10 Tips for Managing 404 Compliance

Even private companies may have to comply with Section 404 of Sarbanes-Oxley, writes CIO Update guest columnist Diane Wolff of The Blue Sage Group.

Originally published at Internet.com


It has been almost one year since the Securities and Exchange Commission implemented Section 404 of the Sarbanes-Oxley Act (SOX). To many of you, compliance with this act means adding new 404 projects to your already overloaded schedules.

Furthermore, many of these projects, which involve review, documentation and testing of the procedures and controls, are redundant to the work you do each day to ensure your IT infrastructure is meeting business requirements.

Compliance with SOX, including Section 404, is required of both public companies and public accounting firms. While the company is required to document, evaluate, test and report on the controls over financial reporting, the public accounting firms are required to perform their own evaluation and testing of the controls, and they must also review and evaluate the company's 404 documentation, testing and reporting. This means that an IT department will have to satisfy multiple requirements and participate in at least two separate audits.

Sound complicated? It is.

Even if you are not a public company CIO, you still may not be free of the requirements of Section 404. SOX is a broad set of regulations put in place to govern public companies and public accounting firms. The SEC created the PCAOB (Public Company Accounting Oversight Board) to govern and manage public accounting firms. New PCAOB standards apply to all areas of public accounting and range from SOX compliance to general audit practices.

This means that if you are managing an IT department in a private company that is audited annually, you may have to meet IT standards that were determined as a result of Section 404 audits.

How many of you have heard of the term "integrated audit"? This is an audit that integrates internal controls auditing into the standard audit procedures. A key component of an integrated audit is the review of IT general controls.

The review process for IT general controls involves documentation, evaluation and testing of IT controls. For public companies this typically takes place during the 404 process, but for private companies it will take place during the year-end audit.

Simplifying the Situation

In either case you will need to manage multiple requests to enhance IT documentation, provide documentation in specific formats, change your operating procedures and endure testing by multiple parties.

How do you avoid the costly task of reproducing documentation in multiple forms and formats, and clearly link business units to their understanding of, and roles in, SOX compliance? Here are 10 ways to ensure you won't be lost in the translation:

Get educated. Ask your finance team to facilitate a meeting with your public company accountants so they can provide insights into IT general controls. In addition, many materials specializing in SOX 404 for IT are available on the Internet, from sources such as public accounting firms and ISACA.

Make sure you're all on the same page. Be sure your team understands how SOX fits into the IT environment. You should make sure the IT group is involved from the beginning of the project and is updated and included in the review of business processes that rely on IT systems and infrastructure.

Be sure to leverage documentation you have in place. For example, many pharmaceutical and manufacturing companies already have to comply with federal regulations and many are ISO 9000 certified. It is important that IT departments leverage existing procedures, policies, and documentation in their SOX programs.

Be sure you design your program to fit your business needs. Don't adapt what you do to fit a generic set of best practices. Your IT SOX 404 program should be tailored to your business requirements.

Be sure to hire advisors that understand both IT management and SOX 404. Many CPA firms are experts in accounting, auditing and SOX but have never managed an IT department, and many companies require front-line expertise to determine what makes sense for the company. There is a significant amount of translation required to convert accounting practices into terms and actions that can be implemented by the IT department.

Inform the executive team. Be sure the executive team understands what IT does and how they fit into the program. The CIO or counterpart should be part of the SOX steering committee.

Modify your standardized procedures. Ensure that all business units follow standardized procedures for evaluating, documenting and implementing controls. But keep in mind that processes may vary from business to business. Develop procedures for identifying and describing why some IT controls vary from unit to unit, and have a methodology for standardizing controls where it makes sense.

Don't try to take on too much at once. Complying with SOX 404 is a daunting task for many IT organizations. Prioritize and work on the critical issues that may lead to your company failing its 404 attestation. Some best practices may have to wait a year.

Get feedback early in the process. Share your program plans with your SOX PMO and accounting firms to ensure you are on the right path. Review proposed procedure changes prior to implementation to ensure your changes will meet the requirements.

Stay flexible. The rules are still changing and will continue to evolve over time. Keep focused on what is best to ensure your IT group is focused on safeguarding company assets, maintaining data integrity, and providing the business with the infrastructure it needs to increase shareholder value.

SOX 404 compliance is as complicated as creating sustainable network architecture, but you don't have to be lost in the SOX translation nightmare that plagued many companies in 2004.

A well-designed network architecture requires vision, expertise, planning and execution. If you are currently wondering how an IT general control varies from any other control, step back and don't be afraid to ask questions, seek advice and get help from an interpreter that speaks both languages.

Diane Wolff is president and founder of The Blue Sage Group. She is a former CFO with more than 18 years of financial and operations experience that spans multiple industries including life sciences, high technology, telecommunications and professional services.

Author: Diane Wolff
