SOX compliance continues to be a pain area for many smaller companies seeking guidance on how not to run afoul of the regulators.

There is a lot of debate on the approach and methodology - in discussion forums, in consulting company newsletters and in boardrooms.

It's a good idea to start with the basics and work top down, rather than bottom up. So if you're scratching your head wondering what to do with your emails, voice mails and telephone records, it's best to take a step back and look at things in perspective.

SOX can be broken up into 3 areas:

1. Financial Controls
2. Executive Liability
3. IT Controls (General and IT Security)

The objective is to demonstrate that your company has SOME SORT OF CONTROLS - i.e. checks and balances (adequate or inadequate, as the case may be) in the financial reporting systems - and that it conducts independent (read: external) risk assessments of the effectiveness of the controls and the reporting systems. Then you get the executive officers to sign a statement saying that all this has been done.

IT fits in where financial reporting systems or business systems sit on technology platforms - these need to be looked at objectively, taking a macro and micro level view of what Information Security controls can be built into the IT function to support the compliance effort.

The internal team should comprise: legal (in house or external); corporate (company secretary or appropriate nominee of the board and executive); external auditors who know your business, have a relationship with you and are reasonably competent in the area of establishing controls; and finally the IT team, led or supported by someone who understands business controls and operational risk and can implement IT solutions and IT strategies.

Tip: Don't get confused by the myriad of IT point solutions which say they're SOX compliant. They won't help you achieve compliance, no matter what area they specifically address. For example, an access control solution may claim to be SOX compliant, but it won't help you unless authorization and access controls are part of the company infosec policy and are then implemented with adequate management and reporting support to ensure that the infosec policies are complied with. Only then will you be okay from a SOX perspective. The same goes for Intrusion Prevention Systems (IPS) - the point is to demonstrate that you have done all you can, first through policies and then through solutions, to ensure that your financial data has not been tampered with, or at least that you have systems in place (including change management tools) to demonstrate that the integrity of the financial systems is preserved. So, coming back to IT solutions and vendors, an IPS by itself isn't going to get you anywhere.

More on this subject later - I will post details on the COSO and COBIT frameworks and controls, and how they can be tweaked to address the needs of a specific company in a case study.

The message we're getting is that people are confused and don't know how to approach the whole effort.

It's not that complicated really if you look into the spirit of SOX: to put the onus squarely on the executive for financial mismanagement, and to make sure that they can't say in their defense that they didn't know what transpired in their businesses.

Simple, ain’t it?

Rion