As boards consider their readiness for UK SOX compliance and tightening financial controls, it's crucial to think about information technology. We explain why technology controls are vital for driving efficiency, the key challenges, and how to implement them.
While many mature organisations will already have a framework for technology controls, it might not meet all the requirements for UK SOX compliance. So, readiness may require significant adaptations.
Preparing technology for UK SOX compliance
Thinking about technology controls now will make efficient compliance much easier to implement.
All technology components (applications, systems, and infrastructure) and data that provide material inputs to or process financial transactions are in scope of the Sarbanes-Oxley Act (US SOX). It's a reasonable expectation that the UK’s version will adopt a similar approach. This could result in a long list. It is not uncommon for US SOX compliance frameworks to include at least 20-30 systems.
In addition to core components, any cloud and third-party applications or End User Computing (EUC) solutions will also need to be included. These controls can be difficult to manage, particularly where this will require changes in organisational behaviour or contract negotiation with providers. The increased use of cloud solutions means the controls in scope of the audit will often extend beyond the boundary of the organisation itself. This is where having a clear framework for managing your third parties is key.
There are four key steps for implementing technology controls.
1 Define what should be in-scope
Firstly, you will need to determine which technology components and data should be in scope. To achieve this, your finance, business, and technology functions will need to work together to develop a clear end-to-end understanding. This should include all of your key financial processes and all the technology solutions (such as servers, interfaces, and networks) and systems (including off-the-shelf, in-house developed, cloud/third-party hosted, and EUC applications and databases) involved in creating, updating, storing, and processing financial data.
2 Define the desired technology control set
With reference to the defined scope, identify technology controls that should be in place within or over the solutions, systems, and data. Technology controls can be grouped in a number of ways, but typically include:
- User access and segregation of duties
- Change management and system development
- Batch/scheduled jobs and exception reporting
- Backups and system recovery arrangements
- Data integrity and system interfaces
- The production of key reports
Technology controls are typically classified as either an ITGC (IT General Control) or an ITAC (IT Application Control). ITGCs are controls where the same control wording may be applied to multiple systems and databases; they often have a manual element to them. ITACs tend to be fully automated and system-specific.
3 Understand existing controls
Once all the in-scope components and data have been identified and the technology control requirements are defined, you should review your existing technology controls framework to establish what is already in place for each of these, and to what extent this can be leveraged. Where there are gaps, you will need to:
- review technical documentation and interview stakeholders to understand which controls, if any, are in place, and whether the design of these would meet UK SOX compliance requirements
- perform an initial assessment to determine how consistently and formally controls are being operated and how readily available evidence is. This should happen once you are satisfied with the design of the control environment
- understand to what extent there is existing assurance over any of the controls, and how it can be leveraged.
4 Remediate control gaps
Remediation plans should be put into place to address any shortcomings identified and the controls retested to verify they have been actioned appropriately. Compensating controls should also be considered at this stage, particularly where the technology controls gaps may have a pervasive impact on the wider control environment.
The key challenges
The main challenge is often the identification of all the technology components and data that should be in-scope, and implementing controls for these where there are significant gaps.
Many organisations will be reliant upon a wide range of different technologies and applications, including non-connected, ageing legacy software or hardware; EUC solutions (often referred to as ‘shadow IT’); cloud and third-party hosted systems; and bespoke internally developed applications.
It is often not possible, or cost effective, to retrospectively build robust controls into these systems. Careful consideration should be given to the impact of this, and to how assurance can be obtained over the financial data that these systems process or store.
You also need to be aware of some of the specific challenges of building an efficient technology controls framework.
Technology projects and control workstream
Ensure that the UK SOX implications of any technology projects or programmes, or changes to solutions, systems, and data are considered before they are performed. It is common for businesses not to consider technology control requirements upfront when updating or replacing financial systems, thus introducing weakness or gaps into what was previously a strong environment.
Formalising documentation and engagement
Formally document controls and formalise the engagement between technology and the business, particularly where this has been informal in the past.
Keeping stakeholders bought into the SOX implementation projects
Ensure technology teams are bought into the need for UK SOX compliance and the process to strengthen controls. A stronger control environment can often be seen to slow technology administrators down or introduce extra tasks into their day-to-day jobs. If they are not bought into the changes being made, there is a high likelihood they will intentionally or unintentionally subvert the new controls.
Maintaining evidence of control activity
Maintaining evidence of the operation of technology controls, particularly automated controls, can be a complex task. While most systems allow you to log activity, this can be cumbersome to configure, can require significant storage capacity, and can be difficult to interpret if not set up correctly, especially if the evidence requirements are not understood.
Minimising the use of ‘workarounds’
It is not uncommon for organisations to adopt manual workarounds, such as using a spreadsheet to perform certain tasks, to compensate for a lack of functionality in a system. Such workarounds can be complex to control, and evidence of their operation at a point in time can be difficult to maintain. Where a workaround is unavoidable, the specific process should be identified, brought into scope, and controlled to the same level as any other system.
Driving efficiency in technology controls
In our experience, there are three main opportunities to drive efficiency in a technology controls framework that complies with UK SOX:
1 Rationalise the control set
As part of the exercise to review the control environment, you should determine whether any of the controls can be rationalised. Long-winded and repetitive lists of controls can be difficult to manage and prone to error. More mature organisations often seek to introduce a consolidated control set over time to make managing it more efficient.
2 Automate, automate, automate
Wherever possible, implement automated controls. If correctly implemented and maintained, automated controls are less prone to error than manual ones. The first-year investment may be significant, but the return in subsequent years generates significant payback. We have seen clients realise efficiencies of 30-40% from year two onwards.
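As an added illustration (not from the original article), the following Python sketch shows what an automated user access and segregation of duties control with retained run evidence might look like, tying together the control category listed earlier and the evidence challenge described above. The conflict matrix, entitlement names, access export and the control identifier ITGC-UA-03 are all constructed placeholders.

```python
"""Automated SoD check with run evidence (added example; all data constructed)."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed SoD conflict matrix: entitlement pairs one user must not hold together.
SOD_CONFLICTS = {
    frozenset({"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}),
    frozenset({"GL_POST_JOURNAL", "GL_APPROVE_JOURNAL"}),
    frozenset({"AR_RAISE_INVOICE", "AR_WRITE_OFF"}),
}

# Constructed user-access export, as might be extracted from an ERP.
ACCESS_EXPORT = [
    {"user": "jsmith", "entitlements": ["AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"]},
    {"user": "akhan", "entitlements": ["GL_POST_JOURNAL"]},
    {"user": "lchen", "entitlements": ["GL_POST_JOURNAL", "GL_APPROVE_JOURNAL", "AR_WRITE_OFF"]},
    {"user": "svc_batch", "entitlements": ["AR_RAISE_INVOICE"]},
]


def find_sod_violations(access_export, conflicts=SOD_CONFLICTS):
    """Return one record per (user, conflicting pair), sorted so evidence is stable."""
    violations = []
    for row in access_export:
        held = set(row["entitlements"])
        for pair in conflicts:
            if pair <= held:  # user holds both sides of a conflicting pair
                violations.append({"user": row["user"], "conflict": sorted(pair)})
    return sorted(violations, key=lambda v: (v["user"], v["conflict"]))


def build_evidence_record(access_export, conflicts=SOD_CONFLICTS, run_at=None):
    """Package a control run so an auditor can verify exactly what was tested.

    Hashing the canonicalised input binds the result to the data reviewed, so the
    evidence cannot later be paired with a different, cleaner export.
    """
    canonical_input = json.dumps(access_export, sort_keys=True).encode()
    violations = find_sod_violations(access_export, conflicts)
    return {
        "control_id": "ITGC-UA-03",  # constructed placeholder identifier
        "run_at": (run_at or datetime.now(timezone.utc)).isoformat(),
        "input_sha256": hashlib.sha256(canonical_input).hexdigest(),
        "users_reviewed": len(access_export),
        "violations": violations,
        "result": "PASS" if not violations else "FAIL",
    }
```

Scheduling a run like this against each periodic access export, and retaining the JSON record it returns, gives the auditor both the outcome and proof of what data the control was operated over.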
3 Integrate into major projects/programmes
Integrate controls workstreams into all major technology projects or programmes that are seeking to update or replace one of your systems. This helps ensure that control requirements are considered throughout the programme from the start. This applies to both technology controls and controls over financial reporting.