IT Sarbanes Oxley (SOX)

IT SOX testing is required for publicly traded companies. Quarterly and annually, your external auditors are required to attest to your technical controls within your companies’ Q’s and K’s that are filed with the SEC. We operate as your internal auditors and managements’ advisors for all items related to IT SOX.

​

​You may be thinking, “what does IT SOX entail?” It feels broad since technology touches all aspects of your business, but we focus first and foremost on ensuring you have the project scoped correctly. The initial investment up front in the scoping process can save you thousands of dollars and prevent large headaches down the road. IT SOX scoping is largely driven by the business process side of the SOX audit and we partner closely with those individuals throughout the life cycle of the project. With larger firms, you’ll notice IT SOX and business process SOX are treated as two separate projects, but with our focus on staying in lockstep between the two, it enhances overall quality of testing and provides more effective communication across the organization. 

​

Here are a few general questions that are asked when initiating an IT SOX project:

• What systems do you have in place?

• Walk us through the “flow of funds” or how your business incurs revenue.

• Do you have change management in place?

• Do you have adequate access management?

• Walk us through the systems that are leveraged to make changes, provision access, and manage interfaces/APIs.

• Do your policies align with SOX requirements?

• What do your SOC report reviews consist of annually? 

 

We will scope your project, develop a narrative, data flow diagram, and risk and control matrix, assist with gap remediation, test controls for design and effectiveness, and coordinate with your external auditors throughout the lifecycle of the project to ensure the highest reliance rates possible on our testing.