The Sarbanes-Oxley Act of 2002 has been in effect for 15 years now, and many companies have embraced it due to the benefits they have noticed within their IT security software. This all despite the rising price of the SOX compliance audit and the increased hours spent on it. According to Protiviti’s annual SOX compliance survey, in 2016, 48% of non-accelerated filers and 63% of emerging growth companies spent more time on SOX compliance than in 2015.
From our previous blog, we know what a SOX compliance audit entails and what you can expect. With the looming cost of a SOX audit, you'll want to make sure you are fully prepared and can get the most from your compliance audit for your organization. That's why we've compiled resources and best practices to not only help you prepare for an audit but to also help ensure you're compliant for years to come.
Performing a self-audit has become an integral part of preparing for a SOX compliance audit. You can even set up an audit committee within your company which can only enhance the integrity of your company’s audit process.
A self-audit provides you with a look into the future, bringing to light any issues you can take care of prior to your external audit.
Review Employee Training/Educate Staff
Is your staff trained? One way to prepare: Make sure all users are trained on your organization’s security policies. Your employees should understand the basics of SOX compliance. When employees are knowledgeable of what is SOX compliant, they are less likely to engage in fraudulent activities. In addition to educating staff, you may want to monitor the activity of privileged users, business users, and vendors.
If there is still a concern on whether or not your staff understands SOX compliance, the option of finding SOX experts for training programs exist.
Document/Have an Audit Trail
One of the best things organizations can do when preparing for a SOX compliance audit is to document. Having an audit trail is essential to ensuring your company is secure with its financial assets. There should be a record of everything that happens and the information must be coherent enough for employees to understand.
Your company should be able to track exact actions and have user activity logs for reporting. The Public Company Accounting Oversight Board (PCAOB) now requires more in-depth documentation and proof that upper management has reviewed said materials.
Having an audit trail supports the prevention of suspicious activity occurring by being proactive.
Many companies ensure they are SOX compliant by having a supportive file integrity monitoring software (FIM). The Sarbanes-Oxley Act specifies there must be documentation of changes made, ideally in real-time. This is where FIM comes into place.
SOX 404 covers the management of internal controls which includes:
Risk Assessment: The identification and analysis of relevant risks to the achievement of objectives, forming a basis for how the risks should be managed.
Information and Communication: Systems or processes that support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.
Control Activities: The policies and procedures that help ensure management directives are carried out.
Monitoring: Processes used to assess the quality of internal control performance over time.
These can all be recorded using file integrity monitoring software, such as Cimtrak to guarantee your company is SOX compliant for your next external audit. For more on how to prepare, it may help to review a SOX compliance checklist for more information.
While the SOX section 404 does not specifically mention the tools used to stay compliant, it does state that management is responsible for “establishing and maintaining an adequate internal control structure and procedures for financial reporting”. This of course can be done with the support of file integrity monitoring.
Integrate File Integrity Monitoring
With the capability to monitor any changes made to files, a file integrity monitoring tool can provide real-time data from your company’s network and user roles, all while validating the integrity of the applications and operating systems. Integrating file integrity monitoring into your preparedness supports not only your end goal to be SOX compliant, but also keeps all changes made recorded to aid in your audit trail.
Now that you hold the knowledge to prepare for your upcoming SOX audit, you can begin to ensure you’re compliant with the above-mentioned tips. If you are not 100 percent sure of your organization’s SOX compliance status, a great first step is to make sure your IT security software is up to date. With that behind you, you can begin to plan the self-audit and more.
August 31, 2017