Information Technology plays a very crucial role in the operations of an organization. IT systems are deeply embedded in initiating, authorizing, recording, processing and reporting of financial transactions. Almost all financial reporting processes in an organization are driven by IT systems. As a result of their tight linkage to the overall financial reporting process, internal controls over relevant IT systems need to be assessed for their compliance with the Sarbanes-Oxley Act (SOx). Other regulations such as FDA, GLBA and HIPAA also require assessment of internal controls of relevant information systems.
SOX Compliance Management Most organizations regularly test the internal controls within their IT organization to ensure secure and continuous operation of their entire information systems in order to identify and mitigate risks with financial reporting. Such controls are typically derived from a standard framework such as COBIT and when implemented, it not only reduces IT related risks in financial reporting, but also forms the basis for good IT Governance.
The following are some of the key internal controls defined within an IT organization for compliance with SOX. These controls are based on the COBIT framework. This list can be extended to support HIPAA or GLBA compliance. The controls include:
The IT Auditing and Compliance process is inherently very complex within a company. This complexity is primarily due to the following three reasons:
Multiple Stakeholders: In many Fortune 500 companies, the IT function is decentralized. In such companies, the corporate IT function sets policies and guidelines and is responsible for shared resources, but most of the IT investments are made by and managed at the divisional level by a Divisional CIO, who reports to their line-of-business head, as well as to the corporate CIO. As a result, multiple internal organizations are involved in assessing compliance with IT controls. In addition, some IT operations, including application development and software/infrastructure management may be outsourced to a third party. This outsourcing partner typically uses their own organization to assess compliance with their client's IT controls guidelines for the systems they manage. Finally, some of the IT assets within a data center may be leased from a third party and maintained or serviced by them. These service providers typically also ensure that such systems comply with their client's IT control guidelines. As a result, there are a number of internal and external stakeholders involved in an IT audit and compliance process, creating a huge amount of complexity.
Evolution of the infrastructure bottom-up: Companies have implemented various tools in their environment to automate testing of specific controls, identify non-compliance and drive its remediation. These tools include point solutions such as Virsa or Logical Applications for testing Segregation of Duties (SOD); solutions such as Symantec Bindview for defining and enforcing security policies and solutions such as Active Reasoning for change management compliance. While these tools address very specific issues, each has their own 'perspective' on compliance and publishes their own compliance report about the narrow domain they address. These systems do not address overall IT audit and compliance from a top down perspective.
Lack of a single system of record: IT organizations typically end up with multiple checklists to test various controls and multiple spreadsheets containing results from the tests. In addition, people responsible for testing specific controls may keep their own checklists or records of audit and publish their own compliance reports. As a result, multiple Excel and Word files and emails keeps the overall process working. However, there is no single system of record for the entire IT Audit and Compliance process. As a result, it takes a lot of manual work to understand the status at any given time or gain visibility into key issues or track the remediation status on a non-compliance event. A lot of time spent is spent in chasing status information and in gathering evidence of compliance. In addition, implementing a sustainable change management process on multiple documents that are managed in a federated manner becomes very difficult.
In order to sustain compliance with IT controls at significantly lower costs, organizations need to streamline their IT Audit and Compliance process, enable multiple stakeholders to have visibility and control and provide a single system of record for IT audits, while leveraging the various point solutions that have already been implemented to automate the testing of various controls.
MetricStream, a leading provider of Governance, Risk Compliance and Quality solutions, provides a comprehensive solution for IT Audit and Compliance. Designed to support the COBIT framework, the solution addresses the issues mentioned in the previous section. Key capabilities of MetricStream suite for IT Audit and Compliance include:
By learning from the experience of an ISO 9000 implementation and embedding the steps listed above in the employee's daily work, SOx Program Managers can deliver SOx compliance at significantly lower costs.
By implementing the MetricStream IT Audit and Compliance solution, the customers get a single system of record for the IT audit process, while supporting a complex organizational model, including external stakeholders. The graphic above displays the IT audit and controls process for a typical IT organization, after it was streamlined and automated using MetricStream solution. Upon implementing the solution, the MetricStream customers will enjoy the following environment for their IT Audits:
IT systems are inextricably linked to the overall financial reporting process and need to be assessed, along with other important processes, for compliance with the Sarbanes-Oxley Act. Today the IT Audit and Compliance process to support the Sarbanes-Oxley Act is chaotic. Most companies have implemented limited bottom-up automation infrastructure for control test automation through point solutions. However, lack of top-down approach to IT Audit and Compliance, along with lack of a single system of record, makes the entire process very disorganized. MetricStream, a leading provider of Governance, Risk, Compliance and Quality solutions, addresses these issues through its solution, specifically designed to manage the IT Audit and Compliance process at large companies.