By Brian Mitchell, JPMorgan
Why has SOX become such a technology burden?
In year one, SOX was a burden for all. The business had to define all of the key controls associated with financial reporting, and it had to identify the key systems on which it depends to support those controls. Meanwhile, the technology group applied a typical general computing controls assessment to those systems. In subsequent years, the situation has not improved for IT controls.

In year two, businesses gathered feedback and streamlined the financial controls, which reduced the SOX burden. However, the number of technology systems that needed to be assessed remained roughly the same, even though technology teams attempted a streamlining exercise similar to the one the business had carried out.
In year three, a similar streamlining exercise occurred again, with both the business and technology attempting to rationalize their respective controls. But the scope of the technology controls does not appear to have been reduced in line with the business controls. In fact, technology scope appears to be growing, because the typical general computing controls, which are designed to prove the integrity of production processing environments, continue to expand to include security-related areas as awareness grows of additional risks that affect technology (for example, patch and virus management).
Now, with security monitoring included in assessments, the function of general computing controls has expanded beyond the "traditional" technology controls of systems development lifecycle, change management and access administration.
In order to rein in the expanding world of "general computing controls," we have to get back to reality and ensure that SOX remains true to its original purpose: Financial Control.