White Papers for Sarbanes-Oxley (SOX)
Implementing General IT Controls for Sarbanes-Oxley
BMC Software’s
Prompted by corporate financial scandals of recent years, the Sarbanes-Oxley Act of 2002, “Sarbox” as it is commonly known, is one of the most significant revisions to U.S. federal securities laws. Deadlines for Sarbox compliance, and subsequent company auditing, are fast approaching. Publicly traded U.S.-based companies must now be prepared to address Sarbox requirements, including Sarbox-compliant IT control processes, which could alter the claims that corporations make in upcoming annual reports. Companies must ensure their financial processes comply with Sarbox legislation, and senior executives must attest to the adequacy and effectiveness of their internal control of these processes. Many companies, however, are not fully prepared for their audits. Without proper guidance, any employee could unwittingly violate Sarbox requirements, putting a company in jeopardy.
Achieving and maintaining compliance with the general IT controls specified in Section 404 of Sarbox involves far more than just establishing rigid control over various processes and access to information. It requires merging people, processes and technology into a unified, enterprise-wide compliance effort.
From a people perspective, compliance requires the philosophical adoption of the Sarbox legislation across the enterprise. This involves instilling a sense of ownership in every individual who has access to records that affect the company’s ability to attest to and validate that the data it provides is accurate, whether or not an individual’s access has been deemed significant.
With respect to processes, compliance requires companies to establish processes and controls that ensure requirements are met and that readily demonstrate compliance. The interpretation of Sarbox is somewhat open, providing the flexibility to create processes that maintain compliance while still allowing efficient and profitable operations.
Finally, supporting technology is required to implement and enforce standard processes and to monitor and report on compliance.
It is important to note that Sarbox compliance involves continuous assessment and continuing education. Assessment helps ensure that compliance is maintained; education helps keep compliance firmly at the forefront of each employee’s mind.