How to achieve ITGC automation

Company type: Public Fortune 500

Industry: Food Retail

Primary ERP systems: Oracle E-Business Suite and Oracle ERP Cloud

Operating across 100 plus countries, our Fortune 500 customer faced the difficult task of aligning its IT controls with the Sarbanes-Oxley Act (SOX) IT General Controls (ITGC) requirements. With a complex IT infrastructure comprising on-premise ERP systems, cloud platforms, and numerous applications, achieving compliance presented significant hurdles.

How they did it

Step-by-step

Step 1. Assessment and Gap Analysis

In the project’s initial phase, the organization conducted a thorough assessment and gap analysis of its IT environment. This encompassed evaluating roles and responsibilities within systems like Oracle E-Business Suite and Oracle ERP Cloud, pinpointing conflicts in the segregation of duties, and fully understanding the complexities of the IT landscape. Notably, the lack of visibility into fine-grained access privileges was a critical challenge.

To further reduce access risk, the organization implemented continuous monitoring that went beyond roles and responsibilities to include monitoring configuration and master data changes. This involved examining key configurations like General Ledger setups and master data elements like fixed assets. By assessing these components alongside access controls, the organization gained a comprehensive understanding of its compliance landscape.

Step 2. Remediation and Implementation

Following the assessment, the organization began a remediation and control monitoring implementation effort to address the identified gaps in ITGC controls. This multi-tiered approach involved redesigning role-based access controls, instituting stricter access policies, and bolstering change management processes. The objective was to ensure that access privileges were aligned with SOX compliance standards and that any potential conflicts in the segregation of duties were mitigated effectively with continuous control monitoring.

One notable challenge during this phase was integrating these changes across various IT systems. With a diverse IT landscape, including on-premise ERP systems and cloud platforms, ensuring implementation without disrupting business operations was crucial. Documenting these changes and ensuring they met SOX compliance standards required coordination across different teams within the organization.

Step 3. Testing and Validation

With the enhanced controls and continuous monitoring, the organization shifted its focus to testing and validation to ensure control effectiveness. This involved conducting thorough audits of access controls and change management processes. Additionally, they simulated security breach scenarios to assess the resilience of the controls in real-world scenarios.

Challenges surfaced during this phase, particularly in devising strong testing methodologies encompassing all critical ITGC control areas. Additionally, addressing identified deficiencies in access controls required careful planning and coordination across different departments. To provide further context, the organization implemented daily and monthly processes for monitoring changes in configurations and master data. This approach mitigated access risks and enabled the timely detection and resolution of unauthorized changes, strengthening the overall control framework.

Step 4. Sustainment and Ongoing Compliance

Achieving and maintaining ongoing compliance with SOX ITGC requirements is a continuous effort beyond the initial implementation phase. It requires building processes for continuous monitoring, periodic reviews, and adaptive adjustments to address changes in the business environment or regulatory requirements.

During this phase, it is common to face challenges in maintaining the effectiveness of control measures over time and adapting to changing risks and regulatory requirements. Continuous monitoring and updates are essential to ensure that audit control documentation remains accurate and up-to-date.

To effectively sustain compliance efforts, the organization implemented a proactive approach involving monthly reconciliation processes to validate changes against requested key configurations and master data. The organization also ensures its control frameworks remain strong and aligned with regulatory standards by conducting periodic reviews and assessments.

Monitoring controls is crucial to quickly detecting and addressing audit policy violations. Automated monitoring solutions can help organizations stay vigilant and proactive in mitigating risks.

Furthermore, adaptive adjustments are crucial to respond to changes in the business landscape or regulatory requirements. This may involve refining existing controls, implementing new controls, or updating control documentation.

Sustaining ongoing compliance with SOX ITGC requirements requires a proactive and adaptive approach. By establishing robust monitoring processes, conducting periodic reviews, and making adaptive adjustments, the organization can ensure its control framework remains effective and compliant in the face of evolving risks and regulatory changes.

Step 5. Outcomes

1. Risk Mitigation: Real-time monitoring of changes empowered the organization to mitigate risks associated with elevated access during transformation. Coordination with internal units and auditors ensured compliance amidst dynamic changes.

2. Cost Reduction: Automating monitoring processes significantly reduced reliance on third-party IT and audit outsourcing, leading to cost savings while providing a comprehensive view of changes.

3. Agility: Enhanced monitoring capabilities facilitated swift responses to risks, fostering organizational agility and preventing issues from escalating to significant deficiencies.

Our customer achieved alignment with ITGC SOX requirements through careful assessment, targeted remediation efforts, rigorous testing, and ongoing monitoring measures. This helped them mitigate risks, reduce costs, and enhance agility and underscored the significance of continuous monitoring and adaptation while navigating the complexities of regulatory compliance in a dynamic global landscape.