
SOX ITGC: Controls That Help Build Reliable Financial System

To comply with the Sarbanes-Oxley Act (SOX), publicly traded companies must implement controls that improve the accuracy and reliability of their financial reporting. But the real question is: what are these controls? This is where IT general controls (ITGC) come into the picture. What are they? How do they help achieve SOX compliance? In this article, we'll explore SOX ITGC in detail.

Now, you may have a series of questions such as — ‘Why does it even matter which controls are being implemented across the financial system?’ And most importantly, among all the possible SOX controls, ‘Why is SOX ITGC even considered?’

The controls you implement within your financial system directly influence the reliability and accuracy of your financial statements. So, if you don't want to create room for discrepancies or errors, you must avoid enforcing arbitrary controls (controls you assume are applicable without a valid reason). You have to be precise, and that's exactly what IT general controls (ITGC) offer: precision.

In fact, during SOX audits, certified (CPA, CISA, or CIA) independent auditors specifically evaluate ITGC (consider it a benchmark) to understand whether the IT systems that support the preparation of financial statements are secure, effective, and reliable.

So, if you are a publicly traded US company preparing to become SOX compliant or preparing for an IPO, ITGC is a must-follow standard.

Note: Organizations that are preparing for an IPO, which means planning to go public by offering their shares to the public for the first time, need to ensure that their financial systems and controls are SOX compliant to gain investor trust.

But what exactly is ITGC? How will it help adhere to SOX regulatory compliance? Let’s find out.

What Role Do ITGCs Play In Achieving SOX Regulatory Compliance?

Before delving into the role of ITGC in SOX compliance, let's quickly get an overview of IT general controls.

IT general controls, also commonly known as ITGCs, are a set of controls that help:

  • Ensure the technology and systems used within an organization operate properly and without interruption (for example, by mitigating cyberattacks or data breaches). This ensures the systems function as the organization expects them to, which in turn helps maintain the confidentiality, integrity, and availability of the data stored in them.
  • Govern whether the technology and systems used by different departments across the organization align with the company's policies and procedures.

But now you may ask — 'How will this control even help achieve SOX compliance?'

Well, SOX compliance mandates that US publicly traded companies implement 2 main types of controls to uphold the accuracy and reliability of their financial reporting.


These two controls are:

  • Control #1: Business Controls: This control helps ensure that data entered into the company's enterprise resource planning (ERP) system is accurate and reliable for creating financial reports.

Note: ERP systems are centralized systems (e.g., SAP or Oracle) that collect data like sales figures, expense data, or inventory details from different departments (like the finance or sales departments) and store, manage, and process it effectively.

  • Control #2: IT Controls: Under IT controls, there are again 2 main types of controls: ITGCs and ITACs (IT application controls). These controls help ensure that the systems and applications used to manage financial reports or data are reliable and error-free.

Note: Do not confuse ITGCs with ITACs; they are different controls. ITACs authenticate the data being entered into the ERP system, verify the data as it is processed, and validate the data before it leaves the ERP system. ITGCs, on the other hand, have a broader scope: they oversee the creation of administrator accounts, software lifecycle management, patch management, access controls, audit logs, and a few other aspects. Also, an ITAC restricts what users can do within one platform or application, whereas ITGC governs all systems within a company.

Since SOX requires ITGC implementation, you must enforce it alongside other controls to attain SOX compliance certification—there's no skipping it!

If you neglect to comply with the mandatory requirements set forth by SOX compliance, you may end up paying compliance violation penalties, which are quite costly.


But how does SOX ITGC ensure the systems used by organizations to collect, manage, store, and process financial data remain reliable? How does it work? Here's how.

How Does SOX IT General Control Work?

SOX ITGC makes sure enterprise resource planning systems (or any systems that handle financial data) operate effectively by controlling the following areas:

  • Controls General IT Administration: ITGC controls how systems are managed, who is responsible for overseeing those systems, and how and when to conduct risk assessments and vulnerability assessments.
  • Sets Rules For Account Creation: ITGC ensures that only specific individuals are responsible for creating or managing other users' accounts.
  • Manages User Access: ITGC ensures that only authorized individuals have access to sensitive financial records stored in ERP or other financial systems by implementing measures (authentication, authorization, and identity and access management) designed to prevent unauthorized access and financial data manipulation. In addition, it enforces password management practices and a least-privilege access policy as an extra layer of security, and it uses full disk encryption to secure the ERP or financial system at rest so that the financial data stored there cannot be compromised during off-hours.
  • Manages System Lifecycle: IT teams often neglect to update their organizations' system software and network releases, which puts the financial data stored in those systems, and the applications running on those networks, at risk. To prevent this, ITGC enforces rules that require IT teams to update systems and software on a timely basis.
  • Oversees Patch Management: ITGC requires IT teams to continuously monitor ERP systems, networks, and applications to identify potential security gaps and vulnerabilities. When an issue is detected, ITGC requires IT teams to deploy security patches immediately to close those gaps before they escalate into significant issues.
  • Oversees Physical & Environmental Security Management: When we discuss security, our focus often shifts toward digital threats. However, ITGC ensures that equal attention is given to physical and environmental security. It does that by mandating the regular inspection and testing of keycard or badge-based entry systems and by requiring intrusion detection systems that monitor unauthorized physical access attempts. These proactive measures help safeguard financial data stored in on-site database lockers from theft or tampering.
  • Oversees Change Management: ITGC requires careful review and testing of changes made to a system's configuration before they are released into the live production environment. This reduces the risk of introducing vulnerabilities or bugs into an organization's system ecosystem.
  • Maintains Audit Logs: ITGC makes audit logging compulsory so that there is a record of who performed which actions on a system.
  • Creates Data Backups: ITGC sets up policies and practices for creating backups of sensitive financial records. These backups ensure that financial records can be recovered quickly after a system failure or cyberattack, which helps prevent data loss and operational disruption.

Now that you are familiar with how SOX ITGC operates, let's understand how much time is required to set up SOX ITGC and the duration of the evaluation phase.

SOX ITGC: IT General Control Implementation & Evaluation Duration

The duration of the SOX ITGC implementation and evaluation can vary depending on the size of the organization and the complexity of the system it uses.

  • For example, larger organizations have more departments and systems, which makes the SOX ITGC implementation and evaluation process longer. Conversely, smaller organizations can generally complete the SOX ITGC implementation and evaluation process comparatively faster as they have fewer departments and systems.
  • Another example is that if an organization uses an advanced and complex enterprise resource planning system, it will take more valuable time to set up controls to manage and test them. Meanwhile, if an organization uses a simple standalone ERP system, it will take less time to implement controls to manage it and test the effectiveness of controls.

However, the SOX ITGC preparation or implementation generally takes 1-3 months. Once the SOX ITGC implementation is complete, organizations need to conduct an internal ITGC risk assessment, which takes an average of 2-4 months.

After that, organizations have to undergo a SOX ITGC audit, in which external certified auditors thoroughly evaluate IT general controls. This evaluation process usually takes 3-6 months.

Note: Post-audit, you will further need to dedicate some time to work on feedback provided by the auditor (if any). Once necessary improvements or adjustments are made, you have to undergo a second audit to attain the SOX compliance certification. If you struggle to understand what needs to be done first during the SOX ITGC compliance process, you can get help from a SOX consultant.


To sum up, the entire SOX ITGC compliance process—from implementation to evaluation—will roughly take over a year to complete, so plan your schedule accordingly!

However, there is a way to achieve SOX ITGC compliance faster: by implementing SOX ITGC correctly! How to ensure that? The key is to follow SOX ITGC's best practices. What are these practices? Let's quickly find out.

SOX ITGC Best Practices For Effective Implementation Of IT General Controls 

Below are a few SOX ITGC best practices that you can follow to implement IT general controls effectively.

1: Establish A Well-Defined Structure To Supervise SOX ITGC Implementation

Start by assembling a dedicated team to supervise the implementation of SOX ITGC. How is this going to help? During SOX ITGC implementation, mistakes can occur (accidentally or intentionally), such as setting up the wrong ITGC controls for access management. With a dedicated team in place, these errors can be caught on the spot and rectified immediately, which helps ensure error-free SOX ITGC implementation from the start.

However, do not assign the entire responsibility of supervising every ITGC control to a single individual, as this increases the risk of oversight and mismanagement. Instead, adopt the segregation (division) of duties principle: divide responsibilities among multiple authorized individuals.

For example, different individuals should supervise IT general controls that are enforced for authorizing transactions, processing payments, and reconciling accounts. This practice will help reduce the likelihood of bias, fraud, errors, or conflicts of interest.

2: Conduct An In-Depth Review Of SOX ITGC

In case discrepancies are overlooked during the SOX ITGC implementation phase, you can effectively identify them by performing a thorough SOX ITGC review. However, that is not all; this review also allows you to understand whether the implemented IT general controls are performing as intended or not.

For example, after reviewing the SOX ITGC, you may discover that the ITGC's access management controls are not correctly restricting user permissions, which exposes sensitive financial data to unauthorized users. With these real-time insights, you can promptly take necessary corrective actions to strengthen the control, like redefining role-based access restrictions or adding another layer of authentication protocols.

Now, to conduct this review, you can either assemble an internal audit team (but remember that wherever there is manual work, there is a chance of error) or opt for a more viable option, an automated access review solution like Zluri.

Zluri offers an 'automated access review solution' that can help review whether ITGC controls are actually able to restrict financial data access to authorized users only. How does it do that? It performs a thorough access review of applications that store financial data and different user types that hold access to these apps.

  • During this review process, Zluri’s access review evaluates each user who holds access to these apps and determines whether they are authorized (have the approval) to access them or not.
  • If it detects misalignment in user access permissions, such as a user holding unauthorized access or excessive permissions, it runs auto-remediation actions to safeguard financial data from being compromised or misused.
  • Finally, it logs all the misaligned access permissions or anomalies in its UAR report and mentions its actions to fix the issues. You can evaluate these reports to understand where your ITGC falls short.
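As an added illustration (this is not Zluri's code and not part of the original article), the following script shows the shape of the user access review just described and of the segregation-of-duties check from best practice 1: each user's granted entitlements in a financial application are compared against the entitlements approved for the user's role, unapproved or excessive access is flagged and auto-remediated, a user who both authorizes payments and processes or reconciles them is flagged for the control owner, and everything is written to a UAR-style report. The roles, entitlements, users, approver names and conflict pairs are all constructed sample data, not values from any real system.

```python
"""Minimal user access review (UAR) with a segregation-of-duties check.
Added example; all data below is constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Constructed: entitlements approved for each role in a hypothetical ERP app.
APPROVED_ROLE_ENTITLEMENTS = {
    "ap_clerk": {"view_invoices", "enter_invoices"},
    "ap_manager": {"view_invoices", "approve_payments"},
    "treasury": {"view_invoices", "process_payments"},
    "gl_accountant": {"view_ledger", "reconcile_accounts"},
    "auditor": {"view_invoices", "view_ledger"},
}

# Constructed: pairs of duties one person must not hold at the same time
# (authorize transactions / process payments / reconcile accounts).
SOD_CONFLICT_PAIRS = [
    ("approve_payments", "process_payments"),
    ("approve_payments", "reconcile_accounts"),
    ("process_payments", "reconcile_accounts"),
]


@dataclass
class UserAccess:
    user: str
    role: str
    granted: frozenset          # entitlements the user actually holds
    approved_by: Optional[str]  # who approved the role; None = no approval


@dataclass
class Finding:
    user: str
    kind: str    # unknown_role | unapproved | excessive | sod_conflict
    detail: str
    action: str  # what the review did (or escalated) about it


def review_user(ua: UserAccess) -> list:
    """Compare a user's granted access with what their role allows."""
    findings = []
    approved = APPROVED_ROLE_ENTITLEMENTS.get(ua.role)
    if approved is None:
        findings.append(Finding(ua.user, "unknown_role",
                                f"role {ua.role!r} is not defined",
                                "revoked all access; escalated to control owner"))
        return findings
    if ua.approved_by is None:
        findings.append(Finding(ua.user, "unapproved",
                                f"role {ua.role!r} has no recorded approval",
                                "suspended access pending approval"))
    excess = set(ua.granted) - approved
    if excess:
        findings.append(Finding(ua.user, "excessive",
                                f"holds {sorted(excess)} beyond role {ua.role!r}",
                                f"revoked {sorted(excess)}"))
    for a, b in SOD_CONFLICT_PAIRS:
        if a in ua.granted and b in ua.granted:
            findings.append(Finding(ua.user, "sod_conflict",
                                    f"holds both {a!r} and {b!r}",
                                    "flagged for control owner review"))
    return findings


def remediate(ua: UserAccess, findings: list) -> frozenset:
    """Auto-remediation: drop excess entitlements; suspend unapproved or
    unknown-role users entirely. SoD conflicts that survive inside an
    approved role are left for a human to resolve, not silently changed."""
    kinds = {f.kind for f in findings}
    if "unknown_role" in kinds or "unapproved" in kinds:
        return frozenset()
    return frozenset(ua.granted & APPROVED_ROLE_ENTITLEMENTS[ua.role])


def run_access_review(users: list):
    """Return (all findings, {user: access after remediation})."""
    all_findings, resulting_access = [], {}
    for ua in users:
        findings = review_user(ua)
        all_findings.extend(findings)
        resulting_access[ua.user] = remediate(ua, findings)
    return all_findings, resulting_access


def format_uar_report(findings: list, access: dict) -> str:
    lines = [f"UAR report: {len(findings)} finding(s) across {len(access)} user(s)"]
    for f in findings:
        lines.append(f"- {f.user}: {f.kind}: {f.detail} -> {f.action}")
    for user, ents in sorted(access.items()):
        lines.append(f"  access[{user}] = {sorted(ents)}")
    return "\n".join(lines)


# Constructed sample population for the review.
SAMPLE_USERS = [
    UserAccess("alice", "ap_clerk", frozenset({"view_invoices", "enter_invoices"}), "cfo"),
    UserAccess("bob", "ap_manager",
               frozenset({"view_invoices", "approve_payments", "process_payments"}), "cfo"),
    UserAccess("carol", "gl_accountant",
               frozenset({"view_ledger", "reconcile_accounts", "approve_payments"}), None),
    UserAccess("dave", "contractor", frozenset({"view_invoices"}), "it_helpdesk"),
]

if __name__ == "__main__":
    found, after = run_access_review(SAMPLE_USERS)
    print(format_uar_report(found, after))
```

The review deliberately separates detection from remediation: excess entitlements are revoked mechanically because the approved role definition makes them unambiguous, while a segregation-of-duties conflict is only flagged, since resolving it usually means changing a role design or reassigning a duty, which is a decision for the control owner rather than a script.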

Note: To gain more clarity on how Zluri conducts an access review, you can check out this access review tour.

https://www.zluri.com/access-reviews/salesforce 

Still unsure how it detects ITGC inefficiencies? In simple words, Zluri conducts a user access review and detects possible access misalignment. Such misalignment indicates that the current ITGC controls are not functioning as intended, which means they are not managing user access permissions appropriately.

However, you do not have to fix the misaligned access permissions, as Zluri automatically fixes them (as discussed above). What you can do is use these insights to improve your ITGC so that such things (misaligned access) do not happen in the future.

Note: You have to appoint a separate team of experts to make the necessary changes and modifications to ITGC controls.

3: Opt for An External Auditor

If you don't have a team of experts or prefer not to rely on an automated tool for results, you can always turn to a third-party auditor for help. These professionals will conduct a SOX ITGC assessment on behalf of your team and outline their findings in a report, along with suggestions for improvement. You can then address this feedback by taking corrective actions and ask them to conduct a follow-up assessment to confirm whether you have made the changes correctly.

However, note that this assessment will take 2 to 4 months, depending on the complexity of the ITGC you have implemented. Since this assessment needs to be conducted on a periodic basis, be prepared to incur recurring costs (audit fees) associated with hiring an external auditor.

Note: This is just a suggestion; it's entirely up to you whether to follow it. Hiring an external auditor for the SOX audit is mandatory; however, you don't necessarily need one to assess your ITGC controls. Moreover, relying on external auditors for regular assessments can become costly in the long run. Instead, consider a subscription-based access review solution (which puts less strain on your budget). It can assess the effectiveness of your ITGC controls quickly, whenever you need it, without the hassle of finding the right auditor each time.

Enforce IT General Controls To Create A Reliable Financial System & Earn Investor Confidence

By enforcing IT general controls, you are not merely meeting SOX compliance requirements—you are showcasing your organization’s dedication to providing accurate and reliable (fraud-free) financial statements.

This, in turn, helps earn investor, partner, and customer trust and confidence. Once you've gained their trust, they view your organization as secure, trustworthy, and credible. This perception makes them more inclined to invest in your business and open up partnership opportunities.

In fact, in this crowded market, if you can meet the expectations (hit their benchmark) of clients, partners, or investors, you’re not just keeping up—you’re gaining a competitive edge.

So, implement SOX ITGC controls today to comply and build a foundation for long-term success!

Frequently Asked Questions (FAQs)

1. Which Compliance Regulation, Apart From SOX, Mandates Implementation Of IT General Control?

The Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), General Data Protection Regulation (GDPR), and Federal Information Security Management Act (FISMA) also mandate the implementation of ITGC.

2. Which Public Frameworks Are Used To Set Up IT General Controls Within An Organization?

The Committee of Sponsoring Organizations of the Treadway Commission (COSO), Control Objectives for Information and Related Technologies (COBIT), and the National Institute of Standards and Technology (NIST) are public frameworks that are generally used to implement ITGC in an organization.
