What defines a Key Financial System?



  • Within my job as an IT Service Continuity Analyst we have a remit to Disaster Recovery test and prove the integrity of all ‘Key Financial Systems’ to ensure the organisation’s SOX compliance.
    So far I have not been able to find a clear definition of what constitutes a ‘Financial System’ or ‘Key Financial System’ in relation to the Sarbanes Oxley Act.
    For example is a ‘Key Financial System’ one that reports on financial data or manipulates financial data or both?
    Is it one that deals with ledger amounts of greater than 40,000,000 or greater than 20,000,000 or neither?
    Can anyone help with this and define or point me in the direction of a clear definition in relation to SOX?



  • Hi Dave and welcome to the forums 🙂
    As a starting point in meeting DR requirements, I’d recommend taking an inventory of all of your various systems (e.g., even those indirectly related to ‘finance’). Typically, in business applications the outputs of your sales or other applications become the input to your backend accounting systems.
    I’m more of an IT person and less versed on the legal requirements. With that caveat, to me a ‘key’ financial system is any application which has data that will ultimately be reported to meet SEC filing guidelines and that corporate executives must sign off on, to meet SOX 302 requirements.
    These key systems must have assurances of ‘checks and balances’, ‘separation of duties’, and all the great classical IT controls in place. With SOX you’ll need to develop special tests and look for ways to assure audit professionals that there are no opportunities to ‘cook the books’. This is where the SOX 404 standards and other controls factor in.
    Thus, it’s important to ascertain your entire flow of financial transactions regardless of size (e.g., if a small system feeds your accounting process it is still important).
    From a DR perspective, you don’t want to lose anything anyway. Any application that’s in the critical path for financial statement reporting flow is important to consider in addressing these needs. This includes your front-end customer service/sales apps all the way through your back-end accounting/reporting systems.



  • To identify your key financial systems, you have to work backwards from your financial statements.
    What general ledger accounts feed your financial data?
    What processes drive information feeding those GL accounts?
    What systems support the processes driving the information?
    While taking an inventory of all systems and trying to make the determination as to whether or not the system is a financial system ensures that all systems have been considered, you must map all of your processes to supporting systems in order to make your final determination.



  • Protiviti Consulting addresses the question to determine if an IT application is considered in scope for SOX purposes.
    See Question #42 on page 25:
    ‘…How does the Section 404 project compliance team determine the critical applications for each key business process?’
    The resource document may be found at:
    protiviti.com/downloads/ProtivitiSOA_ITRiskControls.pdf
    The document contains a lot of other useful information and guidance for professionals interested in a SOX IT implementation.
    Hope this helps,
    Milan



  • We prepared a system mapping chart which maps various business processes to applications and related systems. The systems and applications included were all taken as financial systems for the purpose of SOX irrespective of the quantum of D, SD or MW they can introduce.
    Once you have made the mapping you can easily identify the significant systems. Many applications are interrelated with interfaces to each other and this sometimes makes singling a system out a difficult job. This is the reason we took all of them.
    As kymike said you have to work backward. I would suggest you talk with the business process owner and refer to the process narratives for guidance.
    Calvin

