Furthermore, many of these projects, which involve review, documentation and testing of the procedures and controls, are redundant to the work you do each day to ensure your IT infrastructure is meeting business requirements.
Compliance with SOX, including Section 404, is required of both public companies and public accounting firms. Whereas the company is required to document, evaluate, test and report on the controls over financial reporting, the public accounting firms are required to perform their own evaluation and testing of the controls, and they must also review and evaluate the company’s 404 documentation, testing and reporting. This means that an IT department will have to satisfy multiple requirements and participate in at least two separate audits.
Sound complicated? It is.
Even if you are not a public company CIO, you still may not be free of the requirements of Section 404. SOX is a broad set of regulations put in place to govern public companies and public accounting firms. The SEC created the PCAOB (Public Company Accounting Oversight Board) to govern and manage public accounting firms. New PCAOB standards apply to all areas of public accounting and range from SOX compliance to general audit practices.
This means that if you are managing an IT department in a private company that is audited annually, you may have to meet IT standards that were determined as a result of Section 404 audits.
How many of you have heard of the term “integrated audit”? This is an audit that integrates internal controls auditing into the standard audit procedures. A key component of an integrated audit is the review of IT general controls.
The review process for IT general controls involves documentation, evaluation and testing of IT controls. For public companies this typically takes place during the 404 process, but for private companies it will take place during the year-end audit.
Simplifying the Situation
In either case you will need to manage multiple requests to enhance IT documentation, provide documentation in specific formats, change your operating procedures and endure testing by multiple parties.
How do you avoid the costly task of reproducing documentation in multiple forms and formats, while clearly communicating to business units their understanding of, and roles in, SOX compliance? Here are 10 ways to ensure you won’t be lost in the translation:
1. Get educated. Ask your finance team to facilitate a meeting with your public company accountants so they can provide insights into IT general controls. In addition, there are many materials available on the Internet that specialize in SOX 404 for IT, from sources such as public accounting firms and ISACA.
2. Make sure you’re all on the same page. Be sure your team understands how SOX fits into the IT environment. Make sure the IT group is involved from the beginning of the project and is updated and included in the review of business processes that rely on IT systems and infrastructure.
3. Leverage the documentation you already have in place. For example, many pharmaceutical and manufacturing companies already have to comply with federal regulations, and many are ISO 9000 certified. It is important that IT departments leverage existing procedures, policies and documentation in their SOX programs.
4. Design your program to fit your business needs. Don’t adapt what you do to fit a generic set of best practices. Your IT SOX 404 program should be tailored to your business requirements.
5. Hire advisors that understand both IT management and SOX 404. Many CPA firms are experts in accounting, auditing and SOX but have never managed an IT department, and many companies require front-line expertise to determine what makes sense for the company. A significant amount of translation is required to convert accounting practices into terms and actions that can be implemented by the IT department.
6. Inform the executive team. Be sure the executive team understands what IT does and how it fits into the program. The CIO or counterpart should be part of the SOX steering committee.
7. Modify your standardized procedures. Ensure that all business units follow standardized procedures for evaluating, documenting and implementing controls. But keep in mind that processes may vary from business to business. Develop procedures for identifying and describing why some IT controls vary from unit to unit, and have a methodology for standardizing controls where it makes sense.
8. Don’t try to take on too much at once. Complying with SOX 404 is a daunting task for many IT organizations. Prioritize and work on the critical issues that could lead to your company failing its 404 attestation. Some best practices may have to wait a year.
9. Get feedback early in the process. Share your program plans with your SOX PMO and accounting firms to ensure you are on the right path. Review proposed procedure changes prior to implementation to ensure your changes will meet the requirements.
10. Stay flexible. The rules are still changing and will continue to evolve over time. Keep focused on what is best to ensure your IT group is safeguarding company assets, maintaining data integrity, and providing the business with the infrastructure it needs to increase shareholder value.
SOX 404 compliance is as complicated as creating sustainable network architecture, but you don’t have to be lost in the SOX translation nightmare that plagued many companies in 2004.
A well-designed network architecture requires vision, expertise, planning and execution. If you are currently wondering how an IT general control differs from any other control, step back and don’t be afraid to ask questions, seek advice and get help from an interpreter who speaks both languages.
Diane Wolff is president and founder of The Blue Sage Group. She is a former CFO with more than 18 years of financial and operations experience that spans multiple industries including life sciences, high technology, telecommunications and professional services.