SOX Testing for IT

A Handbook for the Consultants Testing IT Application Controls
Member Submitted

This article acts as a handbook for the newly emerging breed of SOX testers for IT application controls. It outlines the basic responsibilities of a SOX consultant, the qualities required, and the demarcation of tasks between the IT and SOX consultants in an organization. The article also highlights the importance of setting expectations right with the IT and SOX teams to enable a frictionless working environment.

SOX: the name strikes terror in many an IT consultant. It is an undeniable fact that with the introduction of SOX, IT consultants are getting overloaded with work on top of their already huge work pile. But this is no reason for them to raise a hullabaloo when there is a lapse in compliance. Slowly, some of the biggies in the industry are introducing SOX consultants to reduce the workload of the IT consultants.

In the ensuing paragraphs, we look at the basic responsibilities of a SOX consultant, how to get things done in a rather pleasing manner, and the demarcation of tasks between the IT and SOX consultants.

Set the expectations right
When a SOX consultant is hired, the first thing that comes to the minds of IT consultants is that the SOX guy will take care of all SOX-related responsibilities after just a couple of minutes of knowledge transfer about the application. But when the SOX guy comes in, he might not know head nor tail of the applications and processes, let alone the technology. The result is that the SOX consultant ends up acting as a pest, bugging the IT consultant about each and every little doubt he might have. This can create friction between the two, which ultimately benefits neither party nor the organization.

This scenario repeats itself in most organizations that opt for a consultant to do SOX work. The first step towards avoiding the friction is setting the expectations right among the IT consultants. Management should clearly explain to them that the SOX consultant being hired will require some time before taking up things on his own, and that there will not be a 100% shift of responsibility. Once this has been clearly stated, the possibility of friction is greatly reduced.

Responsibilities of the "SOX Guy"
Let us first list the typical job responsibilities of a SOX consultant.

  1. Understand the application under scope and the processes involved in its various stages
  2. Understand how SOX testing was done previously and how the different controls were tested
  3. Perform controls testing with the help of the IT consultant

While this list may seem fairly exhaustive, it omits the two main factors that differentiate a good SOX tester from an "okay" SOX tester:

a) Quality
As far as SOX testing is concerned, quality is the key word. There is no second chance in SOX testing: when a control fails, it is escalated to all the concerned members of the upper echelons. Compromising on quality is like digging your own grave. And it is not easy to insist on following the guidelines all the time. There may be cases where an IT AD says that this is how they did it last year and it passed. It can be a real pain in the neck to be stubborn, but at times like these, standing firm will help to achieve the ultimate goal. People may start to hate you for being picky, but a SOX consultant should bear in mind that if there is a lapse in quality, he is the one who will be questioned first. Moreover, allowing a lapse, be it small or big, is not in the spirit of the testing. After spending so much to hire a SOX consultant, no organization wants a failure on its controls scorecard. Strict adherence to the guidelines may prove very effective, whereas a small lapse may prove very costly.

b) Interpersonal Skills
For any work in any field to be done successfully,

AgileConnection is a TechWell community.