The role of technology in Sarbanes-Oxley Act compliance

The Sarbanes-Oxley Act and the subsequent rulemaking by the SEC are effecting far-reaching changes in corporate governance, financial statement disclosure and auditor independence. Under sections 302 and 404 in particular, companies need a repeatable and persuasive basis for their disclosures on the status of their internal control environment. External auditors must also provide an annual opinion on the reliability of the control representations made by the companies. While the compliance activity appears to be a financial and audit issue rather than a systems issue, it is important to understand the role that technology plays in achieving sustainable compliance. After all, the essence of the Act is ensuring that internal controls are in place to create and document the information behind financial disclosures, and which organization today does not depend on technology to create, modify and manage information?

The key activities in preparing for SOX compliance are:

Documentation involves assembling all the procedures, policies, risk areas, controls and objectives in a systematic and structured way. The process and control documents should be accessible to the relevant employees across the organization.

Monitoring of the control environment includes verifying the systemic controls within the financial systems and the associated actions for remediating any control violations.

Internal Control Assessments is the process by which management assesses the health of the controls across the organization for each entity and process.

Measurement of control health is an ongoing process by which management benchmarks its progress and identifies laggards.
Communication is the glue underlying all activities of the compliance system: management, the Audit Committee, audit teams and process owners are all connected to achieve the corporate compliance goals.

Reporting is the activity under which the relevant compliance reports are published to support attestation.

We can now identify the key role that technology plays in each of the above activities.

Documentation: Organizations need a centralized system to document their internal control environment. Policy documents, process flows, organizational objectives, the risks identified against those objectives and the controls planned for them need to be documented in a secure and auditable environment. Management and the process and control owners across the organization should have anytime, anywhere access to these documents. Technology solutions exist to centrally create and manage digital documents, allowing worldwide access via the corporate intranet under a single authentication and access control scheme. Because this documentation is the evidence behind management's assertion, the repository should also retain a change history recording who edited which document and when.

Monitoring: Monitoring of controls is required at the entity and process levels. Management designs entity-level monitoring to implement controls for each of the identified processes; process owners or control owners evaluate the effectiveness of the controls. Best practice is that internal control and data integrity check points be embedded into the financial systems themselves. However, an external monitoring system should also be in place to assess these system-level controls.
This is accomplished by integrating the monitoring system with specific event-based controls within the financial IT systems. Depending on the technology used in the financial systems, the integration is done either through an event-based programming interface at the transaction level or as an analytical integration with the reporting system. Application programming interfaces offered by the financial system vendors, connectors and XML are some of the key technologies used here.

Internal Control Assessments: For management to assert on the internal controls, the design and operating effectiveness of those controls must be assessed and evaluated. Management and audit teams plan the assessments, but the individual process owners provide the actual assessments. Strong IT tools are therefore required to design and program the assessment questionnaires and to run periodic programs that capture the assessments from distributed functional owners within the enterprise. Integration with internal HR systems, LDAP directories and corporate email systems are some of the key technologies used during this activity.

Measurements: A unified measurement system is pivotal in evaluating the controls. The measurement system should aggregate the health of the controls across each of the entities and processes.
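To make the monitoring and measurement activities above concrete, here is an added example of an external control monitor that consumes transaction-level events from a financial system, evaluates control rules against them, and aggregates control health per entity and process so that laggards can be identified. This is illustration code written for this page; it is not from the original article or from InfoSTEP. The event schema, the two control rules (a segregation-of-duties check and an approval-threshold check), the 90% health threshold and the sample events are all constructed assumptions, not anything the article specifies.

```python
"""Added example: an external SOX control monitor over transaction events.

Assumptions (not from the article): the TxnEvent schema, the two control
rules, the health threshold and the SAMPLE_EVENTS are constructed here.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class TxnEvent:
    """One transaction-level event emitted by the financial system (assumed schema)."""
    entity: str            # legal entity / business unit
    process: str           # financial process, e.g. "journal_entry"
    txn_id: str
    amount: float
    created_by: str
    approved_by: Optional[str]   # None when no approval was recorded

@dataclass(frozen=True)
class Violation:
    control_id: str
    event: TxnEvent
    detail: str

# A control returns None when it passes, or a human-readable failure detail.
Control = Callable[[TxnEvent], Optional[str]]

def ctl_segregation_of_duties(ev: TxnEvent) -> Optional[str]:
    """Assumed control: the person who created a transaction may not approve it."""
    if ev.approved_by is not None and ev.approved_by == ev.created_by:
        return f"creator {ev.created_by} also approved {ev.txn_id}"
    return None

def make_approval_threshold(limit: float) -> Control:
    """Assumed control: transactions above `limit` require a recorded approver."""
    def ctl(ev: TxnEvent) -> Optional[str]:
        if ev.amount > limit and ev.approved_by is None:
            return f"{ev.txn_id} amount {ev.amount:.2f} exceeds {limit:.2f} without approval"
        return None
    return ctl

# Control identifiers are illustrative, not from any framework.
CONTROLS: Dict[str, Control] = {
    "C-SOD-01": ctl_segregation_of_duties,
    "C-APR-01": make_approval_threshold(10_000.0),
}

def evaluate(events: List[TxnEvent]) -> List[Violation]:
    """Run every control against every event; collect the failures for remediation."""
    violations: List[Violation] = []
    for ev in events:
        for cid, ctl in CONTROLS.items():
            detail = ctl(ev)
            if detail is not None:
                violations.append(Violation(cid, ev, detail))
    return violations

Key = Tuple[str, str]

def control_health(events: List[TxnEvent],
                   violations: List[Violation]) -> Dict[Key, float]:
    """Aggregate per (entity, process): share of control checks that passed."""
    checks: Dict[Key, int] = {}
    fails: Dict[Key, int] = {}
    for ev in events:
        k = (ev.entity, ev.process)
        checks[k] = checks.get(k, 0) + len(CONTROLS)
    for v in violations:
        k = (v.event.entity, v.event.process)
        fails[k] = fails.get(k, 0) + 1
    return {k: round(1.0 - fails.get(k, 0) / n, 4) for k, n in checks.items()}

def laggards(health: Dict[Key, float], threshold: float = 0.9) -> List[Key]:
    """Entities/processes whose control health is below the (assumed) threshold."""
    return sorted(k for k, h in health.items() if h < threshold)

# Constructed sample events; not real data.
SAMPLE_EVENTS: List[TxnEvent] = [
    TxnEvent("US-01", "journal_entry",  "J1",   500.0, "alice", "bob"),
    TxnEvent("US-01", "journal_entry",  "J2", 12000.0, "alice", "alice"),  # SoD failure
    TxnEvent("US-01", "journal_entry",  "J3",   800.0, "carol", "bob"),
    TxnEvent("EU-02", "vendor_payment", "P1", 15000.0, "dave",  None),     # threshold failure
    TxnEvent("EU-02", "vendor_payment", "P2",   200.0, "dave",  None),
    TxnEvent("EU-02", "journal_entry",  "J4",   300.0, "erin",  "frank"),
]

def run_monitor(events: List[TxnEvent]):
    """Single entry point: violations for remediation plus health for the dashboard."""
    violations = evaluate(events)
    health = control_health(events, violations)
    return violations, health, laggards(health)

if __name__ == "__main__":
    vs, health, lag = run_monitor(SAMPLE_EVENTS)
    for v in vs:
        print(f"VIOLATION {v.control_id}: {v.detail}")
    for k, h in sorted(health.items()):
        print(f"{k[0]}/{k[1]}: control health {h:.2%}")
    print("laggards:", lag)
```

In a real deployment the event list would be fed by the financial system's API or connector rather than an in-memory list, and the violations would be written to a remediation queue; the per-entity health figures are the kind of aggregate a scorecard or dashboard would drill into.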
Under the COSO framework, the measurement system should provide the means to measure the status of control information across strategic, financial and compliance objectives. The measurement system should also help identify laggards within the organization so that changes can be implemented for process optimization. The financial dashboards that management reviews should show the overall maturity of the organization's corporate governance and should allow drilling down to individual processes and systems. Technology plays a key role again in this area: the measurement system for internal controls should integrate seamlessly with corporate performance management tools, scorecard systems and other analytical applications.

Communication: Constant communication among the various entities involved in the compliance activity is a key part of the overall compliance system. Corporate email systems, alerts carrying web URLs and escalation processes are some of the technologies used to implement the communication requirements.

Reporting: Many enterprises today have standardized on reporting and business intelligence systems to centralize report generation and dissemination.
The reports generated from the internal controls and assurance applications should integrate seamlessly with these reporting standards.

Conclusion: The role of technology in implementing sustainable compliance systems across the enterprise is manifold. All aspects of compliance (documentation, monitoring, assessments, measurements, communication and reporting) involve deep integration with corporate IT systems. Document management systems, ERP systems, intranet portals, HR systems, corporate performance management (CPM) systems, scorecards, email tools and business intelligence tools are some of the key IT systems that the compliance system takes information from or feeds information into. A scalable, open and secure technology platform is thus a necessary foundation for building the compliance applications, and an ongoing partnership between the IT and audit departments is needed to achieve sustainable compliance.

www.infostep.com
http://harmony.elustro.com

Sagar Anisingaraju is the CEO of InfoSTEP (Santa Clara, CA).