Pop quiz—What happens when you combine a massive corporation with some misled regulators, cooked books, and faked holdings?
Answer—You wind up with the exact circumstances that led to the creation of the Sarbanes-Oxley Act (SOX) of 2002.
In the early 2000’s, the financial world was rocked by a number of major scandals. Names like Enron, Tyco, and WorldCom dominated the newscycle, and sent investors and analysts reeling. The resultant reforms of corporate financial practices led to the establishment of SOX which must be followed by all publicly traded companies. So If you are an InfoSec Compliance leader hearing murmurings of an upcoming IPO, which means that your company will soon be complying with SOX, what does that imply for you and your Compliance team?
It means that SOX ITGC Compliance needs to be on your radar NOW.
While SOX is hyper-focused on financial propriety, the need for compliance penetrates other business areas as well. SOX IT General Controls (ITGC) refers to a list of controls that demonstrate that your IT department provides and implements the necessary measures required to be compliant with SOX. ITGC ensures that IT and security activities are well managed and governed, according to the policies and procedures approved by management and industry best practices.
Becoming compliant with ITGC takes about 2-3 months, and since financial statements are issued every quarter, you will need to perform this audit four times per year. While it's not mandatory, your company may be contractually obligated to meet ITGC in some cases. And even when an organization is not required to adhere to SOX, many companies opt to perform ITGC as a standalone exercise to demonstrate corporate maturity.
Reaching new milestones is exciting; but if you're a hyper-growth company, you're constantly facing new hurdles that weren’t relevant when no one was looking over your shoulder (or into your books). Entering the public sphere brings with it the daunting challenge of meeting necessary InfoSec and IT Compliance frameworks. If you’ve operated “on the fly” and taken a “we’ll figure it out as we go” approach in the past, you may have a rude awakening when it comes to meeting ITGC requirements.
Compliance with ITGC is not quick, easy, or inexpensive and a manual approach to meeting Compliance requirements opens the door to human error. In an environment where even the smallest mistake can have dire consequences for the company and its directors, SOX ITGC is one area where you want to get it right the first time, and every time.
As companies grow, the old “independent project” approach to meeting Compliance requirements begins to show its limitations. In an environment experiencing an increase of tools, platforms, and requirements, the previous ad-hoc approach isn't enough to support the complexity of these rapidly changing environments. The end result is that maintaining current Compliance frameworks and meeting new ones becomes one huge hurdle.
The key to optimally meeting SOX ITGC is with a comprehensive Compliance Program led by automation.
Compliance automation is the key to helping hyper-growth companies scale Compliance requirements as they grow and expand. Automating processes such as evidence collection, policy approvals, framework cross-mapping, and tool-to-control mapping is the optimal way to be continuously prepared for audits and to eliminate reliance on outside stakeholders.