SOX focuses on the accuracy and integrity of financial reporting. Financial processes depend on many supporting functions, information technology among them, so a business subject to SOX must also meet SOX IT General Controls (ITGC) requirements. ITGC is the set of controls by which an IT department demonstrates that it has implemented and operates the measures needed for SOX compliance. The controls show that the company's security and IT activities are governed and managed according to industry best practice and management-approved policies and procedures.
Achieving SOX ITGC compliance is a comparatively short process: roughly two to three months if the organization already meets the requirements. Organizations should nevertheless be prepared for compliance audits four times a year, in step with the schedule on which financial statements are issued.
Most companies must satisfy several compliance regimes at once and know how laborious and time-consuming the work can be. For that reason many of them automate SOX ITGC compliance, which frees IT staff to concentrate on the security controls that actually protect the network from cyber threats.
Defining SOX ITGC
A SOX compliance program comprises two sets of controls. First, SOX requires an organization to document, test, review, and maintain the internal controls that affect its financial reporting processes. These internal controls are designed to prevent or detect problems in business processes that could compromise the integrity and accuracy of the financial reports prepared from them.
Companies must operate these controls continuously and review their processes, particularly before preparing financial reports. Internal auditors must also conduct SOX compliance audits at regular intervals.
The second component is the IT General Controls. Internal auditors must audit the ITGC as well, to confirm that the controls are sufficient to ensure the completeness and accuracy of the financial reporting systems. The ITGC need to be correctly in place first, because the application-level financial controls depend on them and the SOX audit builds on them.
Importance of ITGC in SOX-audited companies
Most companies run a range of applications specific to their departments, such as human resources, sales and marketing, research, inventory, purchasing, and finance. In most large companies these applications sit within, or feed, a central enterprise resource planning (ERP) system, and the ITGC govern how that system is operated. ITGC ensure that the tools used by the organization's departments are used effectively and are protected against vulnerabilities and other risks. In particular, they control the following activities:
- Provisioning of user and administrator accounts for the various applications, so that elevated access is granted deliberately and can be reviewed.
- Managing the lifecycle of each piece of software the organization uses.
- Timely deployment of software updates and upgrades and of security patches.
- Managing user passwords and the authentication requirements applied to them.
- Recording all transactions and changes made to the organization's IT systems.
SOX and ITGC work hand in hand, which is why they are usually treated as a single SOX ITGC compliance procedure. SOX itself addresses financial practices and corporate governance; ITGC addresses the organization's overall IT management insofar as it affects business operations and security, which is the part of interest to regulatory bodies.
During a SOX compliance audit, the auditor usually examines the company's overall IT management, since weaknesses there can affect the outcome of the SOX assessment. In addition, compliance auditors specifically check ITGC controls such as:
- Physical and technical access
- Security and protection for IT systems and data centers
- Data backup, storage, and maintenance
- Change management: documented change procedures and records of the change management activities carried out under them
If your company is publicly traded in the United States, you must be SOX ITGC compliant. Compliance provides the framework for being a good steward of your financial records, improves corporate transparency, and helps protect your organization from cyberattacks.