Big4Guy

In any 404 implementation, IT plays a crucial role. In the 404 implementations that I have been involved with, IT needs to be integrated into the process. It cannot be seperate. One of the major financial services company where I was providing consulting services for their 404 implemention, had created a special position under the CIO for improving IT controls. Such a part time or full time position indeed helps in building better internal controls in the company. Below, I am discussing some IT best practices that I have seen during Section 404 implementation.

Formalized Change Management Processes - Some of the best companies having a strong control environment have a formalized process for reviewing significant system changes. Triggers are built into the process which escalate the issues to upper management if some criteria is not met. Rigorous testing takes place before a system is put into production environment.

Automated IT Controls - Many companies are now using automated IT general controls. Access controls as well as application changes can now be tracked using online monitors. This can be possible using company wide vendor products. Application changes can now be controlled through change management software.

Common Business & IT control framework - Most companies I have been associated with have used COSO as the control framework for both business as well as IT processes. COBIT is also available but looks prmarily at the IT side of things. IT's better not to get involved with too many frameworks since it makes the job confusing and all the more difficult.