSF)
A successful program must be 4 dimensional
-
People (Organization, Roles, Skill-sets, Training)
-
Process (Business Operations; Engineering, Production, HR, IT, etc.)
-
Technology (Infrastructure, Applications, Tools)
-
Financial (Budget, TCO, ROI, Risk Management )
About the Author
Med Jones is the president of International Institute of Management. A management best practices education and consulting organization. IIM has 55 universities and research partners in 40 countries.
What are White Papers?
White papers provide businesses and government leaders with a list of questions, terminology and discussion points that can be used to address emerging challenges and opportunities. Unlike academic research papers, white papers are succinct work documents designed for problems solving and communication by the leadership team. Depending on the scope of the each paper, the document structure may include three to five sections: 1). A statement of the problem or opportunity 2). Analysis of root causes and underlying forces 3). Proposed solution and 4). A checklist of best practices for solution implementation and change management 5). Notes and resources.
Copyrights License
Royalty free License is granted for use or publishing for educational (not commercial) purposes provided the user/publisher include a clear reference to the author(s) and International Institute of Management, www.iim.education (please including the active hyperlink for electronic publishing). Licensing fee is required for consulting or commercial publishing
:::
Corrections and Updates
If we made an error in our papers or missed a reference to a major and direct contribution by earlier authors to the subject matter, please feel free to contact us with correction information and supporting evidence. Updates enrich our papers and ensure the integrity and accuracy of the shared knowledge. The updates and their dates will be listed in this section.
