Volume 4 Number 2 Spring Issue 2008

SOX, the Unsung Hero
Robert Drobish

SOX is coming! SOX is coming! Annually, these words echo down the halls of every publicly traded U.S. company and every company with publicly held debt, often with fear – or fire – in the tone. The Sarbanes-Oxley Act of 2002 (Pub. L. No. 107-204, 116 Stat. 745), also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called "SOX," was the government's response to a series of corporate accounting scandals. Of SOX's key provisions, chiefly Sections 302 and 404, this article addresses Section 404 and how it applies to IT internal controls.

[Note: This article is by no means an in-depth review or technical reference for SOX; that ground is covered far better by the many in-depth legal and financial papers and reports. It is addressed to the many IT and compliance departments affected by the SOX requirements, and it argues that SOX is actually an unsung hero.]

I know, on the surface SOX feels invasive and frustrating, like an additional "duty" with unrealistic timelines. Between the external auditors, the internal auditors and the management reviews (GGS fills this role), how is the day-to-day work ever supposed to get done?

IT is still, in many cases, one of the last vestiges of independence and self-expression. Different skill sets, levels of education, certifications and experiences give the IT department and its CIOs and directors the ability to see and solve issues, both current and future, in very different ways, with different tools, in different businesses and ultimately with a unique flavor. After all, this is what draws most IT professionals to the job: the ability to "do it my way." As different as the many ways to solve a problem are, almost all of them are right. This is also why SOX causes so many IT and compliance professionals to mumble under their breath. The reason is simple and straightforward: style.

I have been on numerous SOX management assessments, I have worked with IT and compliance professionals, I have discussed and reviewed findings with external auditors, and I have even been in boardrooms with CEOs and company presidents. The clients’ questions are always similar: Why do I have to change the way I do business? How do I prove that I followed a procedure? What is the risk to the business? Why isn’t what I say good enough? The questions and concerns are very real, have very real emotions attached, and can even affect job performance and reviews. The issue lies in the two sides of a SOX assessment. The IT director or CIO answers these questions based on his own reasons, and the assessor (internal, external or management) asks the questions and reviews the answers based on his own reasons. The crazy thing is that both sides are looking for the same answer: How do IT and its controls and procedures keep the company from getting into trouble? This is where style comes in: same ending, different routes.

The real IT headache is that assessors and auditors show that a company is complying with SOX by proving it, and SOX needs to be able to "touch" that proof. This is the one area IT is notorious for sacrificing: IT is normally so busy keeping systems running and updating them that writing policies and procedures and gathering supporting documentation gets done only after the operation is running smoothly and when there is "time." I don’t know about everyone else, but before I joined GGS, which is ISO/IEC 17025:2005 accredited by A2LA, I had neither the time nor the resources to get the documentation done the way I wanted. This is why many companies have outsourced the initial SOX resource need and the updating and development of documentation, and then, when the bulk of the resource drain is over, brought the documentation updating in-house with periodic outside reviews to ensure the company doesn’t fall off the wagon again due to staff changes, operational changes, growth, etc.

A new thought process is creeping into SOX companies: rather than struggle with the constant SOX resource drain and internal impact, outsource it, so that two to four times per year, for a very short time frame (two to four weeks), the outside company reviews and remediates the issues. This drastically reduces the workload on the internal staff while making huge strides toward ensuring compliance. Now I’m starting to get a good feeling about SOX. This new process also brings the benefit of new views and new experiences, ensuring that the procedures are always kept fresh and meet the company’s needs, and with new viewpoints comes a renewed view of which controls are no longer relevant (which can also reduce the number of controls and SOX requirements).

Here is the key to the "unsung hero" line you are probably still grumbling about. The business gets to decide, within some broad parameters – don’t steal, don’t fake the numbers, control who has access to your data, etc. – how it operates. And for lack of a more in-depth discussion, SOX just wants you to prove it. Therefore, once the time is spent to complete and manage the documentation, the processes are easier to follow, workers are easier to train, and the approvals are easier to find, which keeps IT out of hot water. IT gets to "cut to the chase" on its work because there are fewer interruptions, questions and problems caused by different staff members doing things differently. This is where singing the praises of SOX starts: outsource your preparation and you get to get on with doing your business.

Granted, since most IT departments haven’t been able to commit the resources they want in order to reach the "cut to the chase" point, it will take some initial time and energy. But this is time well spent, because once it is done, it eases the pressure of following undefined procedures, helps the business owner’s users meet the business owner’s needs, and makes it much easier for the auditors to get what they need to verify compliance and get on with their non-IT duties, thus reducing their impact on IT.

OK, so maybe SOX is not a hero, but how about a really, really nice person?

