Sarbanes Oxley 404/409 Integration Organizations


Sarbanes Oxley 404/409

Integration Organizations and SOX

By Rob Smith, Co-Chair of Industry Solutions – SOX Committee

Integration Consortium – www.integrationconsortium.org

SOX the Game

Imagine a game where you and your team are mandated to play whether you want to or not, where the opposing team makes up all of the rules as the game is being played, and they control the referees and assign the penalties. Now imagine that you start playing halfway through the game and you’re already behind in scoring. This is the challenge that numerous companies in North America and around the world are facing, as they race to complete the assessment and testing of their internal financial controls before Sarbanes Oxley reporting requirements are due.

Now picture the opposing team with home field advantage: that’s the PCAOB, or Public Company Accounting Oversight Board, and the latest game is the Sarbanes Oxley Act (SOX). The SOX Act was formed as a knee-jerk reaction to the failure of some very sizable organizations during the first part of the millennium, most notably Enron and WorldCom. It was also a response to what appeared to the public as ‘out of control’ executive misdeeds, involving non-arm’s-length companies raiding cash reserves for personal loans and insider trading. The public was losing faith in the capital markets as each new accounting scandal hit the papers, and the government responded with the formation of the Sarbanes Oxley Act.

The act covers a wide scope of activities, all related to corporate governance as it impacts the reporting of the financial position of qualifying organizations. Given that the PCAOB is an “accounting” oversight board, it stands to reason that the primary goal of the act was to govern accounting and financial reporting. But sections 404 and 409 opened a veritable Pandora’s box of issues that had little or nothing to do with accounting and financial reporting.

The heartburn of SOX: what is required?

When an organization buys a product for inventory, the transaction is booked in the financial records, but when an organization signs a contract, exactly what is booked? These ‘physical’ operational gaps between what happens in an organization and what is ‘booked’ in the financial statements are creating an exceptionally large level of stress for many CFOs charged with the mandate of being “SOX compliant.” To further muddy the waters, many of those CFOs have to verify that the systems that provide information for financial reporting also have the same level of controls and tests of “material impact” as the financial operations of the organization. But remember that accounting is a record of things that have happened and rarely a predictor of things to come.

SOX 404 is primarily composed of declaration, assessment and attestation:

“A declaration stating the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.

An assessment of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

An audit attestation of the assessment.”

SOX 409 states:

“REAL TIME ISSUER DISCLOSURES. Boards must disclose to the public real time information concerning material changes in the financial condition or operations of the issuer including trends as the Commission determines necessary for the protection of investors and in the public interest.”

SOX and Integration

Although much is written about the relationship between financial reporting controls and SOX, the reality of accounting is that IT systems are an integral part of SOX 404 and 409 compliance. On the surface, IT controls must be in place to ensure the validity of information and the accuracy of the financial reporting. The problem is that many audit firms are advocating that SOX 404/409 is not about IT. This places complying organizations and their boards of directors at risk if adequate controls and security do not exist around the systems that feed the financial reports.

More importantly, SOX 409 requires that boards report on “real time information concerning material changes in the financial condition or operations of the issuer including trends”. The only way for issuers to be aware of real time information and trends in the operations or physical activities of their organization is for the issuers’ systems to report on anomalies and trends in real time and on an exception basis. As well, the integration of any new system into an organization will have to pass SOX compliance review before it is either selected or ‘plugged in’.

Failure of a control process due to a systems failure will fall squarely under the 409 clause regarding “material change”.

What can System Integrators do to mitigate SOX risk and pain?

1. Assist clients in auditing existing network controls inclusive of both physical and virtual security processes, policies and tests.

2. Evaluate purchased software for potential threats to the organization’s operations from financial failure or misstatement, and provide a compliance report.

3. Provide process development assistance that includes the decision checkpoints and the assignment of responsibility for those decisions.

4. During the development of new products or customization of existing software, embed control mechanisms such as audit trails and exception reporting to allow companies to easily test and evaluate compliance.

5. Develop periodic automated control testing mechanisms to validate ongoing compliance.

6. Provide clear and comprehensive documentation of development and change activities.

7. Perform client internal SOX audits and obtain a compliance certificate for presentation to new clients (for service organizations this is a Type II SAS 70 report).

8. Partner with other organizations to reduce the burden of developing SOX compliance frameworks from scratch.

Developing software and integration operations with SOX 404 and 409 in mind will add extensive value to your organization in the eyes of the senior C-level staff at companies that are required to report. The easier it is to dovetail a supply organization into an existing SOX audit, the more likely the CFO is to sign off on a purchase order to a compliant organization.

Rob Smith is an author for Penguin Publishing on technology and business. He is the CEO of Riskstream Inc., a business continuity and regulatory specialist, and a Managing Partner with the ISSC – SOXB2Team.
