SOX Compliance
Don’t fight what can help you
Skye L. Rogers




9 Years experience working in Systems &
Operations in various roles.
4 years focusing on SOX related tasks.
Currently working with TransCore.
Skye is not an attorney or an auditor.
TransCore
Approaching 70 years
in the transportation
industry
 Installations and
products in 46 countries
around the world
 Key technologies:
RFID, wireless
communications, GPS,
web-based information
systems

Operations
Management
Rail-Intermodal
Track and Trace
Fleet
Management
Financial
Services
Compliance
Services
Freight Matching
What is SOX?


SOX provides the foundation for new corporate
governance rules, regulations & standards issued by the
Securities and Exchange Commission. It covers a range
of topics from criminal penalties to Corporate Board
responsibilities. SOX also covers issues such as
independent auditing requirements, corporate
governance, internal control assessment, and enhanced
financial disclosure.
CEO’s of publicly traded companies will be held
accountable for the quality of the controls established
which enable accurate Financial reporting (including IT
processes, systems & roles).
Penalties

Section 802(a) of the SOX states: “ Whoever knowingly
alters, destroys, mutilates, conceals, covers up, falsifies,
or makes a false entry in any record, document, or
tangible object with the intent to impede, obstruct, or
influence the investigation or proper administration of
any matter within the jurisdiction of any department or
agency of the United States or any case filed under title
11, or in relation to or contemplation of any such matter
or case, shall be fined under this title, imprisoned not
more than 20 years, or both.”
What prompted SOX?

Sarbanes-Oxley was
passed in the wake of
a number of notable
corporate accounting
scandals including
Enron and
WorldCom.
SOX on the horizon?

The primary thing to
remember is that SOX
is about mitigating
the risk of fraud,
financial transparency
and process control.
This will change how
you do things but that
does not have to be a
bad thing.
A hint on policies.


Bear in mind that you will be held to the letter of
all policies your company develops related to
SOX even if they exceed federal requirements.
This is very important to remember when
drafting policies.
Policies should ensure that corporate behavior is
consistent, controlled, and can be proven.
A word on Frameworks
There are many
frameworks out there
to assist you with SOX
compliance. The key
is to find a framework
that works for your
team, commit to it,
train on it, and use it
to your best possible
advantage.
Examples of COBIT Controls
Network Security –
Firewalls, secure network
configuration including
802.11x

Virus Protection –antivirus and anti-spyware
updated regularly

Examples of COBIT Controls


Backups & Restore –
Regularly tested
procedures
IT Continuity –
Disaster Recovery
Procedures
Examples of COBIT Controls


Files Access Privilege
Controls
Identity Management
– password
strength/age and
access. Who has
access and is that
appropriate now?
Examples of COBIT Controls


Risk Evaluation
Programs – Risk
Assessment and
internal auditing.
Employee IT
Security Training –
Training of end users
related to utilization
of resources.
Examples of COBIT Controls


Management support/buy in – Executive level
oversight of projects related to IT.
IT as part of strategic planning – The business
must be supported by technologies.
Change Management
(Skye’s favorite)






Standardized change control is a great place to
find fast rewards in pursuit of compliance.
Change Approval
Change Categorization
Change Documentation
Change Prioritization
Formal Request for Change Process
A body of subject matter experts that oversee
change.
Consistent Logging






Change Management
Configuration Mgmt.
Event Management
Incident Management
Knowledge Mgmt.
Problem Management
“Operationalize” information.



Connect the internal changes needed with the
strategic objectives of the company.
Illustrate that real-time information flow
enhances your organization’s ability to make
decisions while making compliance easier.
Point out the significance of new activities that
may seem mundane or inconsequential. This will
help actions taken by staff at every level feel
more relevant and less painful.
Remember W. Edward Deming?
SOX Compliance is
not a fix it and forget
it endeavor. As
companies and the
ecosystems that
support them change
new compliance
quandaries will
come up.
Wait, how can SOX help me?


Perspectives on operational control, consistency,
and quality take on a whole different meaning
once they have a clear relationship to fiduciary
responsibility.
It is amazing how different the conversation
about project prioritization becomes once
executive management are offered the
opportunity to make decisions guiding it.
Questions?
This is assuming that we have time
for any.
FIN
Thank you very much for your kind
attention.