
Defining IT controls key to SOX compliance success

A CIO walks through her approach to SOX compliance, from automating management and controlling costs to defining IT controls and making sure they stick.

The success, or potential failure, of compliance with the Sarbanes-Oxley Act comes down to having the right security controls in place to ensure that financial data is accurate. Sharon Kaiser, CIO of Abiomed Inc., recently discussed the best practices she developed and the tools she relies on to automate SOX compliance and reduce SOX management costs.


Based in Danvers, Mass., Abiomed makes medical devices that sustain the heart during acute heart failure. Kaiser's IT staff of 10 is responsible for day-to-day IT operations, including management of the company's SAP AG ERP system and the IT controls around SOX compliance.

Did you develop a methodology to simplify SOX compliance?
Kaiser: I came in a little over three years ago now, right after they developed a lot of controls to help manage SOX compliance. They had 69 IT general controls that they were trying to manage to, and that IT was audited on. Last year, the controller and I were looking at information on the AS5 top-down risk-based approach. Using that, I was able to look at those 69 IT general controls and really look at what was key to Abiomed. What would make a difference to the timeliness and accuracy of our financial reporting? I was able to look at those controls and take them down to 12.

How did Abiomed decide which were the key SOX compliance controls for IT?
Kaiser: A lot of the controls that they had in place had nothing to do with financial reporting. They were things that a good IT department would normally do, like having data backups, a firewall. Things that come with standard processes within an IT department, but when you looked at whether they impacted the timeliness and accuracy of your financial statements? Many of them did not.

The key ones we kept were ones regarding security and change control -- being able to ensure that anything that went into the production system that could impact your financial statements had been reviewed and approved by the right people. If we had a new system going online, or a new module within SAP and there is a data conversion process, was there a high level of review by the business users, and did that confirm that the data was moved over properly? We really looked at what we wanted to manage as far as risk to the company. I think when the 69 controls were developed, it looked like they were checking off what was needed to run a good IT department, rather than being specific to Sarbanes-Oxley compliance.

Do you have advice for other people dealing with SOX compliance as far as risks they might be overlooking?
Kaiser: We focused on making sure we had the right security controls around not just SAP, but any system that could feed into the financials. Even things as minute as making sure our password security parameters were set the right way. Things like that may not seem like much, but they do help with managing the risk that someone could break into your company.

Approvals, too. Some companies don’t have a good grasp on the approval controls that they give to certain users. There’s excessive authorizations, where if they use those authorizations, they could do some damage not even knowing what they’re doing in the systems. One of the things we’ve done is, every quarter, we require that the functional owners of an area look at all the people that have authorizations in that functional area and make sure they have appropriate roles. We also require three end users to review and approve each [change] request before it’s moved into the production environment.

How do you gear up for a SOX compliance audit? What is the first step?
Kaiser: Defining what you’re going to be auditing. Now we have these 12 controls defined with the help of our internal auditor McGladrey [Inc.] and [external auditor] Deloitte. At the beginning of each year, we review controls to make sure they are still the ones we want to manage to, or if the business has changed, is there another risk that we need to add in. The next thing the auditor does is give us test samples they want for all controls. A list of people terminated, for example. When their access was terminated, and from that list they’ll take a sampling to make sure access [to the systems] was removed.

What tools are you using to help automate the compliance process?
Kaiser: We bought ControlPanelGRC from SymSoft [Corp.]. It has 10 modules, and we used a couple of them right away when we implemented SAP. Having to have three business owners approve any change to the SAP system used to be a long paper process. Now it is routed online to 10 functional owners on a board and three of them review and approve it. Then it’s sent to me for a final technical approval and it’s provisioned into SAP.

How does the technology help uncover potential SOX compliance risks?
Kaiser: One of the roles [within SAP] is materials movement. That role gives someone access to all of the material codes in SAP, and they can do anything they want. We found out people didn't understand the difference between all these different codes, and they just put any code in. What would happen is, when it got down into the finance world, it would be in totally different accounts. Something may have been scrapped when it should not have been. The benefit for finance was that instead of making adjustments to correct the books to where they needed to be, now our inventory was stable. Everyone is doing just what they are supposed to do. We are not required to do physical inventories every month now, and that used to be pretty costly.


How else have you kept costs manageable when dealing with SOX?
Kaiser: More efficiencies. I haven't taken work away; I've just been able to move people to more high-value work. My manager of applications works a lot with the auditors. He had to produce a segregation-of-duties list every quarter. He would create these binders for the functional owners, then send them out and follow up. Sometimes someone would lose the binder. Now with the tool, documents are created and, through workflow, they're sent to the functional owners online. I can go online and see who has not reviewed quarterly reports yet and say, "Hey, you're the last holdout." It cuts the review process back from five months to two to three weeks.

What advice would you give another CIO approaching SOX compliance for the first time?
Kaiser: The biggest thing I learned is you need to really sit back and think about what your controls should be very early on. What risks do you want to manage, what controls will help you manage them, and how will you test against those controls? What it comes down to is that you will be audited on your controls.

In a company of our size, you need to remember that people, not just in IT, but in finance, wear many hats, so you need the right checks and balances there also.

How do you make sure your staff stays on top of SOX compliance?
Kaiser: I sit down every year with the staff and make sure they are familiar with the controls. It isn’t me that terminates the controls of an employee within 24 hours, it’s my help desk people. If they’re busy and don’t get to it, that may be the sampling that the auditors decide to take.

Let us know what you think about the story; email Christina Torode, News Director.
