Change Management Plan & Policies – Cloud SOX Compliance Requirements (18 Mar)
Going public means your business has to comply with the Sarbanes-Oxley (SOX) Act of 2002, and when you deploy your accounting system in the cloud you are entrusting your cloud provider with an important component of your SOX compliance responsibilities. Does your provider have an adequate change management plan and policies in place to support SOX? Even if you are not going public today, hosting your accounting system with a SOX-compliant cloud provider that offers audit-ready services will make an initial public offering go much more smoothly down the road. A trustworthy record of SOX adherence prior to your IPO will also go a long way toward building underwriter confidence.
In this post we discuss Change Management. For in-depth coverage of the other critical ERP cloud SOX controls, check out this eBook on SOX Compliance Requirements.
Change Management Plan and Policies to Meet SOX Cloud Requirements for Hosted Accounting
Doesn’t Everybody Offer SOX Compliance?
While it is true that many cloud providers offer infrastructure that satisfies the physical security expectations of a SOX audit, only best-of-breed cloud service providers hold a current SSAE 16 (SOC 1) Type II report for the data center while also providing audit-ready services and support that streamline your SOX audit and deliver comprehensive documentation of SOX policies and procedures. Note that an SSAE 16 report attests to the provider's controls, not to your company's SOX compliance; your auditors will still expect you to review the report, map its controls to your own, and cover any gaps with complementary user entity controls.
In a 2015 survey by audit firm Protiviti, roughly 65 to 70 percent of respondents from SOX-compliant businesses reported an increase in the time spent on SOX compliance.
“This year’s survey shows that a majority of companies are not only spending more time and money on reporting requirements, but are also making significant changes to their compliance programs,” said Brian Christensen, an executive vice president with Protiviti.
The 5 Critical Controls to Satisfy SOX Criteria in the Cloud
To truly deliver SOX-compliant cloud services and infrastructure, a cloud provider must have standardized, documented policies for:
- Change Management Plan and Policies
- Logical Access Controls
- Physical Security Policy
- IT Operations Management
- Enterprise Cloud Backup & Recovery
Change is the Only Constant: Change Management Plan and Policies for SOX Cloud
Any change to a publicly traded company's financial systems must be properly approved and documented. Changes a cloud provider might make to a SOX-compliant software system include adding and removing users, changing user access levels, and changes within the application itself, such as applying upgrades or patches or adding new modules. Any change to the application should be performed and validated in a test environment before it is promoted to the live environment.
Comprehensive testing confirms that changes operate as intended, reducing operational risk and producing the evidence auditors expect for system changes. The hoster should provide a test environment that mirrors production, allow the enterprise sufficient time to run its own tests before changes are made in production, and retain the test results, approvals, and deployment records for each change. Auditors will also look for segregation of duties: the person who requests or develops a change should not be the one who approves it and moves it into production.
Before choosing a cloud hoster for SOX-compliant software, ask for documentation of the provider's policies on the following questions:
- How are changes to the system and the software approved, documented and tracked?
- What controls are in place for adding users or changing existing user passwords and access levels?
- What controls are in place regarding changes within the application itself, such as upgrades and new modules?
- Who can request changes, and how is this controlled?
If the provider's change management policies satisfy your needs, the next step is to determine whether the provider will supply the after-sale support needed to streamline your SOX audit. Ask your prospective SOX cloud provider whether they:
- Have a standardized approach to track and respond to requests for support and documentation
- Maintain standardized change request protocols
- Deliver quick responses to support requests
- Regularly review change management policies
- Provide change control documentation (tickets, approvals, test results, and deployment records) on request
Did you know?
If you are a publicly traded company running a Dynamics ERP system, you can upgrade to the newest version in the cloud without sacrificing your governance, risk management, and compliance requirements. Check out this Microsoft Dynamics SOX Compliance Solutions page.