I came across a concise, straight-forward summary of year 2 evolution’s in an organization, from an IT Security Manager’s perspective. Dave Bowser’s “How to Learn to Love Sarbanes-Oxley” provides some very useful points of reference for organizations continuing to change and refine their SOX compliance practices.
In addition to the IT-centric considerations noted in the article, I would also suggest that the control activities occurring within the business provide a powerful base of intelligence that can lead to improved efficiencies in the systems environment as well.
Since a control by design should stop a transaction from continuing through the process when an error is found, business owners, through the operation of their controls over critical transactions, should now be keeping documentation on the nature and frequency of exceptions they are finding in their processes. A studied review of identified exceptions is an excellent way to prioritize refinements in the core processes that drive financial performance.
In one example, IT was asked to begin logging and obtaining system owner approval for all changes to production data. Though this had long been an informal practice, it was escalated to a level of “key control” as part of the General Computer Controls considerations around systems and production data. In monitoring and performing this new control, a number of systemic issues were now documented, many of which were minor configuration or functionality changes that improved the integrity of the data.
For the non-IT business manager, a regular self-assessment of control operations should also reveal potential improvements in process. The exceptions found in detective, back-end controls can recommend more appropriate front-end controls to reduce error correction and rework. Often, these exceptions can point to refinements for system input screens that shift the control function from detective/manual to preventative/automated. These system change requests will have much more clout when based on hard data, given the potential costs these changes might require.
“Love” might still sound like a strong word, but when business begins to review and monitor the data as closely as the auditors, there is a strong promise of improved operational efficiency.