SOX

The Corporate Accountability Bill sponsored by Senator Paul Sarbanes and Representative Michael Oxley was passed into law in 2002. It contains a number of provisions that impose obligations on public corporations designed to ensure transparency of operations and accountability. These provisions are designed to address specific business processes and ensure that auditable records are retained. Business Records today are heavily digitized, the result is a considerable impact upon the IT environment, particularly in storage processes.

Benefits

Benefits of Implementing SOX include:

• A more engaged control environment – with active participation by the board, the audit committee and management.
• More thoughtful analysis of monitoring controls, along with recognition that monitoring is an integral part of the control process.
• More structure year-end closing process and recording of journal entries Thus recognizing the extent to which theses areas have increased in complexity.
• Implementation of anti-fraud activities with defined processes in place, including responsibility for follow-up by defined parties and resolution approaches.
• Better understanding of the risks associated with general computer controls, and the need to improve both control and audit procedures to gain assurances that the risks associated with computer systems are mitigated.
• Improved documentation of controls and control processes that can serve as the basis for training practical day-to-day guidance and management evaluation.
• Improved definition of controls and the relationship of controls and risk across the organization.
• Control parameters becoming embedded into the organization with a broader understanding by operating personnel and management of their responsibility for controls.
• Improvements in the adequacy of the audit trail as a basis to support operations as well as to support audit assessment of control adequacy and financial reporting.

The Challenge

SOX primarily targets financial documents and financial reporting but it is clear that the overflow effect will be to include an ever-increasing variety of data that may be used to support those materials.

SOX has an immediate impact within the data storage area, which provides penalties for destruction, alteration or falsification of records. It prohibits destruction of corporate audit records. The records covered are as broadly defined as any that may be required in a federal investigation or bankruptcy proceeding. While financial records are the principal interest, other records such as communications regarding transactions and documents relating to projects may also fall within the Act’s purview.

The effect upon data storage processes is that all documents must now be protected against willful deletion, alteration or destruction, with the burden of proof on the corporation to prove that alterations have not taken place. Documents that are relevant to an audit or review need to be retained for a period of seven years. Since the scope of a review cannot be determined in advance, this could potentially include communications, project documents, memos, plans, specifications, and pronouncements.

To accelerate SOX compliance as well as safeguard confidential information, companies need automated solutions and processes that provide full visibility into all activities and automated workflows for distributing reports and getting sign-offs from compliance oversight teams. In addition, they need a unified approach that provides auditing, as well as real-time security capabilities such as policies, alerting and blocking of unauthorized activities.

SoftExpert GRC Suite is easy-to-use, comprehensive compliance software for automating and managing business processes. It also controls documents, projects, changes, risks, and related activities in a secure environment. SoftExpert Excellence Suite provides an automated, searchable system for documenting internal controls and business processes to help ensure SOX compliance.

With SoftExpert GRC Suite, users can create, collaborate, log, execute and conclude business transactions in a structured, efficient environment. Through SoftExpert Excellence Suite, users across an organization can immediately access information regarding a process or project, including all outstanding issues, approvals, statuses, discussions, and communications.

 

SoftExpert GRC Suite offers automated controls in the areas of:

Module	SOX Compliance and Requirements
SE Document	Maintains SOX documentation in a secure, centralized system that can be accessed by users and auditors from virtually anywhere. Automated task assignments, routing, escalation, review, and approval increasing efficiency for the internal compliance team. Changes are automatically tracked and approvals are streamlined. Enables external auditors to search and retrieve documents quickly and easily, resulting in savings of billable hours used. Compliance history always accessible. Retains documents according to company policy, anywhere from 24 hours to several years or longer. Retention can be configured by document category.
SE Process	Ensure processes are defined, planned, and documented. Ensure processes are monitored and controlled. Creation of approval cycles to enable full visibility and accountability for executive management. Advanced tracking and reporting capability. Real-time view of a company's SOX environment, allowing continuous monitoring and processes improvement, increasing confidence among executives, process owners, and auditors. Processes can be carried out under controlled conditions: documented instructions, in-process controls, and approval of processes and controls.
SE Project	Automated task assignments, routing, escalation, review, and approval, increasing efficiency for the internal compliance team. Compliance history always accessible. Ready to use, proven project management process aligned to de facto standard PMBOK approach. Provides tailoring of additional and organization unique processes and reporting capabilities. Provides project classification schemes. Projects associated with or impacted by Sarbanes-Oxley can be tracked and managed. Templates and checklists for tracking and managing changes. Provides project and product development processes. Provides stage-gates approach for projects, including scorecard criteria and criteria for a "go/no-go" decisions.
SE Risk	Manages enterprise and operational risks. Risks, controls, and tests are linked for traceability. Risk framework can easily be configured to a variety of organizational structures or methodologies, enabling organizations to adapt the solution to their unique systems and processes. Supports a top-down risk assessment approach and a process level risk assessment approach that analyzes business process across the organization. Automates the tracking of inherent, target and residual risks. Identifies and scores enterprise-wide risks based upon significance and likelihood, and tracks controls related to each risk. Provides a framework for establishing risk management goals and priorities, identifying action plans and ownership, and monitoring progress against goals. Robust reporting features such as dashboards, heat maps, and key risk indicators enabling executive monitoring of critical risks.
SE Audit	Audits are planned and performed. Results of audits are communicated to management. All findings are corrected and registered. Manages any required corrective action. Ensures corrective actions are carried out on time.
SE Action	The causes of problems in processes or controls are identified and registered. Specific problems and their causes are corrected. Effectiveness of corrective actions assessed. Review and disposition of nonconforming processes or controls is formalized. Ensures that appropriate corrective action is decided upon and implemented. Ensures that responsibility for corrective action is clearly defined. Keeps records of all complaints and follow-up actions. Corrects any deficiencies before they can cause defects in products or processes. Keeps records of defects, the investigation of their cause and the corrective actions.