Case Study: Document Processes and Define Controls for SOX Compliance

Client: Global Advertising Firm

Function: IT Department

Project: Document Processes and Define Controls for SOX Compliance

The Challenge

A global advertising holding company required the IT departments of its operating companies to become compliant with Section 404 of the Sarbanes-Oxley regulations. The company issued a set of 34 control points, each of which fell into one of four categories: 1) IT Policies and Procedures; 2) Data Processing and Backup; 3) Physical and System Security; and 4) Systems Development Support and Maintenance. Each office was required to document proof of compliance for each of the 34 controls.

Intellilink was requested to document current processes and procedures, accumulate evidence for each control, and prepare a compliance update report for the New York and Corporate offices of a global advertising agency.

The Solution

Intellilink managed a four-person client team to document processes and procedures for its 14 different financial systems, gather evidence for each control, liaise with third parties, and design and implement new processes.

Process Analysis and Documentation

The first task was to document and analyze the current Corporate and New York office financial systems processes. Intellilink interviewed system owners and managers and documented system transactions, access control, and system support procedures.

Policy Development

Intellilink worked closely with the Global Chief Information Officer to develop and implement an Employee Information Technology Policy and IT Usage Guidelines based on the parent company policy manual. Intellilink coordinated policy development with global Technology Directors. The employee policy will be pushed out to and signed by all agency employees. The Usage Guidelines, which provide clarification on the IT policy, will be posted to the company intranet and disseminated to the HR departments.

Change Management

Intellilink helped the Corporate and New York offices develop and implement new processes to become Sarbanes-Oxley compliant. New processes included: monthly meetings with the Corporate Controller and NY Local Finance Director to communicate IT infrastructure and system issues; manual password change procedures for some of the agency’s financial systems; Corporate and Local office systems and server risk assessment; and communication of employee IT policy.

Intellilink developed a Compliance Plan to spell out the action steps required for the Corporate and New York offices to become compliant. New processes will be implemented over time. The agency will update processes and documentation based on internal and third-party audit findings.