
Agile Solutions in IT SOX Environments

Published
Jun 11, 2024
By
Gaini Umarov
Anthony DeMaria
Evan Haas
Nicholas Otto

The Sarbanes-Oxley Act (“SOX”) was signed into law in July 2002 and quickly changed the compliance landscape for public companies. Among other provisions intended to deter fraud, SOX requires management to report on the effectiveness of the company's internal control over financial reporting (“ICFR”). For many companies, meeting that requirement consumes considerable resources: a wide range of financially relevant business functions, including the IT systems that support them, must be reviewed to show that safeguards over the accuracy of financial reporting are operating effectively. To reduce this burden and address specific technical needs, companies have been adopting agile solutions that produce tangible benefits.

While SOX demands close oversight of the data flows and information used to perform end-to-end checks and balances, an agile approach lets a company absorb change and mitigate risk efficiently. This matters because regulators and auditors expect internal control environments to mature measurably year over year.

Under SOX, management and accounting teams operate under a sharper degree of scrutiny. Control deficiencies that rise to the level of a material weakness must be disclosed, which can weigh on shareholder sentiment and, in extreme cases, contribute to a company being delisted from a public exchange. To avoid this, many internal teams supporting the SOX assessment repackage older evidence-gathering practices to fit the mold of SOX. The downside is that manual processes waste valuable time and resources, which argues for leaner methods of compliance.

Through an agile implementation, procedures are tailored toward a more streamlined internal control environment, which helps with the aggregation and review of evidence addressing pertinent business risks. These solutions improve the experience of both the organization and its end users. Because SOX covers many internal domains, there is a great deal of data to track and many routes to satisfying the requirements auditors need to see before a control passes. In information technology, this is where SOX requirements overlap with information technology general controls (“ITGCs”). The ITGC domains are primarily change management, computer operations and logical security:

Change Management
  • Ensures that changes to financially significant systems, from emergency fixes to routine code changes, are authorized, tested and approved before they reach production.
  • Enables recoverability in the event of an unintended outcome and restricts the ability to make and deploy system changes to approved staff.

Computer Operations Management
  • Ensures the continued reliability and availability of the systems and data used to prepare financially significant information.
  • Includes critical activities such as data backups, data integrations between systems and problem resolution.

Logical Security
  • Focuses primarily on the confidentiality and integrity of systems and financially significant information.
  • Involves granting and reviewing access to systems and data locations, protecting networks, and evaluating vendor applications critical to financial reporting.

Newer platforms with integrated automation provide a holistic management and workflow solution that acts as a repository for maintaining and annotating the audit files applicable to the ITGCs. With increasing demand to satisfy the control requirements in these domains, a handful of applications have become influential in automating the underlying business functions, and their use by IT departments makes the audit process more efficient as a byproduct. Some of these widely used tools are as follows:

Change Management
  • Bitbucket: Git repository hosting and code collaboration platform.
  • GitHub: Git repository hosting platform facilitating collaboration among developers.
  • GitLab: Integrated DevOps platform for managing the software project lifecycle.
  • Jenkins: Automation server for building, testing and deploying software projects.

Computer Operations
  • Amazon S3: Scalable object storage service for storing and retrieving any amount of data.
  • CrowdStrike: Cybersecurity platform for endpoint security, threat detection and response.
  • PagerDuty: Incident management platform for real-time operations monitoring and response orchestration.
  • Rapid7: Security analytics and automation software for threat detection and response.

Logical Security
  • AWS IAM: Identity and access management service for controlling access to Amazon Web Services resources.
  • Lumos: Identity governance platform for access requests, access reviews and privileged access management.
  • Veza: Platform for managing and automating access control and authorization security.

Data Aggregation
  • ServiceNow: Platform for IT service management and enterprise service management.
  • Splunk: Data analytics and visualization platform for searching, monitoring and analyzing machine-generated data.

Audit Management
  • Workiva: Platform for collaborative work management and streamlined reporting across organizational functions.

The tools listed above can help enhance the aggregation of audit evidence whether for the client, auditor, or service provider. Oftentimes, the evidence is just a few clicks away.  
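As an added illustration of how the change-management control described earlier can be evidenced automatically from the data these tools already hold (this is example code written for this page, not code from the article's authors or from any vendor listed above), the script below runs a simple control test over a constructed export of merged pull requests. The record layout (number, author, merged_by, last_commit_at, merged_at, reviews) is an assumption modelled loosely on what Git hosting platforms expose, not an exact API schema, and the sample population is constructed, not real data.

```python
"""Automated ITGC change-management control test over a constructed
export of merged pull requests.

Added example for this page; not the article's or any vendor's code.
Record layout and field names are assumptions, not an exact API schema.
"""

from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Review:
    reviewer: str
    state: str                 # "APPROVED", "CHANGES_REQUESTED" or "COMMENTED"
    submitted_at: datetime


@dataclass
class PullRequest:
    number: int
    author: str
    merged_by: str             # who migrated the change to the main branch
    last_commit_at: datetime   # timestamp of the final commit on the branch
    merged_at: datetime
    reviews: list[Review] = field(default_factory=list)


def _ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp from the (assumed) export as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def evaluate(pr: PullRequest) -> list[str]:
    """Return the control exceptions for one merged change (empty = pass).

    Attributes tested, matching the change-management domain above:
      1. Independent approval: at least one APPROVED review by someone
         other than the author.
      2. Approval covers the final code: the latest independent approval
         post-dates the last commit, so code pushed after review is caught.
      3. Segregation of duties: the person who merged is not the author,
         i.e. unapproved staff cannot push their own change to production.
    """
    exceptions: list[str] = []
    approvals = [r for r in pr.reviews
                 if r.state == "APPROVED" and r.reviewer != pr.author]
    if not approvals:
        exceptions.append("no independent approval")
    elif max(a.submitted_at for a in approvals) < pr.last_commit_at:
        exceptions.append("approval predates final commit")
    if pr.merged_by == pr.author:
        exceptions.append("author merged own change (SoD)")
    return exceptions


def run_control_test(prs: list[PullRequest]) -> dict[int, list[str]]:
    """Map PR number -> list of exceptions for the whole population."""
    return {pr.number: evaluate(pr) for pr in prs}


# Constructed sample population (not real data); people are placeholders.
SAMPLE = [
    PullRequest(101, "alice", "bob",
                _ts("2024-05-02T10:00:00"), _ts("2024-05-02T12:00:00"),
                [Review("bob", "APPROVED", _ts("2024-05-02T11:00:00"))]),
    PullRequest(102, "carol", "carol",
                _ts("2024-05-03T09:00:00"), _ts("2024-05-03T09:05:00"),
                [Review("carol", "APPROVED", _ts("2024-05-03T09:01:00"))]),
    PullRequest(103, "dave", "erin",
                _ts("2024-05-04T16:00:00"), _ts("2024-05-04T17:00:00"),
                [Review("erin", "APPROVED", _ts("2024-05-04T15:00:00"))]),
    PullRequest(104, "frank", "frank",
                _ts("2024-05-05T08:00:00"), _ts("2024-05-05T08:30:00"),
                [Review("grace", "APPROVED", _ts("2024-05-05T08:10:00"))]),
]

if __name__ == "__main__":
    for number, exc in run_control_test(SAMPLE).items():
        print(number, "PASS" if not exc else "EXCEPTION: " + "; ".join(exc))
```

Running it marks PR 101 as passing and reports a named exception for each of the other three. In practice the population would come from the platform's API or from a Splunk or ServiceNow export, and the exception list becomes the list of deviations the auditor samples from, rather than a set of screenshots gathered by hand.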

Many firms have leveraged technology or governance, risk and compliance (“GRC”) platforms such as Workiva to simplify this evidence aggregation, since such platforms are user-friendly for auditors and auditees alike. Key advantages of this agile solution include automated tasks, workflows, dynamic reports and dashboards that support the planning, testing, reporting and monitoring of audit work. The collaborative workspace serves as a centralized audit tool that expedites collaboration, reporting and more.

Although SOX has been in force for just over two decades, public companies are still developing new strategies to complement their audit processes. Companies are often resistant to change and keep aggregating data for auditors the way they did before they were publicly traded. The perpetual shift in today's business environment shows that a robust foundation is essential: SOX demands close oversight of the data flows behind end-to-end checks and balances, and agile solutions are what let a company absorb that change while mitigating risk efficiently.


Gaini Umarov

Gaini Umarov is a Senior Manager in the firm. With over 10 years of experience in IT and business advisory services, Gaini leads the North East IT Risk, Data Privacy and Security Practice that is part of the overall Risk and Compliance Services (RCS) practice group.
