SmartCompany

 

SOX Section 404: What Does It Mean? What Should You Do?

Some companies may be reluctant to invest the time and money now in a problem that doesn't have to be dealt with for two years. But a prudent course of action would be to understand the critical focus areas of a Section 404 audit, and begin a planned, measured course of correction for potential deficiencies well before a looming deadline damages the quality of the process.

Obvious attention is required for the systems development and maintenance of financially significant applications (FSA). However, companies cannot focus just on applications, because changes to infrastructure components such as servers and networks also fall under SOX 404 inspection. Investing now to institute internal controls to the satisfaction of your auditors will save the time, money and manpower that would otherwise be needed later if a company is found to have material weaknesses when its required SOX compliance audit is carried out.

This early analysis may unveil a commonly held misconception: that the first step in the audit process is to automate all internal controls. This is simply not the case. While automation is certainly one step on the road to compliance, it's often not the first step. For many businesses of your size, it is beneficial to consider the larger picture and alter only the processes for those functions that affect financials. Often the first wave of these controls can be accomplished manually and refined as needed during audit testing and verification activities.

Once this is done, you are ready to take the plunge into automation. Solutions are available that track key aspects of the Systems Delivery Life Cycle (SDLC) and IT production environment. The integration of traditional change management solutions with configuration management tools is rapidly becoming an area of focus for software vendors and service providers.

Many of these solutions can be customized to suit the particular needs of your business and automatically document and track the flow of information and approvals throughout the SDLC. If a change to the production environment is needed, these solutions ensure that control processes are enforced and an audit trail is documented from start to finish. This allows businesses to rest easy, knowing that their production environments and IT processes and controls are secure and compliant without relying on inefficient paper-based systems.

Spend Now, Save Later

The SEC's decision to delay SOX compliance for businesses of your size should not be seen as a get-out-of-jail-free card. Rather, it should be seen as a chance to begin implementing the necessary steps to lessen this onerous burden, while at the same time implementing financial controls and better-practice disciplines that will improve the effectiveness of the IT organization. Businesses of your size should heed the struggles of your larger counterparts and begin putting the pieces for an audit in place now and tightening up your day-to-day IT processes.


John Lerch is the chief operating officer of Change Dynamics, a company focused on implementing solutions for improved IT processes and controls.