SOX Compliance and ITGC - alishahbaz/ChangeManagement_Basics GitHub Wiki

SOX Compliance and IT Change Management

Purpose of the Session

  • Explain what auditors do, focusing on compliance testing, especially SOX compliance (Sarbanes-Oxley Act).
  • Discuss SOX compliance in relation to IT Change Management General Controls.
  • Present information in a straightforward, jargon-free manner to improve understanding of SOX compliance.

Background

  • Works as a Technology Risk Consultant
  • IT Auditor for financial statement audits and technology auditing of public companies.
  • Passed ISACA CRISC and CISA exams.

Disclaimer

  • Discussion reflects individual opinions and experience-based learnings.
  • All shared information is publicly available on the internet.
  • Goal is to simplify complex concepts.
  • Focuses primarily on IT Change Management.

IT Change Management: Definition and Importance

  • A change is any modification to a system environment that impacts its function.
  • Changes bring both risks and opportunities.
  • Change management ensures that all changes are controlled and authorized.
  • Prevents unauthorized or unmanaged changes that could disrupt critical processes (e.g., payroll).
  • IT General Controls (ITGC), including change management, minimize risks.

Change Management as a General Control

  • Applies to every application, regardless of its specific function (e.g., Oracle, SAP).
  • Principles remain the same across different systems.
  • Plays a role in service management (incident resolution, patch deployment, configuration changes).
  • Ensures accountability (who made changes and who is responsible).
  • Auditors verify ITGC controls using change control logs and artifacts.

SOX Compliance Overview

  • SOX = Sarbanes-Oxley Act of 2002.
  • Applies to publicly listed companies in the US.
  • Enacted in response to financial frauds in the early 2000s.
  • Aims to ensure accurate financial records and strong internal controls.
  • Requires independent auditors to assess financial records and report findings.
  • Core objectives:
    • Maintain accurate financial records.
    • Prevent fraud through strong internal controls.
    • Obtain independent assessments of financial reporting.
  • Ensures transparency between organizations and shareholders.

SOX 404

  • Key provision for IT auditing.
  • Requires company management to review systems and controls for financial accuracy.
  • Mandates internal/external auditor verification.
  • Ensures management claims about strong controls are validated.

Link Between Change Management and SOX Compliance

  • SOX compliance is focused on financial systems.
  • IT applications (SAP, Oracle, NetSuite) generate financial data.
  • Unmanaged changes can corrupt financial records (e.g., incorrect depreciation formula).
  • Poor change management undermines financial statement reliability.
  • Proper change management ensures financial data integrity and investor confidence.

Key Components of a Change Management Process

  • Tailored to organization’s goals and objectives.
  • Basic components:
    • Change request: Formal documentation of modifications.
    • Risk assessment: Identifies potential impact on the organization.
    • Business case: Cost-benefit analysis.
    • Approval process: Requires stakeholder authorization.
    • Testing: Conducted and documented in a change ticket.
    • Approval of test results: Necessary before production deployment.
    • Segregation of duties: The person testing/approving should not deploy changes.

Risks Associated with Change Management

  • Unauthorized changes may impact payroll and financial statements.
  • Lack of testing and poor communication.
  • Auditors require testing evidence; verbal assurances are insufficient.
  • Documentation gaps create audit challenges.
  • Auditors compare Requests for Change (RFCs) with implemented changes.
  • Tools like ServiceNow help track change management.

High-Level Steps in Change Management Process

  1. Research: Document business case.
  2. Change request form (RFC): Initiates process.
  3. Approval: Pre-testing authorization.
  4. Testing: Conducted in non-production environments.
  5. Documentation: Record test results.
  6. Secondary approvals: Based on test results.
  7. Deployment: Change moved to production.
  8. Post-implementation review: Evaluates success.
  9. Change review control: A monthly review of implemented changes can act as a compensating control.
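The control attributes the components, risks and steps above describe (pre-testing approval, documented and approved test results, segregation of duties between tester/approver and deployer, approval before deployment, and reconciling RFCs against what actually reached production) can be tested mechanically over change tickets. This is an added example, not code from the session or the wiki; the ticket field names and the sample tickets and deployment log are constructed assumptions, not a ServiceNow schema.

```python
"""Control checks over change tickets (added example; constructed data,
field names are assumptions, not a ServiceNow or audit-firm schema)."""
from datetime import datetime

# Constructed change tickets, one per RFC. CHG-1002 is deliberately deficient.
TICKETS = [
    {"rfc": "CHG-1001", "approver": "bob", "tester": "carol",
     "test_evidence": "tests/CHG-1001.pdf", "test_approved_by": "bob",
     "deployer": "dave", "approved_at": "2024-03-01T09:00",
     "deployed_at": "2024-03-02T18:00"},
    {"rfc": "CHG-1002", "approver": "bob", "tester": "dave",
     "test_evidence": "", "test_approved_by": "",
     "deployer": "dave", "approved_at": "2024-03-05T09:00",
     "deployed_at": "2024-03-04T18:00"},
]

# Constructed production deployment log: RFC ids the release tool recorded.
DEPLOY_LOG = ["CHG-1001", "CHG-1002", "CHG-1003"]


def check_ticket(t):
    """Return the control exceptions for one ticket (empty list = clean)."""
    findings = []
    if not t.get("approver"):
        findings.append("no pre-testing approval")
    if not t.get("test_evidence"):
        findings.append("no documented test results")
    if not t.get("test_approved_by"):
        findings.append("test results not approved before deployment")
    # Segregation of duties: the tester/approver must not deploy the change.
    if t["deployer"] in (t.get("tester"), t.get("approver")):
        findings.append("segregation of duties: deployer also tested or approved")
    approved = datetime.fromisoformat(t["approved_at"])
    deployed = datetime.fromisoformat(t["deployed_at"])
    if deployed < approved:
        findings.append("deployed before approval")
    return findings


def unauthorized_changes(tickets, deploy_log):
    """RFC ids seen in production that have no change ticket at all."""
    known = {t["rfc"] for t in tickets}
    return sorted(c for c in deploy_log if c not in known)


def audit(tickets, deploy_log):
    """Map each RFC to its exceptions, including deployments lacking an RFC."""
    report = {t["rfc"]: check_ticket(t) for t in tickets}
    for c in unauthorized_changes(tickets, deploy_log):
        report[c] = ["deployed without an RFC (unauthorized change)"]
    return report


if __name__ == "__main__":
    for rfc, issues in audit(TICKETS, DEPLOY_LOG).items():
        print(rfc, "OK" if not issues else "; ".join(issues))
```

Every exception the script prints is the kind of documentation gap an auditor would raise against the ticket, and the RFC-versus-deployment reconciliation is the check that surfaces unauthorized changes.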

Auditing the Change Management Process

Initial Steps:

  • Understand management’s implemented controls (change management or review process).
  • Controls mitigate risks to acceptable levels.
  • Audit assesses:
    • Design effectiveness: Properly designed to address risks?
    • Operating effectiveness: Functioning as intended?

Assessing Design and Operating Effectiveness (Analogy)

  • Design effectiveness: Are the right steps identified?
  • Operating effectiveness: Are the steps followed properly?
  • Example: If stairs are too far apart, they technically lead downward (design) but are ineffective for users (operation).

Initiating a Change Management Audit

  • Change management is usually part of a broader IT audit.
  • Steps:
    1. Define audit objectives (e.g., SOX compliance).
    2. Develop an audit plan.
    3. Identify in-scope applications affecting financial records.
    4. Assemble an audit team with relevant expertise.
    5. Communicate audit scope and objectives to management.
    6. Conduct walkthroughs with process stakeholders.
    7. Observe change management process and collect documentation.
    8. Assess design and operating effectiveness.

Testing of Controls

  • Sample testing based on audit period.
  • Example: From 1,500 changes, auditors select 25 to verify process compliance.
  • Determines if controls are functioning effectively.

Audit Report

  • Includes:
    • In-scope applications.
    • Description of reviewed changes.
    • Audit objectives.
    • Control-related findings.
    • Auditor’s opinion.
  • External auditors provide evaluations, not recommendations.

Critical Phase in an Audit

  • Understanding the audit scope is crucial.
  • Missing applications can lead to incomplete findings.
  • Even a single critical application must be included in the audit scope.
  • Early identification of in-scope applications is essential.
  • Failure in change management for a critical system can impact financial statements.

Handling Conflicts During an Audit

  • Conflicts arise when discussing exceptions or findings.
  • Auditors should:
    • Avoid framing issues as faults.
    • Communicate observations and expectations transparently.
    • Understand management’s explanations before concluding.
    • Explain risks associated with issues calmly.
    • Maintain independence while fostering understanding.

Content of an Audit Report

  • Typically includes:
    • In-scope applications.
    • Nature of changes reviewed.
    • Audit objectives.
    • Findings on controls.
    • Auditor’s independent opinion.
  • External auditors do not provide recommendations.

Final Advice for Auditors

  • Ask questions to fully understand the process.
  • Be aware of potential miscommunication between audit teams and clients.
  • Ensure test attributes for change management are detailed and relevant.
  • If test attributes do not address identified risks, the audit is ineffective.

Call to Action and Mentoring

  • Feedback on the session is encouraged.
  • Viewers can suggest future topics.
  • Chinma Kar credits previous podcasts with helping shape his professional identity.
  • Chinma believes anyone can succeed with effort and encourages a growth mindset.
  • Offers mentoring on a non-profit basis (responses may be delayed).
  • Viewers are encouraged to subscribe and click the bell icon for future content.