SOx: Leveraging and Rationalizing IT General Controls
Challenge: IT general controls requirements for Sarbanes-Oxley (SOx) compliance were established early and revised only slightly over the years. Stakeholders, including IT management, internal audit, external audit and financial management, did not recognize that the extensive list of IT control requirements and first-generation IT control approaches could be reduced, particularly in light of regulatory revisions to the initial SOx standards (PCAOB Auditing Standard 5).
Solution: Leveraging their Big Four IT audit expertise, GAP Resources' consultants reviewed the IT general controls to ensure that the controls align with material risks, using a top-down approach that starts at the financial statement level. The reviews, conducted annually over several years, identified IT controls that had been included in the SOx program to ensure operational compliance but were not necessary in the formal SOx testing program. At the same time, certain control procedures that had been reviewed only on an annual basis were expanded into ongoing quality assurance processes, refocusing compliance resources while reducing the time allocated to SOx testing. GAP Resources was able to effectively advocate for changes to the controls structure, a successful approach based on our consultants’ Big Four backgrounds.
Benefits: GAP Resources' work improved the connection between SOx IT controls and financial controls, created a more efficient IT control structure and resulted in an overall reduction in control testing. Compliance resources were freed up to address other IT security and control initiatives.
