Step 2: Scope of compliance

About Compliance School

In Compliance School, guest instructor Richard Mackey shows you exactly what you need to do to meet regulations' ongoing demands and arms you with actionable items to ensure your business remains continuously compliant. Best of all you can attend any of the following on-demand lessons when it's most convenient for you:

One of the most critical steps in defining the requirements for SOX compliance is determining the IT systems and services that must be secured and audited. There is a tendency for systems and activities required for compliance to "grow to the size of their environment." Organizations need to resist this tendency.

The most straightforward approach to limiting scope is to define bounds based on the following:

  • The financial applications involved in reporting, modifying financial state or feeding information to reporting systems
  • The underlying systems and services (e.g., databases, operating systems, network authentication systems, administrative tools) that support the financial systems and applications
  • The monitoring and auditing systems designed to track use and misuse of systems and applications

Note that this list does not typically include electronic commerce systems or the general production systems of an enterprise. Unfortunately, with the success of Enterprise Resource Planning (ERP), the compliance line is not so easy to draw. ERP systems integrate order processing, fulfilment and finance in a way that makes clean separation of financial systems more difficult. Organizations need to analyze the interfaces of such systems and assess the opportunities for errors and fraud.

Armed with a focused list of financial processes, the IT organization needs to identify the critical applications and systems that comprise the compliance environment. IT then needs to work with business representatives to conduct a risk assessment to identify which systems depend largely on technical rather than business process controls. The risk assessment can help narrow the scope significantly, particularly if business checks and balances mitigate the risk that technical weaknesses could be exploited to commit fraud. Cooperation between business and technical groups is critical in defining the scope of compliance.

This was last published in February 2006

Dig Deeper on Security audit, compliance and standards