Compliance School

Step 2: Scope of compliance

About Compliance School

In Compliance School, guest instructor Richard Mackey shows you exactly what you need to do to meet regulations' ongoing demands and arms you with actionable items to ensure your business remains continuously compliant. Best of all you can attend any of the following on-demand lessons when it's most convenient for you:

Ensuring compliance across the extended enterprise

Compliance improvement: Get better as you go forward  

Gauging your SOX progress  

SOX compliance basics: Taking Action   

Understanding
compliance-related technology
One of the most critical steps in defining the requirements for SOX compliance is determining the IT systems and services that must be secured and audited. There is a tendency for systems and activities required for compliance to "grow to the size of their environment." Organizations need to resist this tendency.

The most straightforward approach to limiting scope is to define bounds based on the following:

  • The financial applications involved in reporting, modifying financial state or feeding information to reporting systems
  • The underlying systems and services (e.g., databases, operating systems, network authentication systems, administrative tools) that support the financial systems and applications
  • The monitoring and auditing systems designed to track use and misuse of systems and applications
Note that this list does not typically include electronic commerce systems or the general production systems of an enterprise. Unfortunately, with the success of Enterprise Resource Planning (ERP), the compliance line is not so easy to draw. ERP systems integrate order processing, fulfilment and finance in a way that makes clean separation of financial systems more difficult. Organizations need to analyze the interfaces of such systems and assess the opportunities for errors and fraud.

Armed with a focused list of financial processes, the IT organization needs to identify the critical applications and systems that comprise the compliance environment. IT then needs to work with business representatives to conduct a risk assessment to identify which systems depend largely on technical rather than business process controls. The risk assessment can help narrow the scope significantly, particularly if business checks and balances mitigate the risk that technical weaknesses could be exploited to commit fraud. Cooperation between business and technical groups is critical in defining the scope of compliance.



Home: Introduction
Step 1: Understanding compliance -- Financial and technical standards
Step 2: Scope of compliance
Step 3: Establishing an IT Control Framework
Step 4: Detailed objectives and policies
Step 5: Measuring compliance
Step 6: Managing and tracking compliance
Step 7: The changing nature of compliance

This was first published in February 2006

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.
    Back to top