Aggressive Web Site Controls? 2766

  • Hello,
    I work at a large company that maintains a b2b web site. On the site we allow customers to search inventory and place orders. All information on the site especially anything financial in nature is a straight pass-through to our back-end ERP system, i.e. the web site is not a system of record for anything, much less anything that accounts for, stores, or processes money. The web site cannot violate any processing or integrity rules established by the ERP system (no back doors).
    Our IT governance committee maintains that the web site is under sox governance because it captures the orders. I’m having trouble with that. With that logic I should also be required to randomly audit end-user’s browsers because they also show screens that capture the order (which is of course preposterous). I maintain that just as the end customers’ browsers are passive, so is the web application itself.
    My previous employer (also large and public) having a very similar web site decided that their web site need not be under sox controls as it was a passive pass-through and that their ERP was where the focus needed to be.
    I know if I ask an auditor I’ll be told the desirable policy will be to put it all under sox and be safe. My problem is that a public-facing web presence really needs to move and respond very quickly, which is nigh impossible under sox controls, which can add several weeks to implement a simple change.
    Is my previous employer’s policy passable and is my current employer being a bit over-cautious?

  • Section 404 of the Sarbanes-Oxley Act deals with internal control over FINANCIAL REPORTING. In other words it deals with measures that try to assure the quality of quarterly and annual financial statements. Only risks of at least reasonably probable erroneous or fraudulent misstatements that are MATERIAL in relation to the consolidated financial statements matter (i.e. low risks of misstatements regardless of their magnitude and misstatement of an immaterial magnitude do not matter).
    The placing of customer orders itself does not trigger accounting postings in the ERP system and has no effect on the financial statements. Only the later shipping of the goods will impact the financial statements through debiting cost of goods sold and crediting inventory as well as debiting accounts receivable and crediting sales revenue.
    When you discuss it with them, ask them to specify which risks of an at least reasonably probable material misstatement to the consolidated financial statements they see. They will have a hard time.
    Of course if the web based customer order application has mistakes it could impact the business in several ways that would not MISSTATE the financial statements, but create a mess:
    e.g. inventory balance information in the web application does not match the balance in the ERP system and customer orders that cannot be fulfilled for a longer time due to lack of inventory are accepted, but the customer receives no warning because the system thinks there is enough inventory
    e.g. the price in the web based system does not match the one in the ERP system resulting in the wrong prices in the order and later in the invoice
    e.g. the order quantity does not get properly transferred from the web based system to the ERP system and results in the wrong quantity being shipped and the wrong amount being invoiced.
    Actually offering the wrong price in the web based system to the customer and accepting an order at this wrong price in the web based system would be the only risk that COULD hit the financial statements. If the price is so low that it is below the full product cost, you would need to post a provision for future losses immediately after accepting the order (i.e. even before shipping). So the system should be thoroughly tested that it properly retrieves the price from the ERP system and that direct changes to prices are prohibited in the web based system.
    In conclusion, the web based application is not in the scope of SOX, but there should be some minimum software quality controls.

  • Hi TF – In addition to the EXCELLENT advice offered by gmerkl, I’ll share some additional thoughts:

    1. SOX represents minimalist standards for security compliance to ensure IT based Financial systems are well controlled. Other standards like PCI/DSS, HIPAA, SOX-70, etc., could require higher levels of control. As gmerkl shares, SOX 404 states that IT Financials will be properly reported on the company filings. The ‘how’, ‘what’, ‘when’, ‘where’ are what we all wrestle with doing well 🙂
    2. SOX is subject to human interpretration as they are written as high-level goals that sometimes 2 companies will interpret them differently. Many SOX auditors use COBIT 4 as an IT guideline for SOX compliancy.
      Free copy can be found here:
    3. When it comes to protection of sensitive customer information or financial transactions, err on the side of caution. Your company could have a serious material liability if it were hacked and customer information like SSNs, credit cards or bank account #s were extracted by the bad guys.
    4. I’ve always advised folks to check with their SOX auditors to get a 2nd opinion, as they will be evaluating the process later and certifying controls to senior management

  • Of course you should always ask the opinion of your registered public accounting firm over SOX matters because they will later audit the effectiveness of your internal control over financial reporting.
    However, since they receive an audit fee from your company for their work, they have a monetary interest in doing as much work as possible (i.e. they have an interest to be overly cautious because it limits their own possible liability and generates higher audit fees for them). In the interest of your company and your shareholders you should try to minimize your own internal cost of assessing the effectiveness of internal control over financial reporting and to minimize the work of the external auditor and thus the audit fee.

  • ^ Definitely agree with this good advice 🙂
    Esp. in light of audit costs DOUBLING in many companies with the advent of SOX . In my past experiences, it’s been basically a quick phone call with no charges for advice or opinion but ‘your mileage may vary’ based on the SOX Audit professionals who are assigned to your account. We also had great internal auditors who helped guide us in these situations as well.
    If you don’t feel you’ll get ‘free advice’ or that you may be ‘opening up Pandora’s box’ by sharing too much information that could be misinterpreted – then you’re better served by NOT sharing too much detailed information. In that case you can do your own research and take your best shot at ensuring you are in compliance with SOX 404 IT based controls.

    web site is not a system of record for anything
    P.S. In re-examining the original post, I also see a fairly good design principle of not storing any sensitive or accounting info on the web servers and this system is basically a ‘means to an end’ (or tool) rather than a financial system per se. You’re most likely safe in not having full blown SOX requirements surrounding it (but certainly you want to keep good security and e-commerce type controls in place - as you would for any front-end system.

Log in to reply