The Sarbanes Oxley Act :: View topic - System Deployments in 4th Quarter
Posted: Mon Nov 16, 2009 2:36 pm Post subject: System Deployments in 4th Quarter
At a prior company I worked for, I have had experiences where the CFO has stated that we cannot deliver systems changes in the 4th quarter that have a direct impact on financials, all in the name of SOX. In reviewing the SOX regulations I did not find any restrictions around deploying financial systems in the fourth quarter; therefore, I am under the impression that this was just a preference of the CFO in order to reduce the risk of significant or material issues arising in the last quarter of a financial year from the implementation. So I have the following questions:
1) Is this just the preference of the CFO, or did I miss something in the SOX regulation indicating that implementation in the 4th quarter is not allowed?
2) If this is just personal preference, has anyone been in this situation before and how did you address it?
My thought would be a two-fold approach:
1) Evaluate the risk of implementation against the risks associated with not implementing the system in the 4th quarter and base the decision to implement on this review.
2) Discuss the topic of implementation with our external auditors to understand what their concerns would be.
Joined: May 26, 2008 Posts: 187 Location: Switzerland
Posted: Tue Nov 17, 2009 4:12 am Post subject: System deployment in the 4th quarter
There is no requirement, it is just the preference of the CFO.
Section 404 of the Sarbanes-Oxley Act requires an issuer of securities that use the public capital market of the US to
(a) have its management evaluate the effectiveness of the issuer's internal control of financial reporting
(b) have its registered public accountant audit the effectiveness of the issuer's internal control over financial reporting.
Both opinions on the effectiveness of ICFR are provided as of the end of the financial year, but in practice they also test controls that relate to transactions that occur during the financial year. In order to have a sufficient degree of assurance that controls were operating effectively as of the end of the year, it is usually necessary to test their operating effectiveness over a minimum time period before the end of the year. Otherwise they may have worked by pure chance at the end of the year, but may have not worked before and probably may not work afterwards.
There are no details concerning IT security of the deployment of new IT systems or changes to IT systems in the law, the rules of the US Securities and Exchange Commission (SEC), or the Public Company Accounting Oversight Board's auditing standard.
Keep in mind that the registered public accountant will be risk averse and will probably also tell you not to do the system implementation in Q4.
In principle, an IT system that has a material impact on the consolidated financial statements can be implemented in Q4. However, you would need to assess risks that have an at least reasonably probable likelihood of resulting in material misstatements in the consolidated financial statements. As long as you come up with controls (which may also be compensating controls) that mitigate those risks, you are fine. The main question is whether management and the auditor have enough time to come up with and test the effectiveness of those controls before the annual financial statements need to be filed with the SEC.
Last edited by gmerkl on Tue Nov 24, 2009 1:53 am, edited 1 time in total
Joined: Jan 12, 2006 Posts: 849 Location: Roanoke, Virginia
Posted: Mon Nov 23, 2009 3:00 pm Post subject:
As gmerkl shares, freezing system changes in the final quarter is more for stability and organizational preferences to avoid impact. SOX 404 doesn't specify these types of freezes as companies must continually meet changing business and regulatory requirements.
Hopefully in the Project Management system or SDLC, there are existing risk management techniques and contingency plans to reduce potential exposures during that last quarter. Preferably major financial system changes or new system implementations should be done outside the final quarter -- but a company has to do what it has to do for business survival as well.