IT SOX Compliance: Requirements, Tips & Challenges

Programmers cooperating at information technology company

Establishing and maintaining a SOX program can be a difficult and complicated task.

To add to the complexity, SOX programs are commonly established and directed by individuals within a company’s finance and accounting department, and requiring more responsibilities to evaluate information technology controls can create even more complexity for finance professionals. 

Whether or not your finance and accounting team is familiar with IT controls, they can still achieve SOX compliance requirements with a purposeful strategy.

5 Tips to Meet IT SOX Compliance Requirements

1. Partner with your CIO and/or CTO 

Most technology leaders have been exposed to controls around data security and system development during their careers. 

Your CIO or CTO is a valuable resource to assist with identification and design of controls, and they may already have processes and tools in place that you can leverage for SOX compliance. 

Questions to ask technology leaders about SOX compliance: 

  • Do we have existing IT controls for other compliance requirements, such as HIPAA, PCI, or ISO 27001? 
  • Does the company have a SOC 1 or SOC 2 report where we could leverage existing IT controls? 
  • Do we have tools in place to assist with access management, change management, and system monitoring? 

2. Identify in-house IT vs. outsourced IT 

It is important to distinguish between internally developed systems and systems that are outsourced to third-party, or SaaS, providers. 

The same IT control coverage should be in place regardless of whether it was developed in-house or outsourced. However, the responsibility for operating the controls is a key difference.   

Internally developed systems will require processes to be established to ensure proper security, infrastructure, IT segregation of duties, system development and testing, and proper approvals and change management. 

For SaaS solutions, on the other hand, many of these controls are handled by the vendor. However, you are still responsible for some areas, including access management and monitoring. 

These required controls are typically outlined in the Complementary User Entity Controls (CUEC) section of your vendor’s SOC report.    

3. Document data flow and identify interfaces 

A solid starting point to determine in-scope systems involved in financial reporting is to visualize the data flow. 

This involves identifying initial data sources for areas around procurement, sales, HR and payroll, financial reporting, and other business processes.  

Create a map that follows the data through each system while identifying how the systems interface with each other.

Questions to ask when documenting data flow for SOX compliance: 

  • Is the data manually exported from one system to another? 
  • Is there an automated interface via API or SFTP? 
  • Are database accounts used to directly load data? 

When you have a visual representation of the data flow from the source system through to financial reports, you can start identifying in-scope systems and design interface controls to ensure that data is transferred completely and accurately between systems. 

4. Establish future state IT general controls and application controls 

Once you have identified the systems and interfaces in-scope for IT SOX, document your controls and establish a roadmap or action plan for implementing those controls.

Even if you do not currently have processes in place to support your future-state IT controls, set a target to work towards. 

Common IT General Control areas include access management, change management, computer operations and system development.

Common application and interface controls include: 

  • Workflow approvals 
  • Three-way match 
  • System checks and comparisons 
  • Job processing and error checking

5. Stay organized and document everything

During this entire process, organization is one of the main keys to success. 

  • Stay Organized – You may choose to use a tool like MS Teams, FloQast, SharePoint, or other file sharing platforms to store your control documentation and evidence. 
  • Use Templates – Do not rely on email or chat messages as audit evidence when performing controls, such as access provisioning. Develop set templates for access requests, change requests and other repeatable processes to maintain consistency. 
  • Document Everything – When making system changes, modifying access or IT decisions, make sure all supporting evidence is documented and retained — this will be crucial during future audits.  

Final Thoughts on Meeting IT SOX Compliance Requirements

IT SOX requirements are not as intimidating as they might initially seem. 

By partnering with technology-minded teammates and taking a methodical approach, any organization can succeed in establishing and maintaining a successful IT SOX program. 

Need SOX Compliance Support?

Bridgepoint Consulting is the strategic partner you need to make sure you are navigating the SOX Compliance process with ease. For more than two decades, our team of experienced business consultants and industry veterans have been streamlining different phases of business’ lifecycles. To start simplifying your process, get in touch today.