While perusing a draft of "IT Control Objectives for Sarbanes-Oxley, 2nd Edition", I discovered several profound statements in the section on compliance and IT governance: "There is no such thing as a risk-free environment, and compliance with the Sarbanes-Oxley Act does not create such an environment. . . . Good IT governance over planning and life-cycle control objectives should result in more accurate and timely financial reporting." This thinking lets today's IT auditors focus on the key controls posing the most risk, rather than those on the fringe.
This approach is having a major impact on hard costs, substantially reducing the cost of the SOX audit by limiting testing to key controls, and on soft costs, reducing the amount of time IT groups spend compiling voluminous evidence for auditors. More important, we are seeing more knowledgeable internal SOX teams working in a friendlier environment with external accountants, in part because all parties have more experience working together.
This situation can save companies money, but only if their outsourced and in-house auditors understand the intent of the IT control objectives. Companies must address the controls accurately and be diligent about staying within their scope. Without strict adherence to the intent of each control activity's description, teams often move in different directions. By the time a description is reviewed and people realize what happened, time has been wasted and the project is delayed.
Change management poses one of the most difficult challenges to IT staff, because many companies don't have formal policies or procedures in place, and a documented change-management process is a major requirement of SOX. When asked how they manage changes, most IT groups reply, "We know what needs to be done, and everyone works as a team." One of the most frequent questions I get from IT groups is, "When can I use an [IT change request] instead of a very detailed change management policy?" A proper answer is that an IT change request covers standard IT maintenance performed during regularly scheduled maintenance windows. Such change requests usually do not have a substantial effect on the company's financial results.
A change-management policy is used for projects that could have a major effect on a company's financials. In the policy, the business process owner should describe what action is planned, the effect it will have, the benefits it will provide and the resources it needs, as well as the timeframe to complete it (including a back-out plan), a plan for user acceptance, and any other particulars. The policy is sent to all involved parties and a detailed plan is laid out that must meet everyone's approval. When a project has a major effect on financials and requires several groups to participate to ensure a successful completion, the risk level is high. The change management policy must be followed, and the IT auditors will be testing to see whether your organization adhered to its written procedures.
Kamens has a law degree, is a certified information security manager and is director of IT at Accume Partners. He can be reached at firstname.lastname@example.org.