List of IT Applications out of Sox Scope

  • Any application that is not related to internal controls over financial reporting (ICFR) is out of the scope of Sarbanes-Oxley.
    e.g. CRM, Bill of Materials, Replenishment Planning, Product Design, etc.
    If these applications are not interfacing any Cost/Price information to the main ERP system, then they are out of Sox scope.
    Can we enlist such applications here?

  • Bill of materials is in scope because the Bill of materials is used in the valuation of Finished Goods and Work-in-process.

  • This list would be informative; however, as a precaution I still think that all applications should be subject to best practices and SOX 404 compliancy where possible, for the following reasons:

    1. Non-Sox applications can feed or interface with SOX applications. There are always lots of indirect ‘intra-system’ relationships where one input system feeds another. For example, you might have a notepad or diary system that has no financials on it. It’s used for notes, action lists, or next steps and interfaces with another system that is supposed to be SOX compliant.
    2. Sox compliant apps need to be addressed 1st, but it’s good to have universal standards for everything. It takes hard work to comply with SOX standards and you have to address the mission critical ones 1st. However, operating under 2 sets of standards creates confusion and would weaken your primary SOX approach if developers or control folks start seeing 2 sets of standards. I’m thinking this way because we’re an insurance company and almost every system is of a financial nature. To me, only a few things like our company Intranet (where you might have departmental home pages, a phone directory, etc.) might be seen as ‘non-SOX’.
    3. There’s goodness in being SOX compliant everywhere. If it’s done right, SOX has all the good controls auditors and IT professionals desire in application systems. Even though I’m an IT guy, I have the utmost respect for auditors and the value-added benefits they bring to the company. Yes, sometimes they’re like the traffic cop that gives you a ticket for doing 66mph in a 65mph zone 😉 🙂 What I’m trying to say here is that if an auditor finds a total lack of control in a non-SOX compliant application, they may still make comments to the executives and board, in the context of a SOX audit. Since SOX interpretations are more of an art than science in the judgement of interpreting rules I’d recommend looking for indirect relationships and single standards for everything.
      I hope this isn’t getting off-topic here, as truly non-SOX applications don’t need to be rigorously sampled/tested and have the 1st priorities in being made SOX compliant. However, to me if an application has a ‘money field’ or other accumulator in it, I’m thinking SOX compliancy right away. This concept may be more applicable for insurance companies, and just wanted to share some ideas to look for those indirect relationships.

  • Harry makes some good points:

    • It is important to consider the interdependencies among the IT applications at the company to assess if an IT application is within scope for SOX purposes.
    • Development and implementation of general control standards may not have a direct impact on SOX compliance initiatives for IT applications that are clearly determined to be outside the scope of SOX.
      However, effective general control standards have an impact on the general control environment, and this is clearly within scope and generally accepted by professionals to be an integral part of the IT governance framework.
    • Recent statistics have shown that the number of financial restatements has significantly increased for US registered companies from the previous year. Similar data is surfacing as well for companies in the UK. Thus, a direct correlation seems to exist between complying with SOX requirements and the production of accurate and reliable FS.
    As for compiling a list of non-SOX IT applications, this exercise would raise more issues than it would resolve, for the following reasons:
    • Companies use IT applications differently, in varying business models, and their relevance to the financial reporting process is dependent on the company’s specific use of and reliance on the IT application. Thus, at one company, Bill of Materials might be considered to be within scope; at another, out of scope.
    • An IT Risk Assessment can be helpful to compile an inventory of IT applications, link the applications to the FS assertions, IT control objectives, etc. Again, the results of the IT Risk Assessment will drive whether the IT Application should be considered within scope for SOX purposes.
      It might be helpful to also consider the established guidance and definition of ICFR to assess if an IT application should be considered in scope:
      Internal Control Over Financial Reporting
      In the SEC’s Final Rule on Management’s Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, the SEC has defined internal control over financial reporting as
      ‘a process designed by, or under the supervision of, the registrant’s principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:
      (1) Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant;
      (2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant; and
      (3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant’s assets that could have a material effect on the financial statements.’
      In short, if a nexus can be established in the definition of ICFR and the IT Application considered for scoping purposes, a high likelihood exists that the IT Application may be considered within scope for SOX purposes.
      Hope this is further help.
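Both the point about indirect ‘intra-system’ relationships (the notepad system that feeds a SOX application) and the suggestion to use an IT Risk Assessment to inventory applications and link them to the financial statements come down to one question: which applications can reach an ICFR system through any chain of interfaces? The following is an added example, written for this thread rather than taken from any poster, that answers it mechanically over a constructed, hypothetical inventory. Application names, the interface list and the choice of ERP-GL as the ICFR anchor are all assumptions made up for the illustration.

```python
"""Transitive SOX-scoping over an application interface inventory.

Added illustration of the thread's point that a system with no financial
fields can still be pulled into scope because it feeds one that is.
The inventory and interface list below are constructed sample data,
not any company's real application landscape.
"""
from collections import deque

# Constructed inventory: application -> set of applications it sends data to.
INTERFACES = {
    "Notepad/Diary": {"Claims"},            # no money fields, but feeds Claims
    "Claims": {"ERP-GL"},
    "CRM": {"Order Entry"},                 # customer orders flow onward
    "Order Entry": {"ERP-GL"},
    "Bill of Materials": {"Inventory Valuation"},
    "Inventory Valuation": {"ERP-GL"},      # WIP / finished goods valuation
    "Product Design": {"Bill of Materials"},
    "Intranet": set(),                      # departmental home pages
    "Phone Directory": {"Intranet"},
    "ERP-GL": set(),                        # the general ledger itself
}

# Systems directly tied to ICFR. Assumed for the example: only the ledger.
ICFR_ANCHORS = {"ERP-GL"}


def upstream_of(targets, interfaces):
    """Return {app: path} for every application that reaches any target
    through one or more interfaces. The path records why the application
    is in scope, which is what a risk assessment needs to document."""
    # Build reverse edges: target -> set of sources feeding it.
    feeders = {app: set() for app in interfaces}
    for src, dsts in interfaces.items():
        for dst in dsts:
            feeders.setdefault(dst, set()).add(src)

    reasons = {t: [t] for t in targets}   # anchors justify themselves
    queue = deque(targets)
    while queue:                          # breadth-first walk against the flow
        app = queue.popleft()
        for src in feeders.get(app, ()):
            if src not in reasons:
                reasons[src] = [src] + reasons[app]
                queue.append(src)
    return reasons


def classify(interfaces, anchors):
    """Split the inventory into in-scope (with justification path) and
    out-of-scope applications."""
    in_scope = upstream_of(anchors, interfaces)
    out_of_scope = sorted(set(interfaces) - set(in_scope))
    return in_scope, out_of_scope


if __name__ == "__main__":
    in_scope, out_of_scope = classify(INTERFACES, ICFR_ANCHORS)
    print("In scope (with the chain that pulls each one in):")
    for app in sorted(in_scope):
        print(f"  {app}: {' -> '.join(in_scope[app])}")
    print("Out of scope:", ", ".join(out_of_scope))
```

Run as-is, the walk pulls Notepad/Diary, CRM and Product Design into scope even though none of them carries a cost or price field, because each reaches ERP-GL through intermediate systems; only the Intranet and the phone directory remain outside, which matches the one category Harry was willing to call ‘non-SOX’. The justification path is the part worth keeping in the assessment record: an auditor asking why a diary system is in scope gets the chain, not just the verdict.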

  • There is a SOX application called Conformus by a company called Stridus which can interface any Cost/Price information with the main ERP system and has all the integrated features for SOX Audit and Controls management.
    So I don’t agree that all solutions are out of Sox scope.

  • The Stridus Conformus solution seems to be a SOX tool which extracts info.
    What is its relevance here for out-of-Sox-scope applications?

  • Oops… yes, I got your question wrong, but…
    Any application that is not interfacing cost/pricing to the main ERP system also falls under Assets management, which is pertinent to SOX.
    The point I’m trying to make here is that an application or software is a cost or investment of time and resource to the company which is measurable. So no application is beyond the scope of SOX.

  • Any application that is not related to internal controls over financial reporting (ICFR) is out of the scope of Sarbanes-Oxley.
    e.g. CRM, Bill of Materials, Replenishment Planning, Product Design, etc.

    About CRM: do you use your CRM system to take customer orders? I would imagine that the size and number of customer orders is somehow important for reporting.
    Also, many CRM systems have the capability to make some sort of customer refund if there are failures; this refunding needs to be carefully controlled?
