Nine questions for effective IT control in SOX compliance
1. Has the organization established an IT-specific internal control framework to guide its section 404 compliance activities with respect to IT?
An IT-specific internal control framework provides vital structure to an organization's effort to develop and maintain effective internal control in its IT environment. Failure to identify such a framework may indicate that the organization has failed to examine IT controls as systematically or as deeply as required to support section 404 compliance. One possible IT-specific control framework to build upon is the CobiT framework, described by the IT Governance Institute in its 2000 publication, "Control Objectives for Information and Related Technology." While the full CobiT framework goes far beyond section 404 compliance requirements, companies seeking guidance regarding IT controls would be well advised to customize the applicable portions of CobiT for their own particular section 404 compliance needs.
2. Is the IT environment highly customized?
Custom-built applications and platforms are a fertile ground for internal control issues for two reasons. One, the original technology's vendor may not be able or willing to provide technical support once its product has been significantly modified. And two, no matter how competent a company's IT personnel or service providers, there's always a much higher risk of errors in new, untried software than in standardized, widely used, and well-tested software.
3. Does the IT department have a high turnover rate?
Technology specialists, as a group, tend to gravitate toward best-of-breed, sophisticated, cutting-edge IT environments. A high turnover rate among IT professionals may indicate their dissatisfaction with dated, refractory technology whose unreliability could compromise internal control effectiveness.
4. Is there a large backlog of outstanding program maintenance requests?
If your IT professionals, though competent, are having trouble keeping up with program maintenance requests, chances are that the systems are overly complex and tedious to work with, casting doubt on their reliability with regard to internal control.
5. Has the company needed to extensively rework or retrofit an installed ERP system(s)?
Badly designed or incompletely activated ERP controls can create significant internal control gaps.
6. Does the company rely on disparate legacy systems to manage financial reporting?
Every time information needs to be altered for purposes of inter-system compatibility, the risk of introducing errors goes up. In addition, high variability in a company's financial applications increases both the time required to consolidate the information at year-end and the effort of managing risks and controls for each individual application.
7. Have formalized, consistent IT standards been established across all areas of the organization?
The absence of clear IT standards prescribing enterprise-wide policies for applications, infrastructure, operating protocols, and other IT-related factors encourages variability among different areas of the business, thereby increasing complexity and risk.
8. Are significant manual control activities required to manage the results provided by information systems?
Employees who feel they cannot rely on a company's technology may use manual processes to compensate for IT weaknesses. Not only are such manual processes labor-intensive and inefficient, but they are inherently riskier than automated processes due to irreducible human error.
9. Do the organization's IT processes maintain an adequate segregation of duties?
Technology can make it easy for one person to perform the work of many - but it also raises the risk of concentrating too much responsibility in one person's hands. Effective segregation of duties is therefore crucial to maintaining strong internal control over technology-enabled processes. To satisfy section 404 requirements, organizations must be able to document the existence and enforcement of appropriate segregation of duties with regard to IT. This may need to take place as part of an overall effort to improve information security controls, which is often more tedious and time-consuming than most companies expect.
Edited from 10 threat to compliances, Deloitte 2007
Six questions related to SOX section 404 implementation