As part of your overall corporate governance and SOX compliance objectives, designing, implementing and monitoring robust IT General Controls (ITGC) are key factors.
Once your ITGC standards have been comprehensively implemented, your internal audit serves as a measure of their effectiveness for ensuring the integrity of your financial and accounting information.
What We’ll Cover In This Guide to IT General Controls for SOX Compliance
In this 7-minute guide to ITGC for SOX compliance you’ll learn the process for creating robust ITGC standards that external auditors will smile about.
Here’s what we’ll cover:
- Who is legally responsible for ITGC?
- ITGC for SOX compliance checklist
ITGC GUIDE:
- Establishing your controls environment
- Conducting an ITGC risk assessment
- Implementing controls activities
- Implementing information & communications systems
- Monitoring your ITGC
BONUS STEP: Automating IT General Controls monitoring
Who Is Legally Responsible for IT General Controls?
Because SOX compliance requirements are ultimately assessed by external auditors, it’s easy for organizations to slip into a mode of complacent thinking that assumes ITGC are the responsibility of auditors and accountants.
The first step to establishing ITGC is to avoid such assumptions. The Sarbanes-Oxley Act of 2002 (SOX Act), designed to protect investors from fraudulent financial reporting by companies, places responsibility for ITGC squarely on senior management.
As such, it’s vital that newly-listed companies (or companies made public through merger or SPAC acquisitions) empower senior managers at all levels to integrate standards of ITGC responsibility into their daily roles.
ITGC Checklist
For those doing SOX compliance and ITGC research on-the-fly over lunch, here’s an at-a-glance checklist of SOX compliance goals and actions for building ITGC standards.
| # | GOAL | ACTIONS TO TAKE FOR SOX COMPLIANCE |
|---|---|---|
| 1 | Prevent data tampering | Implement access tracking to detect suspicious login attempts to systems with financially sensitive data. |
| 2 | Record timelines for key activities | Implement methods for applying timestamps to financial and other data relating to SOX provisions. Store such data at remote, secure locations with encryption to prevent tampering. |
| 3 | Build verifiable controls to track access | Implement systems able to receive data from any source, for example files, FTP, and databases. Track who accessed or modified these data. |
Establishing Your Controls Environment
When we say ‘controls environment’ we’re referring to more than just a data or IT environment. Your controls environment also includes your organization’s values, culture and collective expectations.
How can you establish and cultivate a positive controls environment?
Set your mission: This should include ITGC goals and strategic planning so all stakeholders are clear on what they need to accomplish.
Advocate for the mission from the top: Senior management must become ITGC advocates who promote and maintain the ethical standards, integrity and policies that trickle down into teams.
Hire for compliance: Part of your HR and hiring process should include interviewing for at least base-level ITGC and SOX compliance awareness in candidates—gaps can always be filled.
Provide leadership & governance: Ensure leaders remain on top of operations and performance considerations relating to ITGC, correcting controls issues that are identified.
Promote accountability: Position ITGC and SOX compliance as inherent (not separate to) people’s daily roles, and integrate ITGC standards as part of performance appraisals.
It’s worth noting that sustaining a strong controls environment as part of an integrated culture of compliance diligence will bring many more benefits than SOX compliance readiness—ultimately, ITGC are also about maximizing business performance and cost-efficiency.
Conducting an ITGC Risk Assessment
Legacy thinking behind risk management has typically focused on financial threats. Modern Enterprise Risk Management (ERM) has in recent times shifted toward a risk assessment standard that accounts for anything that could affect the organization.
When designing and implementing ITGC for SOX compliance, your mode of thinking should follow this all-encompassing approach.
Match risks to performance: Each control owner should be able to identify how each risk they’re accountable for may negatively impact operations and performance.
Collaborate on risk assessment: Meet with ITGC stakeholders and identify potential external risks such as leadership gaps, HR gaps such as inadequate hiring and training standards, potentially ignored or unresolved auditing and monitoring findings, emerging laws and legislation, and poor safeguards of physical assets.
Rate and rank risks identified: Prioritize attention toward resolving critical risk, and strategize with ITGC collaborators how less immediate risks will be mitigated.
Develop corrective actions: Assign clearly defined actions to identified controls owners who’ll become accountable for implementation of controls standards that fall under their remit.
Implementing Controls Activities
Your ITGC risk assessment should have resulted in a comprehensive framework for implementing airtight ITGC standards that leave nothing to chance. Now, your controls activities implementations should aim to practically apply that framework.
Establish clear responsibilities: Assign each critical ITGC task to only a single person, and ensure structure and hierarchies are in place for effective reporting and delegation.
Apply separation of duties: Avoid making any one single stakeholder responsible for every part of any given process. Instead, diversify process ownership between individuals and use compensating controls, such as additional monitoring or secondary sign-offs when separation of duties isn’t possible.
Restrict access: Avoid granting systems or data access permissions unless a clear ‘need-to-know’ purpose has been identified and authorized.
Create policies and procedures: These should be clearly written instructions, together with directives on how they are to be followed.
Keep accurate records: Document all expenditures and their justifications.
All project expenditures in your company or organization should be backed by a clear statement of purpose and objectives as part of controls activities designed to leave a clear audit trail of transparency and accountability.
Implementing Information and Communication Systems
At this stage, your ITGC standards for SOX compliance should have taken shape.
To ensure standards don’t regress and deteriorate, it’s now crucial that ITGC be maintained with the backing of quality information and dissemination of effective communication.
Establish reliable information systems: Information systems that track operations relating to ITGC progress should be available and secure. Don’t leave spreadsheets lying around on desktop hard drives, for example.
AudITech helps ITGC stakeholders automate IT General Controls and IT audits that make up a critical part of ITGC standards. Through a single, powerful dashboard you’ll run IT audits in minutes (instead of weeks), view alerts of control gaps, and cues on how to easily close them.
Distribute ITGC information throughout your organization: Ensure critical information is reaching the right compliance stakeholders in a timely way, and ask them what information they need but may not be receiving.
Monitoring Your IT General Controls
Congratulations! If you followed the guidance above diligently, then you just established and implemented a coherent framework for ITGC. But the hard work isn’t over—senior management teams need to continually verify their effectiveness.
Conduct ITGC performance reviews: These reviews should seek to compare your actual performance vs your defined goals and budgets to assess if controls are being followed.
Conduct independent management reviews: Further test your ITGC with the help of impartial management stakeholders able to offer objective perspective on whether controls are working as intended, or if they should be redesigned.
Arrange external audits, and respond to findings: Solicit the help of external auditors to vet your internal controls (IC) and your IT General Controls, which are the subset of IC relating to the integrity of your IT environment and data systems.
Track all corrective actions: If controls gaps are identified, address them and document how you addressed them. Make sure also that the corrective actions were sufficient to close controls gaps that were spotted.
Monitor your ITGC continually: SOX compliance is part of a continual process of ITGC standards monitoring. This means you’ll need to find effective ways of linking corrective actions back to improvements in your Controls Environment and Control Activity standards to confirm that standards are actually being maintained and improved.
BONUS STEP: Automating IT General Controls Monitoring
One of the core pillars of your internal controls is your IT General Controls, which govern the effectiveness of your IT systems in maintaining the integrity of financial reporting. If your ITGC aren’t implemented and monitored, they will be judged as ‘weak’ by external auditors.
Once ITGC are implemented, your Internal Audit is the means by which their effectiveness is tested.
Imagine running IT audits in minutes from your browser
The good news is that you can use AudITech to automate away weeks of complex collaborations, human-error risk and IT department interventions usually involved in IT audits. Contact us and schedule an AudITech demo to discover the simple route to smarter, more valuable audits.
Read AudITech’s ITGC Guide for Newly Listed Companies’ CFOs and SOX Compliance Officers
For SOX compliance professionals, newly-public companies seeking SOX compliance and their CFOs, this guide will help improve your understanding of how to advocate for and maintain continual IT General Controls standards as part of your push for SOX compliance certification.