Business leaders have had to adopt technology at such a rapid rate that keeping effective IT controls in place has become a challenge. While technology tools and platforms can contribute to increased efficiency, they can also introduce more security threats, making your business susceptible to security breaches and the related consequences, such as significant revenue loss, a damaged brand reputation and even breach-related liabilities.
It’s important to have a comprehensive plan and sufficient staffing in place to proactively address security risks and bolster your controls. You can strengthen your SOX IT control environment by understanding your systems, knowing where your data is stored and specifically what data you store, and addressing turnover challenges.
Data management is a critical component of IT SOX controls. But as your system complexities grow and data volumes surge, having proper oversight of your data can become untenable.
This problem is compounded by the number of systems you’re relying on. On the surface, your organization may only have a few primary systems in place. But you could actually be pulling data from dozens of different systems and data sources.
If you don’t have a good grasp on the end-to-end flow of a financial transaction, you may not have a comprehensive understanding of the data you have and how it feeds into your systems. If you’re not digging deeper into those sources of information or effectively managing your different data sources, you could be overlooking data errors and inaccuracies, ultimately resulting in unreliable financial reporting, misrepresented financials and/or increased data security risk.
For example, if information stored in one internal system isn’t properly transferred over to another system, your organization could be working with flawed data, inadvertently misrepresenting your financial information.
Assessing your data strategy periodically (and in the event of leadership changes, corporate mergers or acquisitions and updated industry regulations) is essential to staying on top of data privacy and security. Consider:
Maintaining consistent visibility into your systems and data sources can help you rein in complexities and more effectively protect your data. A regular self-assessment can also help you proactively identify and remove data collections that you no longer need, offload systems that no longer serve you and eliminate data bottlenecks, redundancies, silos and process inefficiencies that cost your organization valuable time, muddy your financial reporting and bring added risk exposure.
If your organization contracts with third-party vendors, you know that, in addition to their many benefits, they can also expose your organization to significant risk. But are you monitoring how they treat your data as closely as you should?
While you may have assessed your third parties’ risk level prior to working with them, it’s likely that their risk level has shifted over time. One area where this is particularly evident is the way third-party data storage has shifted in recent years. Third-party financial data is increasingly stored in the cloud, which often limits your visibility into the data. You don’t have control over how it’s being leveraged, who is seeing it or whether it’s being properly protected.
Additionally, the ease with which different third-party vendors or internal teams can move to cloud software without IT involvement can create problems. For example, your accounting team could have signed up for a new piece of software, implemented it, and begun to store financially important data in it — all without anyone else knowing or being alerted to the new software.
To defend your organization against third-party risk, make sure you continuously identify new vendors that have been added to the organization and monitor your vendors throughout the duration of your contract. Consider:
Make sure you know the answers to these questions and then take the necessary steps to reduce risks where you can. Perform regular assessments, periodically refresh your incident response plan and ensure that your third parties only have access to your data on an as-needed basis, and that they only have the level of data access necessary to complete their purpose.
In today’s turnover-heavy economic climate, it’s not uncommon for individual employees, or even entire teams, to turn over in a matter of months — this can create a lot of chaos from an internal controls perspective. You can remediate this in three ways: document all processes and procedures, own your internal control narrative and set reminders in your information systems for team process responsibilities and obligations.
Whether you’re working with process narratives, flow charts, an internal control matrix or something else entirely, documentation is critical to conquering the turnover chaos. Without thorough documentation, there can be confusion over processes that a former employee managed, or there can be confusion over the former employee’s role itself.
A new hire stepping into a role without documented processes and procedures can face longer learning curves, causing the company inefficiencies as they have to “go it alone” in their on-the-job training. Additionally, this can cause the team member to lack understanding of how their individual role fits into the organization’s bigger picture and process. This disconnect can also contribute to greater inefficiencies, employee frustration and can potentially even perpetuate the turnover cycle.
Take steps to ease employee transition before it occurs. The better documented your controls are, the easier it is for someone new coming in to understand what the responsibility is and the information they need to execute it.
Too often, internal audit teams take ownership of the entirety of an organization’s controls. This can become problematic because the internal audit team members aren’t the ones performing the internal controls; the process owners are.
But if the process owners feel disconnected from the process and aren’t made aware that they have responsibilities within it, the internal controls easily fall through the cracks. And as time goes by and employee turnover occurs without any reinforcement of control ownership, you can easily end up in a finger-pointing match over where the responsibility lies.
Keeping process owners better engaged in the internal control narrative can help prevent this scenario from occurring. Establish a quarterly review process for process owners to revisit controls, pinpoint any recent changes and identify controls that no longer serve the organization. This quarterly self-assessment can help illuminate any process gaps, overlap or areas where ownership is unclear, allowing you to proactively address these problem areas before they become major issues.
Take full advantage of the workflow automation solutions, task delegation and notification capabilities within your information systems. Setting up automated reminders within your systems about process responsibilities and obligations is a great way to remind task owners of their action items and their deadlines. And when you contend with employee turnover, the person monitoring a former employee’s email will get the reminder — an effective way to bridge that turnover knowledge gap.
Keeping up with ever-changing technology demands can be difficult, especially if you’re also grappling with increased employee turnover and staffing shortages. In today’s increasingly complex IT space, keeping close tabs on your data, your third-party relationships and your process documentation are significant ways in which you can bolster your SOX IT control environment and minimize your risk.
Our team of experts can help you strengthen your IT control environment and build an effective SOX compliance protocol. Contact our SOX and internal audit experts to learn how you can enhance your business and face the future with confidence.