
SOX-ITGC Compliance & PCI

Archisman Sen
Clément Renouvel
Deepa Pravinchandra Patel
Justine Merlet
SUMMARY

1. Introduction
2. What is SOX?
3. Legal requirements for IT compliance
4. Methods of compliance
5. Frameworks
6. How can SOX be helpful?
7. Conclusions
1. Introduction - Information Technology

- Important part of recent businesses
- Responsible for the key business activities
- Maintain a correct accounting mechanism
- ITGC
2. What is SOX?

- SOX
- Why SOX?
- GOALS
- Management rules
- Security controls

“The best plan of action for SOX compliance is to have the correct security controls in place to
ensure that financial data is accurate and protected against loss.”
Data Protection And Compliance

- Data classification enables:
  - security teams to more easily monitor
  - enforcement of corporate policies for data handling
- Data may need to be encrypted, compressed, or saved to a different file format
Compliance And Audits

“Being in SOX compliance and complying with other regulatory standards is nearly
impossible without the correct security solutions in place.”
3. Legal requirements for IT compliance
1. Section 302:

Companies need to put in place systems that protect against data tampering, provide the
ability to track timelines and are able to determine who had access to data and when.

- Data tampering: organizations need to ensure that their access controls are managed
appropriately. A robust access control process is required. Additionally, businesses must
ensure that it is difficult for people to access data without proper credentials (complex
passwords…). Another part of preventing data tampering is ensuring that records can be
recovered if they are lost.
- Timeline tracking: Section 302 compliance requires that companies keep track of when
changes were made to data. In addition to knowing when a file was last modified, companies
may also need to keep a log of when changes are made, what the changes were and who made
the changes.
- Ensuring safeguards are active and reporting on their effectiveness: senior management is
required to verify the effectiveness and functionality of safeguards and security systems in
the 90 days prior to a financial report being made.

2. Section 404:

- Section 404 requirements are often met by using a remote, web-based system that allows
access to outsiders, which lets them verify that the structures and processes in place are
appropriate and sufficient to meet Section 302 requirements.

3. Section 409:

- Deliver timely disclosure: SOX compliance mandates the timely disclosure of any
information that could affect a public company's financial performance.

4. Section 802:

- Ensure records retention: the IT team's role in SOX compliance is to preserve records (IMs,
recorded calls discussing money, financial transactions…) with internal automated backup
processes and to ensure the proper function of document management systems.
4. Methods of Compliance

- There is no one-size-fits-all approach to complying with SOX requirements.
- It may be best for businesses to start handling some tasks manually until it is determined
if they are actually effective.
- The initial costs of compliance can be high.
- The first step for companies is to do an audit.
- It is important that organizations verify that systems work as intended after changes are
made, and that existing processes are still running correctly.
Third parties and SOX:

- Complying with SOX does not rule out having a third party handle IT issues for an
organization, but any failures of a third party to comply with standards set out by SOX will
still be considered the fault and responsibility of the organization.
- When a company uses a third party to handle their IT services, they will still need to verify
that they are in compliance with SOX regulations: through an assurance report, or by having
the testing done by an outside consultant.
5. Frameworks
COSO and COBIT
- Help organizations determine how to manage and run business processes.
- Most companies end up using only COBIT or a combination of COSO and COBIT.
- COSO has the advantage of being a very robust framework for enterprise governance and
risk management. However, COSO falls short in terms of IT planning.
- COBIT complements COSO, as it provides the IT considerations lacking in COSO; the two
frameworks are so complementary that COBIT documentation refers to COSO.

PCAOB
- Created to develop auditing standards and train auditors on the best practices for
assessing a company’s internal controls.
- It is here that the specific SOX requirements for information security are spelled out.
- PCAOB publishes periodic recommendations and changes to the auditing process.

ITGI
- Dedicated to helping businesses meet their objectives without compromising information
security.
- ITGI has independently published its own framework for SOX compliance, using both
COBIT and COSO as guides.
- Unlike COBIT, the ITGI framework deals only with security issues.

There are many frameworks and structures that could be followed or adopted by
organizations; it depends solely on the business area, specificities of interests and a
cost-efficient approach to selection.
6. How can SOX be helpful?
1. Risk Triage
- Complying with SOX benefits companies as it gives them a starting point for asset analysis.
- ISACA states that the most appropriate way to define the right scope and extent of testing
for each SOX in-scope system is to perform a risk assessment specific to SOX’s requirements
and ITGC.
- These focused risk assessments allow you to understand the entire landscape of the
organisation’s controls.

2. Control Structure Strengthening
- SOX is helpful in the context of control structure, as SOX compliance includes better
control awareness.
- SOX assessments also involve additional scrutiny to ensure that the financial reporting
activities are well-executed and well-controlled.
- SOX compliance tackles problems that may occur as a company matures, at an early stage.

3. Better Audits
- More effective and efficient operations under SOX lead to better audit outcomes.
- With better internal audit outcomes, external auditors have a more efficient process.
- A more efficient process for the external auditor lowers overall audit costs and the cost of
employee time when responding to external audit report results.

4. Efficient Financial Reporting
- The main goal of SOX was to provide transparency in financial reporting.
- Complying with SOX when financial reporting allows for more efficient financial reporting,
and makes reporting easier as the organisation matures.
- More accurate financial reporting results in less time spent needing to correct mistakes.

5. Peak Operational Performance Early On
- Early SOX compliance benefits companies by instilling a sense of internal control.
- By requiring organisations to initiate controls at an early stage, SOX compliance benefits
companies by requiring them to assess their starting points and their risk.
- Steve Guarini states a number of benefits of complying with SOX, among which are
‘utilising a top-down approach to drive efficiency and effectiveness’.

6. Team Collaboration and Building Working Relationships
- SOX compliance requires deeper and more frequent collaboration among internal
stakeholders.
- SOX provides the backdrop for building stronger working relationships among teams
(e.g. internal auditors and those who oversee SOX assessments).
7. Conclusions
- Although there is a rise in the application of SOX by companies, and there can be a
special cost involved in the process of doing so, studies from renowned firms clearly
indicate that SOX application has led to an improvement in the performance of firms.

- One of the recent studies done by Protiviti in 2016, under the heading “Understanding
the Costs and Benefits of SOX Compliance”, showed that companies are spending more
time and money but continue improving their internal costs and business processes.
Faculdade de Economia, Administração e Contabilidade
UNIVERSIDADE DE SÃO PAULO

FINAL REPORT
Group Work

São Paulo
Semester 2, 2018

SOX ITGC COMPLIANCE

Lecturer: Prof. JOSHUA ONOME IMONIANA

Contributors:
Archisman Sen
Clément Renouvel
Deepa Pravinchandra Patel
Justine Merlet
DELIVERY DATE: 31/10/2018
CONTENTS:

1. Introduction

2. What is SOX?
i. A Definition Of SOX Compliance
ii. Three Management Of Electronic Records Rules
iii. SOX Compliance And Security Controls
iv. Data Protection And Compliance
v. Compliance And Audits
vi. SOX Compliance Checklist

3. Legal requirements for IT compliance
i. Section 302
ii. Section 404
iii. Section 409
iv. Section 802

4. Methods of compliance

5. Frameworks
i. COSO
ii. COBIT
iii. PCAOB
iv. ITGI

6. How can SOX be helpful?

7. Conclusions

1. Introduction

Information Technology forms an important part of recent businesses. IT systems are not
only responsible for the key business activities, but are also used extensively to maintain a
correct accounting mechanism, where complexity increases every day but there is almost no
room for error, not just because of high penalties but also because of the heavy impact on
business interests and on the image of a company's capabilities in the eyes of its clients.
ITGCs represent the foundation of the IT control structure. They help ensure the
reliability of data generated by IT systems and support the assertion that systems operate as
intended and that output is reliable. ITGCs usually include the following types of controls:

• Control environment, or those controls designed to shape the corporate culture or
"tone at the top."
• Change management procedures - controls designed to ensure the changes meet
business requirements and are authorized.
• Source code/document version control procedures - controls designed to protect the
integrity of program code
• Software development life cycle standards - controls designed to ensure IT projects
are effectively managed.
• Logical access policies, standards and processes - controls designed to manage access
based on business need.
• Incident management policies and procedures - controls designed to address
operational processing errors.
• Problem management policies and procedures - controls designed to identify and
address the root cause of incidents.
• Technical support policies and procedures - policies to help users perform more
efficiently and report problems.
• Hardware/software configuration, installation, testing, management standards, policies
and procedures.
• Disaster recovery/backup and recovery procedures, to enable continued processing
despite adverse conditions.
• Physical security - controls to ensure the physical security of information technology
from individuals and from environmental risks.

2. SOX

The Sarbanes-Oxley Act, generally called SOX, was adopted in 2002 when the United
States Congress passed it. It consists of eleven titles.
• Many provisions phase in over time and are dependent on SEC rulemaking
• No one escapes its long reach
• Public reporting is just one aspect of the Act

– Management is required to file an internal control report with their annual report,
stating:
• Management’s responsibilities to establish and maintain adequate internal controls and
procedures for financial reporting
• Management’s conclusion on the effectiveness of these internal controls at year end
• The company’s public accountant has attested to and reported on management’s
internal controls and procedures for financial reporting
– Management must evaluate design and operational effectiveness of internal
controls for financial reporting (as well as its disclosure controls and procedures)
on a quarterly basis.

i. A Definition Of SOX Compliance

In 2002, the United States Congress passed the Sarbanes-Oxley Act (SOX) to protect
shareholders and the general public from accounting errors and fraudulent practices in
enterprises, and to improve the accuracy of corporate disclosures. The act sets deadlines for
compliance and publishes rules on requirements. Congressmen Paul Sarbanes and Michael
Oxley drafted the act with the goal of improving corporate governance and accountability, in
light of the financial scandals that occurred at Enron, WorldCom, and Tyco, among others.

All public companies now must comply with SOX, both on the financial side and on
the IT side. The way in which IT departments store corporate electronic records changed as a
result of SOX. While the act does not specify how a business should store records or establish
a set of business practices, it does define which records should be stored and the length of
time for the storage. To comply with SOX, corporations must save all business records,
including electronic records and electronic messages, for “not less than five years.”
Consequences for noncompliance include fines or imprisonment, or both.

ii. Three Management Of Electronic Records Rules

As a result of SOX, IT departments are responsible for creating and maintaining an
archive of corporate records. They seek ways in which to do this that are both cost effective
and that are in complete compliance with the requirements of the legislation. Three rules in
Section 802 of SOX affect the management of electronic records. The first concerns the
destruction, alteration, or falsification of records and the resulting penalties. The second
defines the retention period for records storage; best practices suggest corporations securely
store all business records using the same guidelines as public accountants. The third rule
outlines the type of business records that need to be stored, including all business records,
communications, and electronic communications.

iii. SOX Compliance And Security Controls

The best plan of action for SOX compliance is to have the correct security controls in place to
ensure that financial data is accurate and protected against loss. Developing best practices and relying
on the appropriate tools helps businesses automate SOX compliance and reduce SOX management
costs.
Data classification tools are commonly used to aid in addressing compliance challenges by
automatically spotting and classifying data as soon as it is created and applying persistent
classification tags to the data. Solutions that are context aware have the ability to classify and
tag electronic health records, cardholder and other financial data, confidential design
documents, social security numbers, PHI, PII, and other structured and unstructured data that
is regulated.

iv. Data Protection And Compliance

Data classification enables security teams to more easily monitor and enforce
corporate policies for data handling. Depending on the sensitivity of data and its applicable
regulations, it may need to be encrypted, compressed, or saved to a different file format. With
the correct policies in place, corporations can prevent unauthorized users, even those with
administrative rights to the system, from viewing regulated data. The best solutions also
prevent data egress through copying to removable storage devices. Another feature of security
solutions that is worth the investment is their ability to safeguard shared data. These so-called
“masking” features give users access to necessary information while ensuring compliance
with regulations.

v. Compliance And Audits

Being in SOX compliance and complying with other regulatory standards is nearly
impossible without the correct security solutions in place. Providing evidence of compliance
is even harder because evidence must prove written controls are in place, communicated, and
enforced while supporting nonrepudiation. The correct security software solution provides the
supportable evidence so that all of your compliance efforts are worthwhile.
A software solution for meeting compliance requirements should be able to monitor data,
enforce policies, and log every user action. With evidentiary-quality trails, all of the data
needed for compliance is in place. Protect your data and your business with a software
solution that ensures SOX compliance and rest a little easier during your next audit.

vi. SOX Compliance Checklist
Every organization and every audit is different, which is why the idea of a universal
SOX compliance checklist isn’t a particularly useful one. There are, however, a few general
questions every business should consider. Before an audit, ask yourself:

✓ Am I working from an accepted framework, whether it’s COSO, COBIT, ITGI or a
combination of all 3?
✓ Have policies been established that outline how to create, modify and maintain
accounting systems, including computer programs handling financial data?
✓ Are safeguards in place to prevent data tampering? Have they been tested and found
operational?
✓ Is there protocol for dealing with security breaches?
✓ Is access to sensitive data being monitored and recorded?
✓ Have previous breaches and failures of security safeguards been disclosed to auditors?
✓ Have I collected valid, recent SAS 70 reports from all applicable service
organizations?

3. Legal requirements for IT compliance

SOX mostly deals with financial issues, but Sections 302 and 404 both include
language that relates directly to IT concerns. These sections outline the requirements that the
government has for collecting, storing and verifying the accuracy of financial records.

i. Section 302

While there are no specified mechanisms for accomplishing these tasks, Section 302
requires that companies put in place systems that protect against data tampering, provide the
ability to track timelines and are able to determine who had access to data and when. Further,
companies must be sure that all safeguards are active and that any security breaches or
failures to protect data are reported.

Data Tampering
Data tampering protections prevent information from being edited by someone who should
not have access to financial records or should have read-only access to data. This requires not
only that a company protect information from outside interference, such as from malware or a
hacker, but that only individuals who should be able to edit data have the right to do so. In
addition to using security processes, like firewalls and antimalware software suites,
organizations need to ensure that their access controls are managed appropriately. Solutions
like BMC BladeLogic Network or Database Automation, a part of the BladeLogic
Automation Suite, make automating the audit and management of these controls simple and
effective.

A robust access control process will provide the correct levels of access to individuals as well
as ensuring that rights are limited or rescinded when appropriate, such as when someone
leaves a company or is transferred to a different division. Additionally, businesses must
ensure that it is difficult for people to access data without proper credentials. This often means
requiring complex passwords, mandatory password changes on a regular basis and
appropriate verification of someone's identity before passwords are reset or provided for
employees. Further, databases that store login credentials need to be properly encrypted and
safeguarded. Many organizations implement audit and remediation of these technical controls
using out-of-the-box (OOTB) compliance content like that provided with BMC TrueSight
Server Automation. Regular, automated reports make the effort of sustaining an audit, not to
mention passing one, significantly less painful.

Another part of preventing data tampering is ensuring that records can be recovered if they are
lost, so data backups are key. Financial data needs to be completely recoverable, which
ensures that companies always have the most recent and relevant financial records on hand.
This is likely to involve multiple and off-site backups, and to be sure of compliance with SOX
regulations, it is likely that backups will need to be done far more frequently than many
companies are accustomed to. In some cases, a copy of a file may need to be made and stored
every time it is changed.
Timeline Tracking
Section 302 compliance requires that companies keep track of when changes were made to
data. In addition to knowing when a file was last modified, companies may also need to keep
a log of when changes are made, what the changes were and who made the changes.
Depending on how data is stored and financial entries are managed, it may be easiest for
companies to make copies of files every time they are altered and update logs accordingly,
which will take care of both redundancy and timeline tracking at the same time.
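The who/when/what log described above, implemented as an added Python example (this is not code from the original report, nor from any vendor product it mentions). It keeps an append-only change trail in which every entry carries the SHA-256 of the previous entry, so a later edit to any past entry breaks verification, and it stores a copy of the record at each version, mirroring the "copy the file every time it changes" idea. Record ids, actors, amounts and timestamps are constructed sample values; hash chaining is an assumed design choice, not something the report prescribes.

```python
"""Hash-chained change log for financial records (added example, not from the report).

Assumed design: each entry records when/who/what (before and after values)
plus the SHA-256 of the previous entry, so the trail is append-only and any
later edit to a past entry is detectable. A copy of the record is kept per
version, standing in for a per-change file copy.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the very first entry


def changed_fields(before, after):
    """Return {field: (old, new)} for every field whose value differs."""
    keys = set(before) | set(after)
    return {k: (before.get(k), after.get(k))
            for k in sorted(keys) if before.get(k) != after.get(k)}


class ChangeLog:
    def __init__(self):
        self.entries = []    # append-only audit trail
        self.snapshots = {}  # (record_id, version) -> copy of the record

    @staticmethod
    def _digest(body):
        # Canonical JSON so the hash does not depend on key order or spacing.
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(payload).hexdigest()

    def record_change(self, actor, record_id, before, after, when=None):
        """Append one entry describing who changed which record, when, and how."""
        when = when or datetime.now(timezone.utc).isoformat()
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        version = sum(1 for e in self.entries if e["record_id"] == record_id) + 1
        body = {
            "seq": len(self.entries) + 1,
            "when": when,
            "who": actor,
            "record_id": record_id,
            "version": version,
            "before": dict(before),
            "after": dict(after),
            "changed": changed_fields(before, after),
            "prev_hash": prev_hash,
        }
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        self.snapshots[(record_id, version)] = dict(after)
        return entry

    def verify(self):
        """Walk the chain; return (True, None) or (False, seq of first bad entry)."""
        prev_hash = GENESIS
        for expected_seq, entry in enumerate(self.entries, start=1):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if (entry["seq"] != expected_seq
                    or entry["prev_hash"] != prev_hash
                    or self._digest(body) != entry["hash"]):
                return False, entry["seq"]
            prev_hash = entry["hash"]
        return True, None

    def history(self, record_id):
        """Timeline for one record: when, who, version and what changed."""
        return [{"when": e["when"], "who": e["who"], "version": e["version"],
                 "changed": e["changed"]}
                for e in self.entries if e["record_id"] == record_id]


def demo():
    """Constructed walk-through: two legitimate changes, then a modification of a
    stored entry made outside record_change(), which verify() reports."""
    log = ChangeLog()
    log.record_change("alice", "INV-1001", {"amount": 0.0, "status": "draft"},
                      {"amount": 1250.0, "status": "posted"},
                      when="2018-10-01T09:00:00+00:00")
    log.record_change("bob", "INV-1001", {"amount": 1250.0, "status": "posted"},
                      {"amount": 1275.0, "status": "posted"},
                      when="2018-10-02T10:30:00+00:00")
    intact, _ = log.verify()
    # Out-of-band edit of a past entry (constructed, to show detection).
    log.entries[0]["after"]["amount"] = 9999.0
    still_intact, bad_seq = log.verify()
    return intact, still_intact, bad_seq


if __name__ == "__main__":
    print(demo())  # (True, False, 1)
```

In practice the trail itself would be written to storage the application account cannot rewrite (a separate log service or append-only store), and `verify()` would run as part of the periodic control testing so that a broken chain surfaces well before the 90-day reporting window.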

Ensuring Safeguards Are Active and Reporting on Their Effectiveness

Senior management is required to verify the effectiveness and functionality of safeguards and
security systems in the 90 days prior to a financial report being made. So long as a system has
been installed properly, logs and reports of systems operating effectively are generally
sufficient to meet this standard. To ensure that a system is up to the task of protecting data
and tracking it, audits will need to be done occasionally. This can be done internally or
externally, but it is necessary to provide documentation that audits were completed as well as
the findings of the auditors.

Should anything go wrong, either due to outside interference or a problem with systems in
place, it is required that this is reported. If a system went down due to a denial of service
attack or a malware infection corrupting data, this needs to be included in a report. Even if
security breaches or problems were addressed, such as a hard drive failing and data being
recovered from a backup, information related to the incidents has to be disclosed.

ii. Section 404

This section deals more with transparency than specific objectives related to data
handling, and it requires that the efficacy of security systems, protections and data handling
methods are independently verifiable. All data must be made available to auditors, including
financial records as well as any potential security breaches.

Section 404 requirements are often met by using a remote and web based system that
allows access to outsiders. Auditors are given read-only access to files, documents and
systems, which allows them to verify that the structures and processes in place are appropriate
and sufficient to meet Section 302 requirements.

Since SOX compliance mandates that systems are proven to have been operating as
described by regulations for at least 90 days, businesses need to be able to provide reports and
logs that indicate system statuses during this time frame. Any security breaches or problems
also need to be disclosed along with information about how they were resolved. Most
organizations start with incident tracking and monitoring to document these processes and to
potentially share with auditors as needed. Organizations that want to get through their audits
more quickly and with lower overhead can demonstrate ongoing compliance through
meticulous record keeping, or by using an automated Compliance engine like TrueSight
Server Automation, and the detailed reporting it provides.

iii. Section 409

Deliver Timely Disclosure

Certain events — like mergers and acquisitions, bankruptcy, the dissolution of a major
supplier or a crippling data breach — can significantly shift a company's fiscal prospects.
SOX compliance mandates the timely disclosure of any information that could affect a public
company's financial performance.

The IT team's role is to support SOX compliance software that uses alert mechanisms
that could trigger this timely disclosure requirement, as well as mechanisms for quickly
informing shareholders and regulators of any changes in the company financial statement.

iv. Section 802

Ensure Records Retention

Today's SMBs keep both paper and electronic copies of sensitive records when
bookkeeping. Spreadsheets on an end user's computer, email messages, IMs, recorded calls
discussing money, financial transactions — all of these have to be preserved and made
available to auditors for at least five years.

The IT team's role in SOX compliance is to preserve these records with internal automated
backup processes and ensure the proper function of document management systems (which
may or may not include an archive of email and related unified-communications content). IT
staff are also responsible for maintaining the availability of these records as the organization
migrates to new technologies, such as from old tape-based systems to cloud backup.

4. Methods of Compliance

It’s important to note that there is no one size fits all approach to complying with SOX
requirements. Businesses, even those in the same industry, may have vastly different ways
of handling their financial documentation and data entry, and organizations may not want to
start from scratch with these processes to make them fit a SOX compliant IT process.
Additionally, while automating these systems may provide cost savings over the long-term, it
may be best for businesses to start handling some tasks manually until it is determined if
they are actually effective.

It is important to note that the initial costs of compliance can be high since
organizations will need to put systems in place that are able to meet SOX guidelines, train
staff to use these new systems and review their effectiveness on a regular basis. As such,
most businesses will have to eventually transition to automated systems to keep costs under
control.

Generally speaking, the first step for companies who are not yet compliant or want to
ensure that they are compliant is to do an audit. Audits should focus on determining where a
system is lacking as well as potential security gaps. Once macro issues have been identified
and mitigated, minutiae can be looked at and processes refined. It is common to run quick
audits through an organization to assess the compliance posture, and determine where to
invest vs. what can remain as-is.

Since getting a company into compliance is likely to involve training people, changes
in the current processes, and technology (software and systems) that are being used, it's
important that organizations verify that systems work as intended after changes are made.
For example, if new accounting software is installed to beef up access control capabilities,
it's important to ensure that existing processes are still running correctly.

Complying with SOX does not rule out having a third-party handle IT issues for an
organization, but that does not mitigate a business' responsibility to ensure that they are
meeting regulations. According to interpretive guidance issued by the SEC, companies are
not allowed to issue reports on IT management or data control with limitations; any failures
of a third party to comply with standards set out by SOX will still be considered the fault and
responsibility of the organization. Therefore, it’s important to use a transparent audit
process, to have good visibility into the whole compliance picture.

When a company uses a third-party to handle their IT services, they will still need to
verify that they are in compliance with SOX regulations. Although this may not be possible
in-house, there are still ways to meet the Section 404 requirements for verifying that
services are working correctly. Companies have the option of obtaining an assurance report
that complies with a Statement on Standards for Attestation Engagements 16 report from
the third-party providing their IT services or by having the testing done by an outside
consultant.
We must remember that these methods are not to be forgotten once they have been put into practice.

5. Frameworks

There are many frameworks and structures that could be followed or adopted by
organizations and it depends solely on the business area, specificities of interests and cost
efficient approach of selection.

COSO and COBIT

There are several existing standards and frameworks in place that may be helpful
when designing or updating systems to comply with SOX standards. Two in particular are the
Committee of Sponsoring Organizations of the Treadway Commission's Internal Control -
Integrated Framework, or COSO, and ISACA's Control Objectives for Information and Related
Technology, also referred to as COBIT.

Both COSO and COBIT are frameworks that help organizations determine how to
manage and run business processes. They broadly outline the ways that companies can
determine what needs to be done to accomplish their goals and how to identify and deal
with potential weaknesses. Neither specify the way that IT issues need to be handled;
however, this is beneficial since there is no single set way that will work for all businesses.

Using a framework is essential to being able to comply with SOX regulations because
the law leaves the method for proving a business' data is safeguarded up to the
organization. Therefore, a framework is needed to provide auditors with a way of
determining if what is being done to handle data is sufficient to the task and if it is working.
Compliance engines like TrueSight Server Automation make automating some of these
frameworks, and the attendant reporting required achievable with very reasonable Returns
on Investment (ROIs), often within 9 months of implementation.

In general, most companies end up using either COBIT on its own or a combination of
COSO and COBIT. COSO has the advantage of being a very robust framework for enterprise
governance and risk management while being particularly well suited for financial processes,
and it has been endorsed by the SEC.

Still, the reason most organizations do not use COSO on its own is that it falls short in terms
of IT planning. However, COBIT fits together nearly perfectly with COSO, and it provides the
IT considerations lacking in COSO. COBIT was essentially built upon COSO, but COBIT has
fine-tuned COSO so that IT issues are taken into consideration. The two frameworks are so
complementary that COBIT documentation refers to COSO components. Other advantages
of COBIT are that the framework works well with a number of other established enterprise
frameworks, is freely available and has been developed and is still being maintained by a
trusted and established non-profit.

COBIT offers a variety of processes and guidelines to help organizations determine
what their goals are as well as track them. IT control objectives aid businesses in
determining what processes need to be put in place based on an organization's particular
needs. Once objectives are put in place, they are tracked using the goals and metrics system
in COBIT based on IT goals, process goals and activity goals.

In addition to goals and metrics, maturity models show organizations where they are
in terms of reaching specific objectives. This is a more granular approach to watching an
organization's progress, and it can help businesses ensure that they are focusing their efforts
on the most important processes as well as making steady progress on achieving their
implementation.

PCAOB
The Public Company Accounting Oversight Board was created to develop auditing
standards and train auditors on the best practices for assessing a company’s internal
controls. It is here that the specific SOX requirements for information security are spelled
out. PCAOB publishes periodic recommendations and changes to the auditing process. For
obvious reasons, being aware of the most recent iteration of these guidelines is essential to
passing an audit.

ITGI
The Information Technology Governance Institute (ITGI) is dedicated to helping
businesses meet their objectives without compromising information security. ITGI has
independently published its own framework for SOX compliance, using both COBIT and
COSO as guides. Unlike COBIT, however, the ITGI framework deals only with security issues.

6. How Can SOX be Helpful?

Six Ways SOX Compliance Benefits the Organization:

i. Risk Triage
Not all risks are created equal. SOX compliance benefits companies by giving them a
starting point for asset analysis. Bringing risk into the picture means being able to manage
your controls more effectively. The Information Systems Audit and Control Association
(ISACA) explains,

The most appropriate and effective way to define the right scope and the extent of
testing for each Sarbanes-Oxley in-scope system is to perform a risk assessment focusing on
the risks associated with Sarbanes-Oxley requirements and specific to ITGC. Risk assessment
is not a new buzzword—everyone in today’s world talks about risk-based approach, risk
assessments, etc., but few understand that for a risk assessment exercise to be successful, it
is extremely important to identify whether the focus of risk assessment is confidentiality,
integrity and/or availability, and then to define the risk criteria/parameters.
For example, a risk assessment exercise for Payment Card Industry (PCI) Data Security
Standard (DSS) compliance focuses on what should and should not be stored to ensure that
credit card information is not compromised and, thus, to ensure data privacy. However, for
Sarbanes-Oxley, the same approach cannot be applied because Sarbanes-Oxley focuses on
data integrity and misstatements to financial reporting. Therefore, the risk assessment
criterion shifts from data privacy to data integrity.

Focused risk assessments mean understanding the entire landscape of the
organization’s controls. By learning which areas do not need to be SOX compliant, the
company can focus on shoring up the areas that carry the greatest risk. In addition, by learning
which areas apply to SOX and how they fit into the compliance profile, internal stakeholders
gain insight into how various types of compliance overlap.

ii. Control Structure Strengthening

Sections 302 and 404 require the documentation of controls, including operations
manuals, personnel policies, and recorded control processes. With this kind of
documentation required, many organizations may find the process overwhelming.

SOX compliance benefits around controls include better control awareness by
control owners. This means that how and why these controls are important, and where they
fit into the big picture, is more transparent. When auditors and management focus on
internal controls through a SOX assessment, the control owners quickly become more aware
of how important their activities are to the financial success of the organization. The additional
scrutiny provided by a SOX assessment directs its participants to put forth even more effort
to ensure that activities important to financial reporting are well-executed and well-controlled.

Businesses often grow organically. This can mean that staff changes lead to control
changes, which cause problems as the company matures. SOX compliance therefore
benefits even smaller organizations at an early stage. In 2006, Harvard Business Review
writers Stephen Wagner and Lee Dittmar wrote,

PepsiCo has also benefited from updating its documentation processes. In the course
of making these updates, the company determined that inadequate controls existed for
pension accounting, a complex process that depends not only on the internal compensation
and benefits group but on external actuaries and asset custodians. Lardieri says with dismay,
“A lot of steps we assumed were being taken—account reconciliations and interest
calculations and data integrity checks—actually weren’t.”

For larger organizations just starting the process, the SOX compliance benefits may be
surprising. However, as SOX compliance has progressed since 2006, the issue today more
often lies in the manner in which that documentation is done. For those using
spreadsheets to document their SOX compliance, information may end up scattered
across the organization. Automated tools provide a single location for the documentation,
giving the visibility needed to ensure that all stakeholders are aware of the controls.

iii. Better Audits

While “better audits” sounds vague, the term covers many different aspects of the
audit process. The 2016 Protiviti Sarbanes-Oxley Compliance Survey research noted:

For a strong majority of public companies (85 percent), either the audit committee or
executive management is the executive sponsor for SOX compliance efforts. The audit
committee should be responsible for the broad overview of the organization’s risk
management, under which SOX compliance falls. Executive management is specifically
responsible for the accuracy and completeness of the organization’s internal control over
financial reporting – a key component of the SOX requirements. Therefore, it makes sense
that executive sponsorship falls under one of these bodies, particularly within a public
company.
Internal audit is primarily responsible for the execution of these activities in one out
of three companies (35 percent). Within a majority of organizations, either internal audit or
management and/or process owners have this responsibility. When it comes to testing,
two-thirds of public companies rely on either their internal audit groups (46 percent) or
management and/or process owners (21 percent). Internal auditors performing and
supporting testing efforts is not surprising, given that they are well-suited to do it with their
skill sets and they are sufficiently independent to enable external audit reliance.
More effective and efficient operations lead to better audit outcomes. With better
internal audit outcomes, external auditors have a more efficient process. A more efficient
process for the external auditors lowers overall audit costs as well as the cost of
employee time spent responding to external audit findings. SOX compliance benefits
the audit process in that it “creates better audit evidence collection, leads to
better user experience supporting auditors. Additionally, an automated platform like
ZenGRC provides dashboards that make Audit project management easy.”

iv. Efficient Financial Reporting

The main goal of SOX was to provide transparency in financial reporting. To do this, the
regulation defined the process for determining reliable information. These early processes
looked much like the COSO description: management probably specified a high-level financial
reporting objective and sub-objectives related to preparing financial statements and
disclosures. In doing so, it identified significant financial statement accounts based on the
risk of material misstatement. Then, for each account or disclosure, management identified
the relevant financial reporting assertions, including existence, completeness, rights and
obligations, valuation or allocation, presentation and disclosure, and the like. In addition,
management identified the underlying transactions, events, and processes supporting the
respective accounts and disclosures. The result may have been a map of the design of
your company’s internal control environment, providing evidence that control activities are
in place for all relevant financial reporting assertions for all significant accounts and
disclosures. If there were any significant gaps, you remediated them accordingly.

Despite the perceived drudgery of documentation, completing this process allows
for more efficient financial reporting in years two and beyond. Having the control
environment mapped means the documentation provides the insight needed to track material
changes. This makes reporting easier as the organization matures, and more accurate
financial reporting means less time spent correcting mistakes.

v. Peak Operational Performance Early On

Early engagement with SOX compliance benefits companies by instilling a sense of
internal control that eases growing pains. In his Institute of Internal Auditors North American
presentation, Steve Guarini, formerly with Rehmann Group and now with Cohen & Company,
noted that SOX compliance would:

• Utilize a top-down approach to drive efficiency and effectiveness
• Focus on areas of high risk, significant accounts, processes, and locations
• Take a practical approach to “right-sizing” documentation
• Focus on key controls versus all controls
• Integrate IT and business processes to maximize the benefit of automated
and manual controls
• Build the control structure with the goal of maximizing operational and
auditing efficiency and minimizing compliance costs

By requiring organizations to initiate controls at an early stage, SOX compliance
benefits companies by making them assess their starting point and reassess their risk
annually. This means that controls cannot be haphazard. It also requires that organizations
begin with a streamlined approach to risk that integrates multiple business areas.

vi. Team Collaboration and Building Working Relationships

SOX compliance requires deeper and more frequent collaboration among internal
stakeholders. Ernst & Young notes:

As the IT risk profile and threat landscape rapidly changes and risks increase,
companies need to change their mindset and approach toward IT risk to address a new
normal. Now more than ever, IT issues are issues of importance to the C-suite. Boards of
directors, audit committees, general counsels and chief risk officers need to work alongside
IT leaders and information security and privacy of users to fully address their organization’s
risk management level of due care, approach and preparedness and to implement an IT risk
management program that is adequate and effective in managing cyber risks.

Internal auditors and those who oversee SOX assessments collaborate across
business lines with those who own or contribute to financial controls, such as
control owners, IT, or HR. SOX provides the backdrop for building stronger working
relationships among teams. At the heart of this collaboration lies communication.
Automated GRC tools, like ZenGRC, ease collaboration by creating a single,
accessible location where the stakeholders can meet. Access to this location can also be
controlled, granting each stakeholder appropriate access based on their compliance role.

6. Conclusions

Although the adoption of SOX by companies is rising and there can be a considerable
cost involved in doing so, studies from renowned firms clearly indicate that applying SOX
has led to better performance by firms.
One recent study, done by Protiviti in 2016 under the heading
“Understanding the Costs and Benefits of SOX Compliance”, showed that companies are
spending more time and money but continue to improve their internal costs and business
processes.

REFERENCES

1. http://www.bmc.com/guides/security-sox-compliance.html

2. https://blog.ipswitch.com/sox-compliance-what-is-the-it-teams-role

3. http://www.sfisaca.org/Presentations/C13.pdf

4. https://www.sans.org/reading-room/whitepapers/auditing/sarbanes-oxley-information-technology-compliance-audit-1624

5. https://www.blackstratus.com/sox-compliance-requirements/

6. https://en.wikipedia.org/wiki/Information_technology_controls

7. https://www.protiviti.com/sites/default/files/united_states/insights/2016-sox-survey-protiviti.pdf
