The document discusses the Sarbanes-Oxley Act (SOX) from an IT perspective. It provides background on how major company frauds led to the creation of SOX. It describes the key points of SOX, including the requirements of section 404 for management to assess internal controls. While SOX compliance presents challenges and costs for companies, it can also streamline processes and reduce risks. The document addresses common questions about SOX's applicability and compliance requirements and concludes that maintaining strong IT controls is important for business efficiency beyond just financial reporting.

1. SOX: IT Perspective
Neelabh Srivastava

2. SOX: IT Perspective
Agenda
 Background
 Facts about SOX ACT
 Objective
 Section 404: Key Points
 A Burden or Opportunity
 Challenges
 Sox Benefits
 SOX Compliance Frameworks
 FAQs
 Conclusion
2 Neelabh Srivastava September 2012

3. SOX: IT Perspective
Background
 Two largest US companies goes bankrupt.
 Other financial frauds follow.
 Investors lost money & faith in companies
 Debacle in Stock Market.
 US govt. took action.
 Sarbanes and Oxley Act was made Law.
3 Neelabh Srivastava September 2012

4. SOX: IT Perspective
Facts about SOX Act
 The Act was passed on 30 July, 2002.
 Names after its Architects US Senator
Paul Sarbanes and US Representative
Michael Oxley.
 Also Known as SOA (Sarbanes-Oxley Act)
 Applies to Publicly-traded companies in US.
 The act consists of 11 sections.
 Known as one of the worst Tech related Bills
of all time.
4 Neelabh Srivastava September 2012

5. SOX: IT Perspective
Objective:
 Fundamentally, Sarbanes-Oxley (SOX) requires that financial
reports are based on
accurate information and that
the processes by which this
information is collected are
themselves accurate & controlled.
 Rebuilding Public Trust.
5 Neelabh Srivastava September 2012

6. SOX: IT Perspective
Section 404: Key Points
 Refers to “Management assessment of Internal Controls”
 With only 180 words, this section has created a furor in
various depts. including IT.
 As IT controls financial processing and reporting,
therefore falls in SOX ambit.
 Effectively it is forced implementation of the best
practices.
 404 Most contentious part of SOX.
6 Neelabh Srivastava September 2012

7. SOX: IT Perspective
A Burden or An Opportunity
It’s a matter of Perspective.
Classic Example of “Glass Half Empty or Half Full”
7 Neelabh Srivastava September 2012

8. SOX: IT Perspective
Challenges:
 High Compliance Costs
 Segregation of Duties
(too few people)
 Increase in Project Durations.
 High Administrative work.
 Increased workload on IT staff.
8 Neelabh Srivastava September 2012

9. SOX: IT Perspective
SOX Benefits:
 Standardizing/Eliminating Variation of Computing Envt.
 Automation of Manual Processes.
 Identification and addressing risks and in your
environment.
 Improved efficiencies through consolidation.
 Reduced Operating costs.
 Reduced Incidents
 Documentation for every process/operation.
9 Neelabh Srivastava September 2012

10. SOX: IT Perspective
SOX Compliance Frameworks
 COBIT (Control Objectives for Information and Related
Technology)
 COSO (Committee of Sponsoring Organizations).
 ITIL (Information Technology Infrastructure Library)
 COCO (Criteria of Control).
 Tumbull Framework
 King Framework
COSO is the most widely adopted framework in US.
10 Neelabh Srivastava September 2012

11. SOX: IT Perspective
FAQ:
1) How often do companies need to comply with
SOX - annually or quarterly?
All publicly traded companies must comply with SOX both
annually and quarterly. Section 404 is an annual evaluation of
internal controls which requires annual compliance, whereas
other sections like 302 and 906 are both quarterly
certification requirements.
11 Neelabh Srivastava September 2012

12. SOX: IT Perspective
FAQ:
2) What does Section 404 mean from practical
perspective?
In practice it will depend on the external auditor to
define what aspects of the overall operations that they feel
are material and then to what degree. It can be based on
multiple criterion including their own control objectives.
12 Neelabh Srivastava September 2012

13. SOX: IT Perspective
FAQ:
3) If the SOX is intended for Financial reforms then
how does IT came in picture?
The thing to remember about SOX is that it is primarily
focused on the accuracy of financial reporting data. IT per
say is important under SOX only to the extent that it
enhances the reliability and integrity of that reporting
which of course can be achieved by having full controls
over IT infra, Change management, IT security etc…
13 Neelabh Srivastava September 2012

14. SOX: IT Perspective
FAQ:
4) Whether non-production systems such as Dev, QA,
Test etc.. systems should be in-scope for SOX?
They might not be in the "direct" scope of SOX, but these
environments certainly play a role in the Change
Management process and other Life Cycles. Thus, they
cannot be completely ignored.
14 Neelabh Srivastava September 2012

15. SOX: IT Perspective
FAQ:
5) If this is ever going to finish?
Unfortunately No, there will be an ongoing need to update
and validate the processes and supporting documentation.
15 Neelabh Srivastava September 2012

16. SOX: IT Perspective
Conclusion:
The better reason to have good controls over IT and IT
security, however, is not because it will make you SOX
compliant but because it will make your business more
efficient, enable you to better utilize your data, and allow
you to trust ALL the data, not just financial reporting
data.
16 Neelabh Srivastava September 2012

17. SOX: IT Perspective
References:
http://en.wikipedia.org/wiki/Sarbanes–Oxley_Act
http://en.wikipedia.org/wiki/Information_technology_controls
http://www.securityfocus.com/columnists/322
http://www.sarbanes-oxley-101.com
17 Neelabh Srivastava September 2012