Much has been posted on the internet regarding the financial regulatory catch-all legislation labelled Sarbanes-Oxley (or SOX for short). The authoritative articles are generalistic and hard to relate to the real world while the blog posts are generally negative and frustrated reactions to more legislation designed to get you into trouble in new and intriguing ways.
But what happens when you’re a small business being asked by a much larger customer whether your internal systems are SOX compliant?
From the writer’s perspective, SOX sets out to make it clear to the individuals running large public corporations that their financial reporting must be accurate, and requires them to ensure that systems are in place to guarantee that. From that noble (though obvious and not really new) objective an entire industry has spawned of advisors and consultants with check-lists and methodologies reaching into every crevice of the organisation and its suppliers.
From the technology supplier’s perspective these boil down to being able to demonstrate traceable and auditable controls in the following areas:
- Financial: contracts must be modelled correctly, agreed, audit-trailed, documented and maintained under strict process-driven change management. Ideally, the invoices related to these contracts must be generated without manual over-rides, from process workflows that are audit-trailed and free from the opportunity for fraud
- Process: internal processes for the development, support and management of IT systems and equipment must be controlled via workflows and stages that are relevant to the action required, correctly permissioned, secure and of course, once again fully audit-trailed so who, when and why on any change can be found immediately and reported on
- Engagement: complete documentation of engagement with the customer, agreement to requirements, testing, acceptance etc., again answering the who, when and why of any project agreement or progress step
- Responsibility: control of who can do what, when and where is key. This role control goes deep into all processes highlighting changes, recording temporary delegation and documenting actions making fraud had to disguise and easy to discover
The good news is that the way Harmony is designed, it fully supports these SOX objectives.
Harmony’s billing engine uses product objects that are fully described on orders and drive their own invoicing behaviours. This was designed to remove manual intervention in the invoicing process.
Further, any changes prior to invoice release are strictly controlled, audited and tightly permissioned.
Invoices are locked on posting and may not be edited or changed. Contract lifecycle management provides full traceability from order to invoice, nothing can be done without leaving a clear data trail.
Harmony’s service desk provides for custom workflows and ticket relationships that support any development or maintenance visibility and check-point controls. You design them the way you need them to operate, Harmony will keep the score and its seamless mail integration ensures your customers are informed and involved throughout.
Harmony’s customisable role designer and delegation controls allow you to set every individual up with the right actions and data access without compromise.
If you are faced with demonstrating ISO or SOX compliance, get in touch and we will explain how Harmony can help keep your business under control and in compliance.
