SOX and IT (Section 404)

  • Hello All,
    Clarification on detail of Section 404 or any other IT related SOX act (version 2) would be appreciated. Being new in this arena, I would like to thank all of you for your help in advance. If any link or doc that has more detailed information than just the act itself, would be highly appreciated.

  • Hi and welcome to the forums 🙂
    SOX 404 was written in a somewhat general and nebulous way, as it has to deal with all types and sizes of companies. Secondly, companies can have diverse hardware and software configurations (e.g., mainframe, AS/400, UNIX, Linux, Windows, etc.).
    SOX 404 requires management’s oversight that all IT controls related to financial applications are being satisfied. Separation of duties, autonomy controls in the workflow, and strong security controls are examples of solutions. Also risk management, documentation, controls testing, and other activities tie into the process.
    Satisfying SOX 404 requirements in today’s environment is usually done by external auditor confirmations using COBIT checklists in some cases. It might be good to contact the external auditors for SOX 404 ideas and guidance as companies sometimes either implement too much or too little.
    Below are links within our forums that might help get familiar with SOX 404 and related issues. Many of these links are educational and have helped me gain a better understanding of requirements and ‘real world’ issues related to SOX. Good luck 🙂
    SOX Forums - IT Issues (numerous threads)
    SOX Other Legislation and Issues (look for articles often shared)
    Free COBIT 4 guidelines after registering at ISACA
    SEC approves Sarbanes-Oxley changes for section 404
    Article: Sarbanes-Oxley Standards for DBAs in plain English
    P.S. Below are a ton of links on SOX in this post … As linking outside the forums is prohibited, please copy the URL below to your browser and add www … I’ve found the sarbanes-oxley101 sites helpful in putting this more into plain English 😉

  • I would maybe step back a bit from there.
    SOX section 404:

    1. Outlines the responsibility for management to maintain an adequate system of internal control over financial reporting
    2. Requires management to make an assessment of that system of internal control and report it in the accounts.
      The Act requires nothing more specific than this, although guidance notes issued by the SEC indicate that management should utilise a recognised ‘Framework’. This is generally taken to mean COSO.
      That all said, typically what is required in relation to IT is well referenced in Harry’s response. But please be clear that what is REQUIRED very much depends on the size and complexity of your business and the processes that you have deployed. There is no one right answer on any of this.

  • ^ One idea to complement Denis’ good response above …
    SOX 404 requirements are somewhat vague beyond the 2 points noted. However, in practice, IT requirements have somewhat normalized over time around the COSO/COBIT framework (e.g., YMMV, as these are not absolute standards … however, these PCAOB-accepted checklists are often used by external audit firms that engage in SOX-based audits).
    It would be worthwhile to touch base with the external auditors to see what they are looking for with respect to fulfilling SOX compliance requirements.

  • Thanks all for your helpful responses.

  • this info was very useful, thanks 😄