SOX Directors/Managers and a corporate SOX compliance plan

  • Hello all.
    This question is geared towards those in the position of managing a company’s SOX compliance effort.
    I was hoping to get some opinions on what a SOX Compliance Director/Manager should consider regarding a complete SOX compliance plan for their company. I know this is a very broad question, and there are the obvious basics such as tone at the top, management certifications, testing of controls, SAS 70 evals, and so forth.
    However, I’d like to hear others’ opinions on their outline of the SOX compliance plan for their company, both short and long term. I’m interested in the areas or steps you feel are important to perform and how you plan to accomplish that.
    Thanks for reading.

  • Hi and welcome to the forums 🙂
    Below is a cut/paste of some general recommendations previously shared … The cornerstones for success include: Planning, Education, Training, and Commitment … Good luck to you 🙂

    1. Set up a Project Plan for meeting SOX compliancy requirements (Research and explore what is needed prior to doing anything). Good planning will pay dividends for establishing this process.
    2. Get training right away. The core team and especially the leader of the process should invest a week or so in training. Consider attending a formal seminar away from work where you can focus and interact with other participants. This will create a good foundation for what’s required.
    3. Perform an inventory of all your IT applications. Identify all of your financial systems and look for any indirect relationships.
    4. In conjunction with the inventory, examine the workflow and human factors surrounding financial processing.
    5. After the inventory, perform a Risk Management study on all your financial applications (looking at possibilities that someone could either accidentally or intentionally alter financial records).
    6. Look at ways of strengthening the Financial process and implement new controls (e.g., versioning, change management, and security)
    7. Evaluate random sampling controls and requirements for your financial applications to set up a testing/sampling program on controls each quarter or month, depending on the needs.
    8. Evaluate the SOX 404 standards for best practices associated with IT control improvements. Set up a plan to implement and improve standards. Evaluate the COBIT 4.0 standards for IT controls over financial applications (note that COBIT 3.0 is the minimal acceptance level).
    9. Work closely with both internal and external auditors and gain their approvals for the work that will be done.
    10. Set up an e-Library (electronic documentation library) to include all your SOX documents, test plans, communications, etc.
    11. Make sure you obtain senior management support for the process. It is an important aspect for implementing change. They must also support the additional work, human resources, and costs that will be needed to gain compliancy.
    12. After the initial process is implemented, continue to improve the SOX controls and keep up-to-date with changes in business and legal requirements.

  • Thanks Harry. I appreciate your input.