All you need to know in 10 simple steps
When implementing Internal Controls as part of SOX compliance readiness, taking risk with ITGC just isn’t something companies can afford to gamble on. That’s why we created this ITGC guide for SOX compliance.
We’ll explore step-by-step how compliance stakeholders of newly-listed companies can become the SOX leaders advocating for continual ITGC monitoring. If you’re new in your compliance role, or have just joined a newly-listed company, it’s natural to have unanswered questions about ITGC. In 2021 alone, there were almost 1000 newly-listed public companies facing critical ITGC and SOX compliance obligations. Add to that company mergers that also result in SOX compliance needs and it’s clear that defining and continually monitoring ITGC is a common challenge in many industries. Let’s dive right into it.
1. Do you really need ITGC?
Even if your company is not public yet, keeping internal controls in place is very important for the organization’s safety and performance. Moreover, the transition towards ITGC readiness will be much smoother when the day comes. These are the situations in which ITGC requirements will apply:
Mergers: When one of the merging companies becomes public.
Newly-listed companies: When a company goes public for the first time.
Special-purpose acquisition companies (SPAC): When an acquired company becomes public.
Each case and scenario can present different reporting rules covering which ITGC reports will need to be presented, by whom and when. Be explicitly clear on which reporting rules apply to your circumstances. For a detailed understanding of your ITGC obligations, you can consult an external auditor, a lawyer, or you can consult with AudITech.
2. Understand whether you need an internal opinion only, or both external and internal opinions
Once you’ve established that you need ITGC, the first thing to do is to find out what regulatory requirements your formal, final ITGC opinions must meet. For example, your final ITGC opinion may need to come from your senior management only, or a combination of your senior management and an external auditor.
The purpose of these formal opinions is to align internally and externally on the health and status of your ITGC environment. Since you have not yet implemented robust ITGC at this stage, it is likely that the two opinions will converge on a verdict that your ITGC have either low weakness or severe weakness. The amount of time you will need in order to implement successful, ongoing ITGC and to monitor them will depend on the outcome of your ITGC opinion gathering.
There are circumstances in which your company may be exempt from obtaining an external auditor’s opinion on the health status of your ITGC environment. These exemptions do not mean you won’t need to be ITGC compliant; they simply mean you may not be obliged to obtain an auditor’s opinion. If you’re unsure, check with AudITech. We’ll tell you everything you need to know about your ITGC and ITGC opinion obligations.
3. Onboard the CIO
Ok, now that you understand that you need ITGC in place and which opinions you need to gather, it’s time for ACTION. Before rolling out your ITGC action strategy, you’ll need to build strong allegiance with the right stakeholders. This starts with your CIO.
For an effective ITGC and SOX compliance strategy to integrate into daily business operations, your CIO must be onboarded into the strategy, to become your co-advocate.
Build trust with your CIO: If you’re in a new role, or you’re not close to your CIO, take the time to break the ice. You need to get a trusted buy-in for this to work, so don’t just burst into their office with ITGC demands.
Educate your CIO on ITGC: If they’re unfamiliar with ITGC, tactfully share the right information. Educate them about the lasting organizational benefits, plus the compliance benefit to their role of making strong Internal Controls part of compliance culture and best practice.
Give your CIO confidence: Show them that you understand the ITGC gaps in the organization, that you know how to fix them and that you know which tasks must be administered to which people.
4. Build your ITGC strategy A-team
Ok. Now that you’ve gained your CIO’s trust and understanding, it’s time to collaborate on building your ITGC A-team.
Your ITGC A-team could include:
- An IT department project manager
- IT Controls Owners with a heavy burden of controls
- IT security personnel
- Your Chief Information and Security Officer (CISO)
- Any other stakeholder of IT governance in the organization
To choose your ITGC and Internal Controls superstars, it helps to first define what each member’s ITGC superpowers should be, then you can decide which remits can best meet each need. To do this, you should follow these steps:
Define ITGC goals: and don’t just make it about ‘SOX compliance’. Make it about the benefit to data integrity and overall organizational performance.
Define ITGC actions that will fulfill each goal: and make sure the actions you define are sufficient to carry your ITGC goals forward continuously.
Define who needs to be responsible for each action: It could be your IT team, it could be your CIO, it could be your finance team, or it could be you—the CFO or Compliance Officer. Remember—building your ITGC and SOX compliance A-team is about fundamental change to certain roles and remits. Each new ITGC task delegated should become a continual part of a yearly ITGC process—not as part of a single project—so your ITGC strategy stakeholders must embrace this reality. Your IT team is crucial in facilitating system access and helping you perform IT audits.
Once you’ve mapped out your ITGC A-team, it’s time to connect them to the new, emerging ITGC strategy mindset, workflows and responsibilities. We highly recommend personalizing your rapport with them, while emphasizing the unique value they can bring to ITGC implementation and monitoring. It’s incredibly important that you take the time and care to do this well. The long-term results of your ITGC strategy will depend on it. If you fail to build the right relationships, educate the right people on ITGC and achieve committed stakeholder adoption, then ITGC will become neglected. You’ll regress back to square one.
Gain their trust: Just as you did with your CIO, gain their trust first. Don’t do this by email. Meet with them at a time of their choosing. This doesn’t need to be first thing on a Monday morning, or in a formal presentation. Perhaps over a working lunch when the atmosphere may be more relaxed and less formal.
Empower and educate them: Work collaboratively on helping them fully understand the importance, to the organization’s overall success, of integrating new ITGC responsibilities into their daily work.
Emphasise the personal value they’ll gain: Help them understand how adopting new ITGC-related responsibilities into their work can help raise their profile within the company, gain senior stakeholder trust and develop their career skill set.
Great. If you’ve built the right ITGC strategy allegiances well, you’ll be in a strong position to start actually implementing your ITGC strategy.
5. Roll Out Your New ITGC Strategy
Ok, ITGC advocacy over. If you advocate well, your ITGC strategy stakeholders should be onboarded, briefed, aligned and motivated. Now it’s time to get practical and understand the business processes and the associated IT systems. In order to help your newly-formed team of ITGC advocates and implementers succeed, you’ll need to have a firm grasp of how business processes are designed and how they combine with the IT environment. You may have internal documentation available on this, or you may have to coordinate with key stakeholders that can share granular details. The key theme is to be exhaustive in mapping business processes to associated IT assets.
6. Identify IT Systems’ Control Owners
Once you’ve mapped business process design and associated IT systems, you’ll need to discover who the Control Owners are for each IT asset and arrange to meet with them collectively.
Gain their trust and collaboration: It’s hard to overstate the importance of identifying and working closely with Control Owners. They are your ITGC front line. Without their collaboration, there is no ITGC.
Sell the value of ITGC to Control Owners: The best way to gain trust and collaboration from Control Owners in your organization is to help them understand the business value and personal value of ITGC—just as you did with your CIO.
7. Train Each Control Owner on New ITGC Controls Obligations
Following your personal meetings with IT-system Control Owners, you’ll need to arrange to meet with each of them for a full ITGC training. Each Control Owner must be crystal clear on:
- The definition and control process for new ITGC that they must learn
- How the internal IT audit process works
- How ITGC are tested
- How to document ITGC
Don’t make your Control Owner ITGC training a one-way monologue of ITGC diktats. Make it interactive. Use it as an opportunity to learn what each Control Owner actually does. The last thing you want is for ITGC to be treated as unimportant or optional by Control Owners. Unless ITGC training is delivered thoroughly, with a shared vision of their paramount importance, Control Owners will lapse into poor ITGC habits.
8. Meet the External Auditor
Meeting your external auditor is the final step before gaining your ITGC and, eventually, SOX compliance certification. When you meet your external auditor, your ultimate goal is to leave them with the impression that your company is 100% ready for SOX compliance, with strong, continual ITGC firmly in place. Show your external auditor every step of your ITGC strategy design and implementation. To gain your external auditor’s trust, you’ll need to forensically present every stage of your ITGC implementation strategy.
Present everything—all the steps you’ve taken, your ITGC stakeholder team, processes, ITGC controls design, monitoring metrics—and tell them your CIO, IT team and SOX compliance manager are all included in your ITGC A-team. Providing your external auditor with confidence will shape his/her professional opinion. When the time comes, his/her opinion on your ITGC will be more assured and more valuable.
9. Keep Up Continuous Monitoring
The guidelines detailed here should be continually deployed in your organization. They also need to be continually maintained by the various ITGC stakeholders identified as responsible for new ITGC best practices long-term. You need to picture this as an ongoing strategy.
10. Bonus Step – Automate Your ITGC
Congratulations, you’ve completed your journey along the long, winding road to designing and establishing ITGC. However, there must be an easier way. Why not bypass complex IT interventions? Ask us for a demo or discover how to implement ITGC the simple way.
Traditional ITGC strategy involving heavy IT interventions can cause delays and loss of business continuity. Why not automate ITGC with AudITech? This way, your IT team doesn’t have to get involved. You’ll perform IT audits flawlessly and independently from your browser.
Let’s get IT audits done simply, so that you can spend more time getting things done.