SOX 404: Compliance Not Found? (updated)
posted 2/18/2008 2:40:32 AM by Steve Andrews
Redux of original post.
NOTE: This series of articles is written as an introduction to complex subjects. They are general in nature and highly condensed. They are not intended to be legal advice or counseling in individual cases and cannot substitute for consultation with a knowledgeable attorney or other competent advisor.
In case anyone has forgotten the scandals of Enron, Tyco, WorldCom, Arthur Andersen, and others, the years 2000 through 2002 were rocked by countless fraud and accounting scandals involving large corporations. Investors lost billions of dollars and the markets tumbled. In response to these scandals, the Sarbanes-Oxley Act of 2002 (SOX) was enacted on July 20th 2002. President George W. Bush signed it into law, stating it included "the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt."
For IT departments, there are two critical sections of SOX with which they need to be concerned. The first is section 404. Section 404, along with being the most contested and costly part of the bill, requires a company and its external auditors to report on the sufficiency of the company's internal controls over financial reporting. This means that IT systems that specifically address financial risks may be within scope. The second critical section deals with penalties. Failure to comply could lead to $5 million in fines and twenty years in prison.
The text of section 404 is as follows:
SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.
- RULES REQUIRED- The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall—
  - state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
  - contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
- INTERNAL CONTROL EVALUATION AND REPORTING- With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.
Fortunately, there is a practical solution. This post begins what will be a seven-part series outlining how to achieve regulatory compliance using Team Foundation Server. Team Foundation Server provides not only an integrated approach to Application Lifecycle Management, but also the necessary tools and frameworks to be compliant with SOX. Each part of the series focuses on a specific concept in SOX and highlights the relevant areas of Team Foundation Server. These concepts are Separation of Duties, Documentation, Approvals, Testing and Auditing.
Separation of Duties
Separation of Duties is a cornerstone of SOX, requiring that no one individual have control of every aspect of a business process. Responsibilities should be assigned to individuals in such a way as to encourage checks and balances within the system and minimize the opportunity for unauthorized access or fraud.
Documentation
Any change made within a software system requires good documentation, including which work items are fixed, and how work items are fixed, tested, and released. Devoting effort to documentation from the start provides a foundation for a compliant development environment, and introductory documentation for an audit.
Approvals
SOX requires that changes made to financial reporting systems or controls follow a structured, rigorous approval process. Team Foundation work items support this approval requirement through the work item workflow, which can be customized to each environment.
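As an added example (not code from the original post or from Microsoft), the following work item type definition shows one way the Separation of Duties and Approvals points above can be expressed in a Team Foundation Server workflow: a "Change Request" cannot leave the Proposed state unless a member of an approver group moves it, the approver's identity is recorded automatically, and the recorded fields become read-only once the item is approved. The work item type name, the group name "Change Approvers", and the field reference name "Contoso.ApprovedBy" are assumptions chosen for illustration; adapt them to your own project.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Illustrative work item type definition (WITD); names below are assumptions, not part of the post. -->
<witd:WITD application="Work item type editor" version="1.0"
           xmlns:witd="http://schemas.microsoft.com/VisualStudio/2005/workitemtracking/typedef">
  <WORKITEMTYPE name="Change Request">
    <DESCRIPTION>Change to a system in scope for financial reporting; requires approval before work starts.</DESCRIPTION>
    <FIELDS>
      <FIELD name="Title" refname="System.Title" type="String" reportable="dimension">
        <REQUIRED />
      </FIELD>
      <FIELD name="State" refname="System.State" type="String" reportable="dimension" />
      <FIELD name="Reason" refname="System.Reason" type="String" reportable="dimension" />
      <FIELD name="History" refname="System.History" type="History" />
      <!-- Hypothetical custom field: who approved the change. Must be a valid TFS user. -->
      <FIELD name="Approved By" refname="Contoso.ApprovedBy" type="String" reportable="dimension">
        <VALIDUSER />
      </FIELD>
    </FIELDS>
    <WORKFLOW>
      <STATES>
        <STATE value="Proposed" />
        <STATE value="Approved">
          <FIELDS>
            <!-- Once approved, the approval record cannot be edited by anyone. -->
            <FIELD refname="Contoso.ApprovedBy">
              <READONLY />
            </FIELD>
          </FIELDS>
        </STATE>
        <STATE value="Active" />
        <STATE value="Resolved" />
        <STATE value="Closed" />
      </STATES>
      <TRANSITIONS>
        <!-- Anyone may propose a change. -->
        <TRANSITION from="" to="Proposed">
          <REASONS>
            <DEFAULTREASON value="New" />
          </REASONS>
        </TRANSITION>
        <!-- Separation of duties: only the (assumed) approver group may approve.
             Developers who are not in that group cannot move the item past Proposed. -->
        <TRANSITION from="Proposed" to="Approved" for="[Project]\Change Approvers">
          <REASONS>
            <DEFAULTREASON value="Approved for implementation" />
          </REASONS>
          <FIELDS>
            <!-- Record the approver from the identity performing the transition. -->
            <FIELD refname="Contoso.ApprovedBy">
              <COPY from="currentuser" />
              <REQUIRED />
            </FIELD>
          </FIELDS>
        </TRANSITION>
        <TRANSITION from="Proposed" to="Closed" for="[Project]\Change Approvers">
          <REASONS>
            <DEFAULTREASON value="Rejected" />
          </REASONS>
        </TRANSITION>
        <TRANSITION from="Approved" to="Active">
          <REASONS>
            <DEFAULTREASON value="Work started" />
          </REASONS>
        </TRANSITION>
        <!-- A check-in associated with the item can resolve it, linking code to the approved change. -->
        <TRANSITION from="Active" to="Resolved">
          <ACTIONS>
            <ACTION value="Microsoft.VSTS.Actions.Checkin" />
          </ACTIONS>
          <REASONS>
            <DEFAULTREASON value="Implemented and checked in" />
          </REASONS>
        </TRANSITION>
        <TRANSITION from="Resolved" to="Closed">
          <REASONS>
            <DEFAULTREASON value="Verified" />
          </REASONS>
        </TRANSITION>
      </TRANSITIONS>
    </WORKFLOW>
    <FORM>
      <Layout>
        <Control FieldName="System.Title" Type="FieldControl" Label="Title:" LabelPosition="Left" />
        <Control FieldName="Contoso.ApprovedBy" Type="FieldControl" Label="Approved By:" LabelPosition="Left" />
        <Control FieldName="System.History" Type="WorkItemLogControl" Label="History:" LabelPosition="Top" />
      </Layout>
    </FORM>
  </WORKITEMTYPE>
</witd:WITD>
```

The `for` attribute on a transition is what enforces the separation: TFS refuses the state change for any account outside the named group, and the `COPY from="currentuser"` rule plus the read-only rule in the Approved state mean the approver's name is captured by the server rather than typed by hand, which is the kind of evidence an auditor can rely on. The System.History field keeps every revision, so the full sequence of who proposed, approved and closed the change is available for the audit reports discussed later in this post.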
Testing
Testing, and specifically regression testing, has frequently been recommended in audit reports as a method of ensuring that a system is still functional after a change has been made. Team Foundation includes robust testing tools, and can store test results as a documented history for auditors.
Auditing
Auditing requires proof of proper audit and control procedures. In most cases, the data required to compile reports for audit purposes is spread across disparate systems in the enterprise. With an integrated approach to ALM and a central data warehouse, Team Foundation can easily be customized to provide detailed audit reports.
Before embarking on this adventure, it is important to note that not all companies are required to comply with SOX. Only US publicly traded companies, and foreign companies required to report to the SEC, are required to comply. Not all IT systems are required to comply either: only systems with a direct impact on financial reporting.
As a final note, while this series specifically addresses Sarbanes-Oxley compliance using Team Foundation Server, the methodologies can be applied by any company in a highly regulated industry that must closely track its development process. Examples of such regulations include HIPAA, the Gramm-Leach-Bliley Act of 1999, SEC Rule 17a-4, and FACTA.