IT SOX Compliance: Requirements, Tips & Challenges


Establishing and maintaining a SOX program can be a difficult and complicated task.

Adding to the complexity, SOX programs are commonly established and directed by individuals within a company’s finance and accounting department, and taking on added responsibility for evaluating information technology controls can create even more complexity for finance professionals.

Whether or not your finance and accounting team is familiar with IT controls, they can still meet SOX compliance requirements with a purposeful strategy.

5 Tips for Meeting IT SOX Compliance Requirements

1. Partner with your CIO and/or CTO

Most technology leaders have been exposed to controls around data security and system development during their careers.

Your CIO or CTO is a valuable resource to assist with identification and design of controls, and they may already have processes and tools in place that you can leverage for SOX compliance. 

Questions to ask technology leaders about SOX compliance:

  • Do we have existing IT controls for other compliance requirements, such as HIPAA, PCI, or ISO 27001? 
  • Does the company have a SOC 1 or SOC 2 report where we could leverage existing IT controls? 
  • Do we have tools in place to assist with access management, change management, and system monitoring?

2. Identify in-house IT vs. outsourced IT

It is important to distinguish between internally developed systems and systems that are outsourced to third-party, or SaaS, vendors.

The same IT control coverage should be in place regardless of whether it was developed in-house or outsourced. However, the responsibility for operating the controls is a key difference.   

Internally developed systems will require processes to be established to ensure proper security, infrastructure, IT segregation of duties, system development and testing, and appropriate approvals and change management.

For SaaS solutions, on the other hand, many of these controls are handled by the vendor. However, you are still responsible for some areas, including access management and monitoring.

These required controls are typically outlined in the Complementary User Entity Controls (CUEC) section of your vendor’s SOC report.    

3. Document data flows and identify interfaces

A solid starting point for determining which systems are involved in financial reporting is to visualize the data flow.

This involves identifying the initial data sources for areas such as procurement, sales, human resources and payroll, financial reporting, and other business processes.

Create a map that follows the data through each system while identifying how the systems interface with each other.

Questions to ask when documenting data flow for SOX compliance: 

  • Is the data manually exported from one system to another? 
  • Are there automated interfaces via API or SFTP?
  • Is data loaded directly using a database account?

When you have a visual representation of the data flow from the source system through to financial reports, you can start identifying key systems and designing interface controls to ensure that data is transferred completely and accurately between systems.

4. Establish future state IT general controls and application controls 

Once you have identified the systems and interfaces in-scope for IT SOX, document your controls and establish a roadmap or action plan for implementing those controls.

Even if you do not currently have processes in place to support your future-state IT controls, set a target to work toward.

Common IT General Control areas include access management, change management, computer operations and system development.

Common application and interface controls include: 

  • Workflow approvals
  • Three-way match
  • System checks and comparisons
  • Job processing and error checks
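The interface control from tip 3 (data transferred completely and accurately between systems) and the "system checks and comparisons" control listed above, as an added Python example that is not from the original article: it reconciles a source-system export against what the target ledger actually loaded using a record count, a hash total of amounts and a content hash, and returns the exceptions an operator must clear. The column names and sample rows are constructed for illustration only.

```python
import csv
import hashlib
import io
from decimal import Decimal

# Constructed sample extracts (not from any real system): what the source
# system exported versus what the target ledger actually loaded.
SOURCE_EXPORT = """id,vendor,amount
1001,ACME,250.00
1002,Globex,1200.50
1003,Initech,75.25
"""
TARGET_LOAD = """id,vendor,amount
1001,ACME,250.00
1002,Globex,1200.05
"""

def parse(csv_text):
    # {record id: (vendor, amount)}; Decimal avoids float rounding in totals
    return {row["id"]: (row["vendor"], Decimal(row["amount"]))
            for row in csv.DictReader(io.StringIO(csv_text))}

def control_totals(records):
    # Record count and hash total catch dropped or altered amounts; the
    # content hash over canonical rows catches changes to any field.
    digest = hashlib.sha256()
    for rid in sorted(records):
        vendor, amount = records[rid]
        digest.update(f"{rid}|{vendor}|{amount}\n".encode())
    return {"count": len(records),
            "hash_total": sum((a for _, a in records.values()), Decimal(0)),
            "content_hash": digest.hexdigest()}

def reconcile(source_text, target_text):
    # Returns the exceptions an operator must investigate and clear; an
    # empty list means the two sides agree on every record.
    src, tgt = parse(source_text), parse(target_text)
    if control_totals(src) == control_totals(tgt):
        return []
    exceptions = [("missing_in_target", rid) for rid in src.keys() - tgt.keys()]
    exceptions += [("unexpected_in_target", rid) for rid in tgt.keys() - src.keys()]
    exceptions += [("value_mismatch", rid) for rid in src.keys() & tgt.keys()
                   if src[rid] != tgt[rid]]
    return sorted(exceptions)
```

Retaining the two sides' control totals and the exception list with the sign-off for each run gives the audit evidence tip 5 asks for.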

5. Stay organized and document everything

During this entire process, organization is one of the main keys to success. 

  • Stay organized – You may choose to use tools such as MS Teams, FloQast, SharePoint, or other file sharing platforms to store your control documentation and evidence.
  • Use templates – Do not rely on email or chat messages as audit evidence when performing controls, such as access provisioning. Develop a set of templates for access requests, change requests and other repeatable processes to maintain consistency.
  • Document everything – When systems change, access is modified or IT decisions are made, make sure all supporting evidence is documented and retained; this will be crucial during future audits.

Final Thoughts on Meeting IT SOX Compliance Requirements

IT SOX requirements are not as intimidating as they might initially seem. 

By partnering with technology-minded teammates and taking a methodical approach, any organization can succeed in establishing and maintaining a successful IT SOX program.


Bridgepoint Consulting is the strategic partner you need to make sure you are navigating the SOX compliance process with ease. For more than twenty years, our team of experienced business consultants and industry veterans has been streamlining different phases of businesses’ lifecycles. To start simplifying your process, get in touch today.