Sarbanes-Oxley (Application and ITGC)

The Sarbanes-Oxley Act of 2002 is a law the U.S. Congress passed on July 30 of that year to help protect investors from fraudulent financial reporting by corporations. The Sarbanes-Oxley Act of 2002 came in response to financial scandals in the early 2000s involving publicly traded companies such as Enron Corporation, Tyco International plc, and WorldCom.

The high-profile frauds shook investor confidence in the trustworthiness of corporate financial statements and led many to demand an overhaul of decades-old regulatory standards.

SOX 404 refers to a section on the SOX Act (Section 404) that defines the SOX requirement for management to implement internal controls over financial reporting.

SOX applies to all publicly traded companies in the United States as well as wholly owned subsidiaries and foreign companies that are publicly traded and do business in the United States. From the IT perspective, there are IT general controls (ITGCs) and application controls. The goals for SOX IT controls are to ensure the systems are accurate, complete, and free from error since that would impact the financial reporting. 

1. To establish Internal Control Framework.
2. To assess the design and operating effectiveness of IT general controls for applications on annual basis.
3. To disclose all known controls significant deficiencies and material weaknesses.

Our approach includes: 

Phase 1: Assess
Define internal control framework, identify key processes, identify risks, and define risk mitigation strategies and ITGC. 

Phase 2: Test of Design 
Test of design for IT general controls defined for application in-scope.

Phase 3: Test of Effectiveness
Test of effectiveness for IT general controls defined for application in-scope based on population and sample.

Phase 4: Report
Report results of testing,  design effectiveness and operating effectiveness.