SOX Testing for IT

A Handbook for the Consultants Testing IT Application Controls
Member Submitted

SOX. The name strikes terror in many an IT consultant. It is an undeniable fact that with the introduction of SOX, IT consultants are getting overloaded with work on top of their already huge work pile. But this is no reason for them to raise a hullabaloo when there is a lapse in compliance. Slowly, some of the biggies in the industry are introducing SOX consultants to reduce the workload of the IT consultants.

In the ensuing paragraphs, we take a look at the basic responsibilities of a SOX consultant, how to get things done in a rather pleasing manner, and the demarcation of tasks between the IT and SOX consultants.

Set the expectations right
When a SOX consultant is hired, the immediate thing that comes to the minds of IT consultants is that the SOX guy would take care of all SOX-related responsibilities with just a couple of minutes of knowledge transfer about the application. But when the SOX guy comes in, he might not know head or tail about the applications and processes, let alone the technology part. Ultimately the result is the SOX consultant acting as a pest and bugging the IT consultant for each and every little doubt that he might have. This can sometimes create friction between the two, which finally benefits neither the concerned parties nor the organization.

This is a recurring scenario in most organizations opting for a consultant to do SOX work. The first step towards avoiding the friction is setting the expectations right among the IT consultants. Management should clearly explain to them that the SOX consultant being hired will require some time before taking up things on his own, and that there will not be a 100% responsibility shift. Once there is a clear statement on this, the possibility of friction is greatly reduced.

Responsibilities of the "SOX Guy"
Let us first list the typical job responsibilities of a SOX consultant.

  1. Understand the application under scope and the processes involved in its various stages
  2. Understand how SOX testing was done previously and how the different controls were tested
  3. Perform controls testing with the help of the IT consultant

While this list may seem somewhat exhaustive, the main factors that differentiate a good SOX tester from an "okay" SOX tester are missing from it.

a) Quality
As far as SOX testing is concerned, quality is the key word. There is no second chance in SOX testing: once a control fails, it is escalated to all the concerned members of the upper echelons. Compromising on quality is like digging your own grave. And it is not really easy to be adamant about following the guidelines all the time. There may be cases where an IT AD says this is how they did it last year and it passed. It might really be a pain in the neck to be stubborn. But at times like these, standing firm will really help to achieve the ultimate goal. People might start to hate you for being picky. But ultimately a SOX consultant should bear in mind that if there is a lapse in quality, it is he who is going to be questioned first. Moreover, it is not in the spirit of the testing to allow a lapse, be it small or big. After spending so much to hire a SOX consultant, no organization would like to have a failure in its controls scorecard. Strict adherence to the guidelines may prove very effective, whereas a small lapse may prove very costly.

b) Interpersonal Skills
For any work in any field to be done successfully, there needs to be a healthy relationship within the team. It is highly probable that the IT consultant will become bugged by the continuous doubt-clarification sessions that he has with the SOX guy. But it is up to the SOX guy to make the IT consultant feel he is not being bugged. One simple way to lessen the friction is to consolidate all the doubts and then approach the IT consultant to get them clarified in one go, unless something requires immediate clarification.

A couple of other things that might provide a positive outlook are:

  1. Saving a spreadsheet or any document in printable format (with the print area and dimensions set)
  2. Saving the spreadsheet with the cursor on cell A1
  3. Having a proper folder structure and naming conventions for all the documents
  4. Keeping the work area organized
  5. And most importantly, a smile on the face

The items listed above might not seem like much on the surface, and might not even seem related to SOX, but when followed, they provide a positive impact that ultimately helps in getting things done easily.

c) Innovation
It is true that hiring a SOX consultant will reduce the burden on IT consultants. But for the price they pay for a SOX consultant, some form of innovation will always be expected.

Though SOX consultants do not do coding or much creative work, there is always scope for innovation in the work they do. For example, assessing how the controls testing was done previously and providing recommendations to optimize it can be a good starting point. Also, creating walkthroughs of the various stages of SOX testing serves well when a newcomer arrives on the scene.

One good advantage that a SOX consultant has is the lull period in his work. The SOX guy may not be busy all year round. Once a deadline is met, until the next testing period starts, he might have valuable time to his credit for innovation. If properly planned, the spare time can be used to carry out innovations of monstrous capacity.

Task Demarcation
"One man can be a crucial ingredient on a team, but one man cannot make a team."

True to the quote above, there cannot be success unless the SOX and IT consultants work together (though perhaps in the ratio 70:30).

There are some things that need to be tested only by a person who has immense knowledge of the application. Even though a SOX tester might know the application well, he might not be familiar with the intricacies of the system. Cases like simulating an error need to be done by the IT person with the SOX consultant as a witness, in order to properly certify a control. All such factors ought to be kept in mind while drawing a line between the tasks of the SOX consultant and the IT AD. A sample task demarcation can be as follows:

SOX Consultant

  • Help the IT AD to understand the guidelines
  • Distribute a checklist of what is required from IT for a control
  • Obtain the evidence with the help of the IT AD
  • Help IT to obtain signoffs from IT and business management
  • Validate the evidence
  • Document all evidence and signoffs with acceptable naming conventions in a proper folder structure

IT AD

  • Understand the guidelines
  • Provide evidence according to the guidelines to the SOX consultant when it cannot be obtained directly by the consultant, e.g. simulating an error condition
  • Review the documents and signoff verbiage, and provide email signoffs on them

All the issues in SOX testing arise from a lack of clarity in task demarcation. So once such a task demarcation is communicated to the concerned parties, a smooth operation can surely be expected.

Conclusion
Of course, hiring a SOX consultant will prove useful and can accomplish things much more quickly. But one has to carefully analyze whether the SOX testing is done true to its spirit. This can only be accomplished by implementing SOX compliance in daily tasks and actions rather than doing everything in one go just before the audits. Helping the organization align its business activities with SOX compliance should be the ultimate goal of the SOX consultant.

AgileConnection is a TechWell community.