Just the mention of a Sarbanes-Oxley audit provokes horror stories of inordinate time spent providing evidence; complying with written policies, procedures and guidelines; and attending countless meetings. Sorry to say, but life is not going to get easier until you make SOX a part of your daily routine and take an active role in the entire audit process.

In more than 70 IT security audits and three full-scale SOX engagements at Fortune 100, 500 and 1000 companies since 2002, I have witnessed both the best and worst practices and approaches to compliance. Why is it that so many educated, driven individuals seem unable to use the numerous, readily available sources of data to stand up and challenge the interpretations of SOX to which they are subjected? Instead, they blindly accept the mandates set forth by the very people who have a vested financial interest in how the SOX audit is run.

Some knowledgeable external auditors have eliminated many controls that had to be satisfied last year. They made these changes after realizing their understanding of SOX should change to be more closely in line with the intent of the law. Other auditors are unwilling to modify the audit controls they consider critical. Often there is a direct correlation between this inflexibility and lack of real-world, hands-on experience.

Unless you and your company's audit group have a full understanding of SOX, you won't be able to question the external auditors' template of what they expect. The Web sites of the Information Systems Audit and Control Association (www.isaca.org), Institute of Internal Auditors (www.iia.com) and Public Company Accounting Oversight Board (www.pcaob.com) offer a wealth of information about SOX.

There are six major SOX pitfalls you're likely to encounter:

1. Too many controls selected to meet compliance. You can reduce these by having an educated understanding of what the actual law asks for.

2. Lack of documented policies, procedures and guidelines; poorly drafted control activities and poorly documented test procedures.

3. Lack of an organized internal audit-team structure. Your company needs financial and IT auditors, or you face seeking out consultants on the fly without verifying their capabilities.

4. Failures discovered during the initial audit but not remedied. The additional time required to fix these problems increases audit costs.

5. Insufficient or missing evidence. You and your auditors must agree as to whether your evidence controls are satisfactory. Keep evidence in one place, properly cataloged for easy access.

6. No correlation between control activities and risks. You cannot take the verbiage of a control activity and make it fit the risk; you must take the time to ensure you have satisfied its intent.

In general, SOX pitfalls can be avoided through knowledge, an organized team managed by a senior executive authorized to implement the necessary mandates, detailed explanations of the controls and the tests required to satisfy them, and buy-in from the entire company.

Kamens has a law degree and is a certified information security manager and independent IT security/SOX auditor. He can be reached at mike@kamens.org.