Agile Solutions in IT SOX Environments

Published: Jun 11, 2024
By: Gaini Umarov; Evan Haas; Anthony DeMaria; Nicholas Otto
Topics: Public Companies

SOX Compliance
Share

The Sarbanes-Oxley Act (“SOX”) was signed into law in July 2002 and quickly changed the compliance landscape for public companies. Among other provisions intended to prevent fraudulent activities, SOX requires companies to report on the adequacy of their internal control over financial reporting (“ICFR”). For many companies, the requirements consume a considerable number of resources. Specifically, the regulation requires that an additional plethora of financially-relevant business functions be reviewed to assure public companies have effective safeguards over financial reporting accuracy. To mitigate these SOX complications and address specific technical needs, companies have been adopting agile solutions to produce tangible benefits.

While new SOX regulations demand an increase in the oversight of data flow and information used to perform end-to-end checks and balances, an agile solution enables companies to be fit for combatting change and efficiently mitigating risk. This is especially important since regulators and auditors are demanding quicker year-over-year maturation of internal controls environments.

Under SOX, management and accounting teams are tested with a sharper degree of scrutiny. Failure to adequately comply with SOX regulations can lead to material weaknesses that may reflect poorly on shareholder sentiment and, in extreme cases, have a company delisted from public exchanges. To mitigate this, many internal teams supporting the SOX program assessment repackage older evidence gathering practices to fit the mold of SOX. However, the downside is that manual processes can lead to valuable time and resources being wasted, urging leaner methods for compliance and regulation.

Through an agile implementation, procedures are tailored toward a more streamlined internal control environment which helps with the aggregation and review of evidence to address pertinent business risks. These solutions enhance the experience of both the organization and its end users. Since SOX covers an abundance of internal domains, there is a lot of data to keep track of and a multitude of avenues that are taken to satisfy the requirements necessary for controls to pass in the eyes of auditors. In the realm of information technology, this includes an overlap between SOX requirements and information technology general controls (“ITGCs”). The specific domains for ITGCs primarily include change management, computer operations and logical security. The details of each are as follows:

Domain	Description
Change Management	Ensures changes, repairs and simple code changes to financially significant systems are continuous. Enables recoverability in the event of an unintended outcome and prohibits system changes by unapproved staff.
Computer Operations Management	Warrants the continuous reliability and availability of systems and data used to prepare financially significant information. Includes critical activities like data back-ups, data integrations between systems and problem resolution.
Logical Security	Focuses primarily on the confidentiality and integrity of systems and financially significant information. Involves granting access to systems and data locations, protecting networks, and evaluating vendor applications critical to financial reporting.

Newer platforms with integrated automation provide a holistic management and workflow solution that acts as a repository for the maintenance and markup of audit files applicable to the ITGCs. With an increased demand to satisfy the control requirements in these domains, a handful of applications become influential in automating business functions to satisfy the requirements of auditors. Their usage by various IT departments makes the audit process more efficient as a byproduct. Some of these widely used tools are as follows:

Domain	Tool	Description
Change Management	Bitbucket	Version control system for code collaboration and management.
	GitHub	Version control system facilitating collaboration among developers.
	GitLab	Integrated DevOps platform for lifecycle management of software projects.
	Jenkins	Automation server for building, testing, and deploying software projects.
Computer Operations	Amazon S3	Scalable solution for storing and retrieving any amount of data.
	CrowdStrike	Cybersecurity platform for endpoint security, threat detection and response.
	PagerDuty	Incident management platform for real-time operations monitoring and response orchestration.
	Rapid7	Security analytics and automation software for threat detection and response.
Logical Security	AWS IAM	Identity and access management service for securely controlling access to Amazon Web Services resources.
	Lumos	Business intelligence platform optimized for enhancing identity governance and privileged access management.
	Veza	Platform for managing and automating access control and security.
Data Aggregation	ServiceNow	Platform for IT service management and enterprise service management.
Data Aggregation	Splunk	Data analytics and visualization platform for searching, monitoring, and analyzing machine-generated data.
Audit Management	Workiva	Platform for collaborative work management and streamlined reporting across organizational functions.

The tools listed above can help enhance the aggregation of audit evidence whether for the client, auditor, or service provider. Oftentimes, the evidence is just a few clicks away.

Many firms have leveraged technology or governance, risk and compliance (“GRC”) platforms, such as Workiva to simplify this audit aggregation process given it is user-friendly for auditors and their respective auditees. Some of the key advantages of using this agile solution include the automation of tasks, workflows, dynamic reports and dashboards that enable the planning, testing, reporting and monitoring of audit work. This collaborative workspace serves as a centralized audit tool that expedites collaboration, reporting and more.

Although SOX has only been around for a couple of decades, public companies are still developing new strategies to complement their audit processes. Oftentimes, companies are resistant to change and will use a similar method of aggregating data for auditors as they did prior to being publicly traded. The perpetual shift in the business environments of today’s rapidly changing information age indicates that a robust business foundation is essential. While new SOX regulations demand an increase in the oversight of data flow in performing end-to-end checks and balances, agile solutions enable companies to be fit for combatting change and efficiently mitigating risk.