Friday, June 6, 2008

The Challenges of a SOX Implementation

Earlier this decade a series of financial reporting irregularities caused major upheavals in the corporate world. Some organizations collapsed while others had to realign. What came out of those irregularities was legislation passed by the US Congress, sponsored by Senator Paul Sarbanes and Representative Michael Oxley and known as the Sarbanes-Oxley Act, or SOX. What it essentially requires is that any company listed on a US stock exchange submit to an audit, with the company's management and its external auditors independently attesting that the company has sufficient internal control over financial reporting. This means that the processes, procedures and systems in place must prevent unauthorized tampering, intentional or unintentional, with any financial data used for reporting. In practice this pushes organizations to replace manual processes with automated ones, and to build enough security and controls into those systems that their use can be independently audited. The two main aspects are Change Management and Access Control.

Any change to any system, whether a new deployment or an enhancement or maintenance of an existing system, has to be authorized and has to follow the change management procedure laid down in the company's change management policy. This ensures that every change is authorized, managed and tracked to completion, and that there is a record showing who requested, approved and made it.

Access control should ensure that only authorized personnel have access to systems that are critical to the functioning of the business and that have a direct impact on financial reporting. There should be a documented access control policy, implemented across the organization without exception.

Information security is of paramount importance: no financial data should be open to tampering. All access to data should be controlled, critical data should be properly backed up and archived, and all business-critical systems should be secured against unauthorized access.

A critical part of SOX is the periodic internal audits and reviews of the critical operations and systems that directly impact financial reporting. These audits and reviews should detect unauthorized or suspicious activity, errors, and other attempts to compromise system security, and immediate remedial action needs to be taken. The findings of each review, as well as the action taken, should be documented.

Reviews and documentation play a vital role in a SOX compliance initiative. If there are no reviews, or no documentation supporting any of the required activities, that is treated as a compliance violation: from the auditor's point of view, a control that is not documented was not performed. It is absolutely essential that periodic reviews of logs, user activity and system activity are carried out, and that the findings as well as the action taken are documented for submission to the auditors.

Policies and procedures need to be documented and implemented as documented. Any deviation from them, and any exception granted, needs to be documented and authorized by the proper authorities.

The biggest challenge of implementing SOX in any organization is not setting up or documenting the processes and procedures. It is not setting up and implementing the systems themselves, or the access control and change management processes around them. The greatest challenge in implementing the Section 404 requirements is simply this: getting the policies and procedures adopted throughout the organization and ensuring that they are followed on an ongoing basis. Getting people to follow the policies and procedures, to use the systems as they are meant to be used, and to move away from manual procedures and the old way of doing things is the real challenge. This needs top management involvement. There has to be a clear top management initiative driving it down through the organization. Unless that happens, the policies, procedures and system deployments will not necessarily comply with the SOX 404 requirements.