A gray area (maybe stupid): Question about IT purchases

  • I am doing a SOX engagement at a medium-sized manufacturer. My question is: should I consider IT purchases a SOX issue? Like, I am saying there should be a feasibility study on all software and hardware purchases.
    Am I just being picky, and should I even consider IT purchases a SOX issue?
    Please, help and turn on the light for me.

  • Hi,
    IT purchases should be considered in the Procurement process, where you will cover subprocesses such as purchasing, receiving, accounts payable, liability accruals and payments.
    Note that IT, as long as it gets capitalized, will also be considered in the fixed asset processes.
    If IT acquisitions flow differently from any other asset acquisition, then you may always include a special paragraph in one of these processes where this is explained.
    In my point of view, it should not require a separate process.

  • Procurement processes always have a direct impact on financial reporting. Effective procurement internal controls are required to support your efforts to achieve compliance with Sarbanes-Oxley.

    Common deficiencies in the procurement control environment
    We follow the COSO framework, so we look for:
    * Design deficiencies (controls missing or not properly designed), like a missing approval
    * Operating deficiencies (controls are not operating as originally designed). Test and test again. You will hate sampling, but…
    There are a lot of important deficiencies in the procurement control environment.
    Key Controls
    * System permission rules
    * Segregation of duties
    * Purchase order approvals and authorizations
    * Purchase order limits
    * Limitations by clerk
    * Purchased goods and services must be properly classified
    * Approved and not approved suppliers
    * Duplicate payment review
    * Invoice processing dollar
    * Charges to the right accounting code
    * Processes communicated and followed
    * Tracking of delivery, fulfillment and receiving of purchased goods and services
    * Measurements adequately defined and supported by the process and the transaction systems
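    The key controls listed above are the kind an auditor tests by sampling transactions. The following is an added example, not code from the thread or any poster, showing how several of them (segregation of duties, approval limits, approved suppliers, account coding, duplicate payments and goods receipt) can be run mechanically over a batch of purchase-to-pay records. The record layout, approval limits, supplier list and account codes are all constructed for illustration and stand in for ERP master data.

```python
"""Mechanical control tests over a batch of purchase-to-pay records.

Added example, not from the thread. The record layout, approval limits,
supplier list and account codes below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Purchase:
    po: str          # purchase order number
    supplier: str
    requester: str   # user who raised the PO
    approver: str    # role that approved the PO
    amount: float
    account: str     # GL account the charge was coded to
    invoice: str     # supplier invoice number that was paid
    received: bool   # goods receipt recorded before payment


# Constructed reference data (assumed, not from the page).
APPROVAL_LIMITS = {"cfo": 500_000.0, "it_director": 50_000.0, "it_clerk": 5_000.0}
APPROVED_SUPPLIERS = {"ACME Servers", "NetParts Ltd", "SoftCo"}
VALID_ACCOUNTS = {"1500-IT-HW", "1510-IT-SW", "6200-IT-EXP"}


def run_control_tests(purchases):
    """Return a list of (po, control, detail) findings; an empty list means clean."""
    findings = []
    # Duplicate payment review: same supplier + invoice number paid more than once.
    invoice_keys = Counter((p.supplier, p.invoice) for p in purchases)
    for p in purchases:
        # Segregation of duties: the requester must not approve their own PO.
        if p.requester == p.approver:
            findings.append((p.po, "segregation_of_duties", f"{p.requester} requested and approved"))
        # Approval authority and PO limits per approver.
        limit = APPROVAL_LIMITS.get(p.approver)
        if limit is None:
            findings.append((p.po, "approval_authority", f"{p.approver} has no approval limit"))
        elif p.amount > limit:
            findings.append((p.po, "po_limit", f"{p.amount:.2f} exceeds {p.approver} limit {limit:.2f}"))
        # Approved supplier list.
        if p.supplier not in APPROVED_SUPPLIERS:
            findings.append((p.po, "approved_supplier", p.supplier))
        # Charged to a valid accounting code.
        if p.account not in VALID_ACCOUNTS:
            findings.append((p.po, "account_code", p.account))
        if invoice_keys[(p.supplier, p.invoice)] > 1:
            findings.append((p.po, "duplicate_payment", f"invoice {p.invoice} paid more than once"))
        # Three-way match: no payment without a goods receipt.
        if not p.received:
            findings.append((p.po, "receiving", "paid without goods receipt"))
    return findings


def findings_by_control(findings):
    """Summarise findings as a Counter keyed by control name."""
    return Counter(control for _, control, _ in findings)


# Constructed sample batch: one clean record and several control breaks.
SAMPLE = [
    Purchase("PO-1001", "ACME Servers", "alice", "it_director", 42_000.0, "1500-IT-HW", "INV-77", True),
    Purchase("PO-1002", "SoftCo", "bob", "it_clerk", 12_000.0, "1510-IT-SW", "INV-12", True),
    Purchase("PO-1003", "ACME Servers", "it_director", "it_director", 3_000.0, "1500-IT-HW", "INV-78", True),
    Purchase("PO-1004", "ShadyBox", "carol", "cfo", 900.0, "6200-MISC", "INV-1", False),
    Purchase("PO-1005", "SoftCo", "bob", "it_director", 12_000.0, "1510-IT-SW", "INV-12", True),
]


def run_sample():
    """Run the control tests over the constructed sample batch."""
    return run_control_tests(SAMPLE)


if __name__ == "__main__":
    for po, control, detail in run_sample():
        print(f"{po}: {control}: {detail}")
    print(dict(findings_by_control(run_sample())))
```

    In the sample, PO-1001 passes every test, while the others each break a specific control; the duplicate-payment check flags both payments against invoice INV-12 so the reviewer sees the pair rather than only the second one.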

  • Mostly agree with the previous comments; however, I would caution you to be clear on the difference between procurement and purchasing, as these terms can mean different things to different people.
    Purchasing is typically the process from Purchase Order through Receipt of Goods to Invoicing and Payment. This is clearly an in-scope SOX process and is usually referred to as Purchase to Pay.
    Procurement is largely about the sourcing of purchases, and this can often be outside the scope of SOX, except insofar as it impacts Purchase to Pay. There is no SOX requirement that companies go through tendering processes or evaluate 3 potential quotes or anything like this, although it would be good practice to do so.
    IT purchases would, generally, be no different from other purchases.
    That said, implementation of IT systems, which naturally follows on from the purchase, does need to be controlled using the CONIT objectives or similar.

  • Hi Denis,
    What do you mean about CONIT objectives?

  • Typo - should say COBIT :oops:

  • Hey Guys and Gals,
    Thank you very much for all the comments. They were all very constructive and very useful. I have a meeting with all the BIG IT GUYS today, and that is some great ammo to back up my concern regarding purchasing/procurement of IT software and hardware. I guess it was not a stupid question after all 🙂
    Again, thank you very much for your contributions.

  • One follow-on thought to this:
    Our auditors were very keyed into IT understanding business requirements and having business ‘buy-in’. For purchases like business applications, they want to see such processes be part of an SDLC (doesn’t need to be big and onerous) where the business needs are evaluated and the health and security of the vendor are considered (especially if it’s an outsourced deal). It would be hard to consider a gap here to be a real deficiency, I would imagine, though auditors are a fickle bunch.

  • From what I understand, when purchasing new equipment, especially if it is to run software that has an impact on the financials, you have to make sure it is resilient and will meet the business needs.
    I’m half new to SOX and auditing, although I do have a business degree… this is a learning experience for me.

  • Just for the record, I posted the above… wasn’t logged in.
