In today's world, software applications can have a significant financial impact on a company. Control systems now direct the operations of many businesses, and without those systems these companies would most certainly not be competitive. There is no doubt that these systems affect the company's bottom line by controlling costs and maximizing revenue. But do they fall under the requirements of Sarbanes-Oxley (SOX)?
The simple answer is "it depends". SOX, for the most part, addresses the financial reporting of the organization, not necessarily its financial impact. As an example, a SCADA system controls whether a power plant comes on line during peak power demands. The operation of this system definitely has a financial impact on the utility; however, it most likely has no impact on "reporting" the financial performance of that utility.
When determining whether a software application should be included in the scope of SOX, an auditor uses a couple of factors. First, the auditor determines whether the application has any effect on the values reported in the General Ledger accounts. Second, the auditor looks at the financial assertions and other factors that bear on the financial reporting of the company.
Without going into each of these factors, a number of simple business questions have been identified. If you can answer "Yes" to any of these questions, chances are that the application does fall under the scope of a SOX audit:

- Does the system report transactions that are used in calculating revenue or cost?
- Does the system have an interface to the accounting system?
- Are there General Ledger codes defined in the system?
- Does the system safeguard your assets?
- Does the system prevent fraud in reporting or the misappropriation of revenue or cash?
If you are not certain, discuss your concerns with your IT staff and auditor.
Now that you have determined that the application does not affect financial reporting, ask yourself these questions:

- How long can my company survive if the application or its data is lost or corrupted?
- How confident am I in the statistics it generates that control the operations of the company?
- How can I tell whether the application is performing correctly?
- How comfortable am I discussing security or data integrity with my executive management or board?
- Will I lose my job if the system is hacked or crashes?
- Do I stay up at night worrying about these items?
If you answered "Yes" to any of these questions, you might want to take a look at the internal controls you have implemented around these high-priority applications. Although the application may not be included in the scope of SOX, the same methods and techniques should be employed in controlling it.
SOX requires that you document your procedures over financial reporting using an industry standard. The standard in the financial community is the COSO standard. This standard was developed in the early 1990s and suggests that the same techniques should be used in the Operations, Compliance and Financial Reporting of a company.
Most operations documentation is procedure based. This documentation (if it exists) should be risk based. Although most of the procedures you follow actually mitigate risk, without highlighting the risks and controls explicitly, important factors can be missing from your documentation. You should document the objectives of the application, the risks to achieving those objectives, the controls in place to mitigate those risks, and the tests (exercises) that confirm each control is working. You may not need to document the tests as completely as you would for a SOX audit, but would you sleep any better if you did? You most definitely want to apply the same IT General Controls to the financial-impact applications as you do to the financial-reporting applications.
Our Team

Our team is comprised of experienced executives, managers and consultants who will assist your banking organization in the development, implementation and execution of comprehensive risk management and compliance strategies. From the initial passage of Sarbanes-Oxley in 2002, Visage has provided solutions to a client base ranging from private, entrepreneurial companies to large multinationals.

Our Value

- Utilizing our proprietary SingleVue™ compliance methodology, we tailor comprehensive, cost-effective and flexible solutions to our clients.
- Our solutions enhance your current business processes, rather than adding unnecessary overhead, thus creating measurable long-term value.

For more information, visit our home page: www.visagesolutions.com