Implementing a SOX compliance
project in the IT world.
This article is for those of you
who are new to SOX and have to get a SOX compliance project up and running
quickly. The task of getting a SOX project off the ground can seem very
difficult but when you break it down into component parts, life gets a
1. Find out what SOX is and how
it affects your company.
There are lots of documents and resouces out there to help you learn
about SOX and how to implement it in your company. The references on this
site relate to SOX in the IT world. The very basics can be found here.
2. Staffing the project
Someone has to do it. This may range from just you to a dedicated
team of people brought in especially for the purpose. The most likely
scenario is that your company will reassign people to the task temporarily.
These people (person) have to come to grips with the project and what
is involved. So, get some staff.
3. Pick your standards
SOX compliance is all about comparing your company's controls against
some accepted standards. You could invent your own standards of what you
thing is right but they are unlikely to be comprehensive and you will
find it hard to argue the need for them when they only have your support.
Much better is to pick some internationally recognised standards such
CobiT - Control Objectives for Information
and Related Technology
COSO - Committee of Sponsoring Organizations of the Treadway Commission
These may already be accepted within
your company, in which case your work will be much reduced. More likely,
your company will have these as a sort of aim but have never been measured
There are other frameworks too such
as ISO7799, Hipaa
By far, the most comprehensive of
the frameworks in an IT environment is CobiT.
more about CobiT here
3. Identify people and guidelines
Begin collecting names of key players in the world of IT and those
around them. Whoare the main IT people, IT security people, auditors -
internal and external and most of all who are the main business people.
Now obtain the documents - the audit
guidelines, the management policies currently in place and any other documents
which define policies and procedures within the company.
4 Identify a test team.
SOX is all about identifying controls, documenting them and testing
them. This is the main part of SOX compliance and also the most time consuming.
Taking people from each of the business areas is a bad approach since
you lose independence. It may be better to get a small group from just
one area and then assign a coordinator - maybe you.
5 Define the roles and start working
Well, we have a coordinator - probably you. You will have selected
the framework to test against and have it agreed with your boss. There
is now a lot of work to do. The next job is to split your group up into
Testers and Documenters. There will be a lot of systems and procedures
to review and validate and you will need to keep the SOX work under control
to ensure that it is done properly and completely.
Sarbanes-Oxley seems quite an onerous
task when you start out but soon you realize that you are making a positive
impact to the control environment in you company.