SOX Compliance IT Checklist

1. 1. Has the organization conducted an organizational risk assessment and made updates to reflect changes in its risk profile and tolerance?

2. 2. Have internal control owners and champions been identified?

3. 3. Have any new technologies used to manage the business been identified?

4. 4. Have in-scope processes and high-risk areas been identified?

5. 5. Have control owners been educated on minimum expectations, consistency, etc.?

1. 1. Have IT systems been assessed, and have controls been ensured to maintain a reliable IT environment supporting financial reporting requirements?

2. 2. Have processes and internal controls been documented and communicated to others in the organization?

3. 3. Has the organization understood ineffective controls discovered in the risk assessment and updated or created controls as necessary?

4. 4. Has buy-in from management been obtained to reduce the risk of controls being overridden?

5. 5. Have temporary and permanent changes in the control environment resulting from changes to operating conditions been identified?

6. 6. Has the consistent design of internal controls been validated, deficiencies identified, and the root cause of those deficiencies isolated?

7. 7. Have monitoring and evaluation techniques been deployed to assess where things may have gone wrong?

1. 1. Have team members and subject-matter experts worked together to develop meaningful, actionable risk management practices?

2. 2. Have deficiencies identified as a result of recent monitoring activities been remediated?

3. 3. Have risk management practices been deployed in a clear, deliberate fashion so the organization can work toward a common goal: better risk management?

4. 4. Have updated control practices been applied to ensure the reliability of information coming from IT systems, along with clearly documented procedures to validate the system output reliability?

5. 5. Have periods of time where internal controls may not have been effective been identified, noting the starting period where newly implemented and corrected controls are in place, and ensuring all involved have a clear understanding of the requirements to maintain effectiveness?

6. 6. Have controls been ensured to be designed to do what they’re supposed to do and that they’re functioning properly?

1. 1. Have disclosure controls and procedures been updated for material information related to market, credit, and liquidity risks?

2. 2. Have all internal control activities been verified for effectiveness?

3. 3. Has the focus shifted to controls ensuring financial information presentation and disclosure is complete, accurate, and fairly presented in accordance with U.S. GAAP?

4. 4. If necessary, have subject-matter experts and advisors been consulted on the final application of business environment changes and how those should appear in financial reports?