IT Systems Validation
For SOx and Regulatory Compliance
Information technology has become a core enabler of business processes within organizations today. As a result, companies are required to audit and validate their relevant IT systems to ensure that their business processes and underlying records comply with regulations such as the Sarbanes-Oxley Act of 2002.
Syentys defines an "easy-to-implement" framework for auditing and validating IT systems for regulatory compliance. It also identifies a best practice which calls for IT organizations and software vendors to proactively audit their software development and implementation processes on an ongoing basis to identify and correct any systemic issues to lower the cost of compliance.
The Sarbanes-Oxley Act takes corporate governance, disclosure and financial accounting to new heights. The crux of the legislation - aimed squarely at public companies - centers on ensuring the accuracy, consistency, transparency, and timeliness of financial results and disclosures. Establishing and maintaining an adequate internal control structure and procedures for financial reporting is at the core of compliance with Section 404 of the Sarbanes-Oxley Act. However, there is a strong linkage between the enhanced internal controls that the act demands and the information systems that manage data, implement workflows, and automate business processes. In fact, the accuracy and timeliness of financial reporting are heavily dependent on a well-controlled IT environment. PCAOB Auditing Standard No. 2 discusses the importance of IT in the context of internal control. In particular, it states: "The nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting."
Many companies are using the COSO framework for internal controls - where the importance of IT controls is embedded in the framework. These companies are then applying the COBIT model of IT Governance to ensure that the right level of IT controls is implemented (see figure 1). Compliance with the Sarbanes-Oxley Act requires that financial systems used in the preparation of required financial statements be controlled and validated to prove the accuracy and timeliness of certain financial data.