As more companies work to transition their Sarbanes-Oxley (SOX) compliance efforts from a project to an ongoing, sustainable and cost-effective process, they are assessing strategies to better leverage the SOX technologies they've acquired and implemented. Protiviti Inc. has addressed the growing need for substantive and practical guidance in this area with the release of its new publication, Guide to the Sarbanes-Oxley Act: Managing Application Risks and Controls.
This reference tool provides guidance to generate more value out of technologies now that, for most organizations, year two of Sarbanes-Oxley compliance is coming to a close. Written by the leaders of Protiviti's Application Controls Effectiveness (ACE) practice, the guide offers detailed insights, ideas and concepts that should be of great interest to those responsible for internal control strategies within their organizations.
"Protiviti's ACE practice assists companies with their efforts to manage application risks, and the compliance challenges that accompany them, by defining and implementing internal control strategies," said Michael O'Donnell, managing director and global leader of Protiviti's Technology Risk Services. "While the broader context of this guide is the efforts of organizations to address Sarbanes-Oxley, the issues we address will be relevant to executives and audit committees interested in improving and managing the integrity of applications, regardless of a company's compliance initiatives."
The guide provides specific advice on how to identify relevant applications and the related risks that are important to Sarbanes-Oxley compliance, as well as how to most effectively test the controls that mitigate these risks. Additional topics addressed in this publication include:
- General application risk and control considerations for complying with Sarbanes-Oxley: Protiviti provides a detailed overview of application risk and control as it relates to Section 404. Topics include: benchmarking strategy and disclosure guidelines regarding ERP/application implementation.
- Application control considerations: Issues include how key applications are identified for documentation, and application control considerations for the order-to-cash, procure-to-pay, and close-the-books/financial reporting cycles.
- Access security considerations: Many security configurations create exposure through segregation-of-duties conflicts or excessive access to sensitive transactions. The guide addresses the processes that should be in place for establishing proper user access security and segregation of duties, the roles of the business and IT organization in controlling user access processes, and how an organization can improve its ability to manage appropriate security without incurring excessive cost and time bottlenecks.
- General IT controls related to applications: Protiviti discusses evaluating application change controls, managing interface risks, and the elements of data management and disaster recovery that should be evaluated by compliance teams.
- Implementation controls and considerations: This section includes explanations of the primary risks associated with implementation of a new application, data conversions and functional testing.
- Documentation: Protiviti offers guidance on controls documentation at various levels, including the entity level and activity/process area level.
- Testing: As with other controls, IT controls must be tested to ascertain that they are operating as designed. The guide includes strategies for controls testing at the infrastructure and application levels.
- Addressing deficiencies and reporting: Protiviti discusses ideas for how management can address deficiencies and gaps in application controls, and how an external auditor views application controls during the attestation process.
- ERP compliance software and automated testing tools: Protiviti suggests Sarbanes-Oxley enablement software that companies should consider, along with questions the organization should address when evaluating an application's capability to support Section 404 compliance.