How do you write an IT SOX Narrative?

  • How do you write an IT Narrative?
    What needs to be included in the narrative?
    Are there any forms or templates I can download?
    What is a good site to help me write an IT SOX narrative?

  • Before you start trying to write a narrative, you will need to understand what controls you do or should have in place. The narrative explains how information flows and processes / controls operate.
    In addition to general IT controls, you will need to identify significant financial applications that reside within your IT infrastructure. Quite often, the identification of these systems is performed by the finance team and communicated to the IT team to ensure that proper application controls are in place.
    Your narrative should cover both the design of controls (are the right controls in place, are they system or manual controls, etc.) and the operating effectiveness of those controls. Both general IT controls and application-specific controls (financial) should be covered.

  • Well said, Kymike.
    IT narratives for SOX should not include everything, but should describe the processes for Program Development, Program Change, Access and Operations as followed for the in-scope IT applications and systems only.
    Select one of the processes, say Program Change, and capture in detail (including the who, when, where, why and how) how change management is handled for each in-scope application and system. Identify in this description the various controls that are built into the process and the policies which are used as guidance.

  • ^ Adding to the excellent recommendations made above
    A picture is worth a thousand words … I’d recommend some Visio diagrams (or another drawing/flowchart tool) for items like workflows, procedures, IT financial system processing flow, etc. Most auditors I’ve worked with prefer flowcharts to help complement the narrative text. Good luck in your documentation efforts 🙂

  • Also remember to include details of the interfaces between the SOX system for which the narrative is being written (e.g. a legacy system or an ERP like SAP or JDE) and other systems which have a financial impact.
    In the case of a SOX narrative for EDI, it will be the interfaces via VAN or VPN with trading partners and customers.

  • Part of the question that I did not see an answer for was ‘is there a template’ or samples that can help us newbies? I have one left from the previous consultant, but it doesn’t make sense to me and I’d like to craft one that does. But like you said, a picture is worth a thousand words, therefore seeing a sample (or samples) would really help.

  • I have seen more than one organization use only and ONLY Excel templates for IT SOX. In most of the cases, the policies and procedures maintained by the IT organization act as the narrative.
    Most organizations getting certified under SOX would already be ISO 9000, CMM or BS 7799 compliant. They would have created process flow documents for this, and the same can act as a narrative.
    Again, these documents will act as supporting documentation for the SOX assessment and will not be the narrative by themselves.
    Assess your organization against COBIT for SOX, released by ISACA. That would be an easier way to carry out your SOX assessment.
