Kunal Malhotra

IT Controls for SOX Compliance & Risk Mitigation

Insurance

  • Industry: Insurance Sector
  • Size: 10,000+
The project focused on assessing & testing the effectiveness & design adequacy of IT controls for the organization’s compliance with SOX 404 regulations, ensuring robust risk mitigation & internal control framework.

Project Requirements

  • Evaluate & test the design & operational effectiveness of IT controls related to financial reporting processes.
  • Assess master data processes for completeness, accuracy, & alignment with the General Ledger.
  • Conduct testing & prepare documentation to ensure SOX 404 compliance & effective risk mitigation.

Overview

The organization, a global leader in insurance & reinsurance, engaged in a critical initiative to strengthen its internal controls around financial reporting, particularly in line with SOX 404 compliance. This project focused on ensuring that IT controls across their financial data processing systems were adequately designed, effective, & aligned with both operational needs & regulatory standards.

In parallel with this compliance project, the organization was undergoing an IT Transformation through its Central Application Services (CAS) initiative. Control scoping & testing followed the top-down, risk-based approach of AS5 (PCAOB Auditing Standard No. 5) & the IIA's GAIT (Guide to the Assessment of IT Risk) methodology. The transformation significantly changed the internal control environment, necessitating an update to the Framework of Internal Controls (FIC) to keep it consistent with the new IT architecture & processes.
We undertook a comprehensive review of the organization’s IT control environment, ensuring that the design & operational effectiveness of controls were in place to mitigate risks related to financial reporting, while adhering to SOX 404 compliance.

Challenge

  • Complexity in Financial Systems Integration: The organization’s financial ecosystem comprised multiple systems for underwriting, claims processing, financial reporting, & general ledger reconciliations. These systems were being integrated with the newly redesigned IT infrastructure, creating challenges in ensuring that data flow & reporting were consistent & accurate across platforms.
  • Coordination Across Multiple Teams: Given the size of the organization & the complexity of its IT & operational infrastructure, gathering the necessary input from stakeholders across departments (Finance, IT, Risk, Underwriting, Claims, & Internal Audit) was a significant challenge. Aligning their inputs & ensuring effective communication was crucial to assess the effectiveness of the controls.
  • Data Reconciliation & Accuracy Testing: A core aspect of the engagement was testing the reconciliation of data from reporting tools with the general ledger, ensuring the accuracy & completeness of financial entries. This testing required verification of data integrity across systems, including Master Data Management (MDM), which plays a critical role in the accuracy of financial reporting.
  • Design Adequacy of Controls: The complexity of the organization's IT environment required a thorough examination of the adequacy of controls, particularly those governing system access, data integrity, & change management. Ensuring these controls were not only operating but also designed to meet regulatory standards was a priority.

Approach & Methodology

  • Scoping & Planning Strategy: The project began with a thorough scoping phase in which we collaborated with Internal Audit (IA), Risk Management, & the IT teams to identify key financial reporting processes & associated IT controls. This phase also included understanding the changes brought by the CAS transformation & how those changes impacted the control environment.
    • Mapping out control owners across departments such as Finance, Risk, IT Security, Claims, & Underwriting.
    • Identifying key IT & financial controls (e.g., user access, data reconciliation, change management) relevant to SOX 404 compliance.
    • Defining a sample size for testing, covering various departments & systems to assess the controls’ design adequacy & operational effectiveness.
  • Redesign of Internal Controls Framework: As the organization underwent its IT transformation, it was critical that the Framework of Internal Controls was aligned with the new technologies & methodologies. We worked to redesign the internal controls to fit the newly implemented IT systems, scoping the affected controls top-down under AS5 & GAIT, which involved:
    • Updating control documentation to reflect new processes introduced by the IT transformation.
    • Ensuring that the redesigned framework was compliant with both SOX 404 requirements & the evolving regulatory landscape.
  • Effectiveness Testing: The testing process consisted of different types of controls testing designed to assess both the design adequacy & operational effectiveness of the organization’s IT controls:
    • Interviewing stakeholders from Finance, Risk Management, IT Security, & Claims to understand how controls were operationalized in practice.
    • For MDM systems, code reviews were performed to ensure the integrity & completeness of data inputs, particularly focusing on how customer data, policies, & claims were managed in the financial systems.
    • Conducting reconciliation testing by selecting samples of financial transactions across different modules & verifying that they reconciled properly with the General Ledger. This process involved checking for consistency & accuracy in the reconciliation reports generated by the financial reporting tools.
  • Types of Controls Testing Conducted: After validating the design of the controls, we conducted live testing for their effectiveness across the financial reporting & IT systems. The testing involved:
    • Design Testing: Focused on whether the control processes & procedures were appropriately designed to mitigate risks. We reviewed the control documentation, the flow of processes, & interviewed control owners to ensure that the designed controls were adequate & would function as intended in a SOX-compliant manner. Controls assessed for design included:
      • User Access Management: Ensuring that only authorized individuals have access to critical financial data & systems.
      • Change Management: Verifying that system changes, including software updates & modifications to the General Ledger system, follow an established procedure to mitigate the risk of unauthorized changes.
      • Data Integrity: Reviewing how data entered into financial systems is validated, ensuring that only correct & complete data flows into the reporting system.
    • Operating Effectiveness Testing: Aimed to assess whether the controls were actually working as intended in practice. To do this, we conducted:
      • Walkthroughs: Observed the control processes in action by walking through the key procedures with control owners & verifying that these controls were being executed as designed.
      • Sample Testing: Using statistical sampling, we selected a representative sample of financial transactions to test. This included transactions related to underwriting, claims processing, & general ledger reconciliation. For example, we tested whether data from claims was accurately entered & reconciled with financial reports.
      • Automated Controls Testing: Automated tests were performed on system-based controls such as data validation rules, system-generated reports, & reconciliation processes. These tests were run against a sample set of financial transactions to verify accuracy & consistency.
      • MDM & Code Reviews: Tested the MDM system by reviewing code & configurations to ensure data integrity & consistency. This included checking the synchronization of data across systems & verifying that no discrepancies existed in the data passed between systems, including underwriting & claims information.
    • Reconciliation Testing: One of the most critical aspects of SOX 404 testing was the reconciliation of financial transactions between the reporting systems & the General Ledger. We reviewed the reconciliation reports for completeness & accuracy, ensuring that:
      • Financial Transactions were properly recorded in both the transaction-level system & the General Ledger.
      • Transaction Entries matched between different systems, ensuring consistency.
      • Any exceptions or discrepancies identified during testing were properly resolved & addressed.
  • Sampling Strategy: A robust statistical sampling approach was adopted to select transactions that would provide a representative picture of control effectiveness:
    • Underwriting Transactions: Sampled policies & contracts, verifying that the data was accurately entered & processed.
    • Claims Transactions: Focused on the integrity of claim data & its reconciliation with the General Ledger.
    • Financial Reports: Tested the completeness & accuracy of journal entries, reconciliations, & reports generated by the financial reporting systems.
  • Collaboration with External Auditors & Internal Teams: Effective collaboration was essential throughout the project. We worked closely with PricewaterhouseCoopers (PwC) & Internal Audit (IA) to ensure the testing was thorough & aligned with their audits, which included:
    • Coordinating audit plans with PwC & Internal Audit against the Framework of Internal Controls, to avoid overlap in testing & to streamline the process.
    • Supporting PwC's review & testing of controls & performing additional tests as needed.
    • Embedding key IT controls into IA’s audits, reducing redundancies & minimizing touchpoint fatigue.
    • Regularly updating the Management Control Office (MCO) with progress reports & findings.
  • Support to the Management Control Office: Our team provided substantial support to the MCO in their responsibilities, including:
    • Coordinating audit plans & ensuring alignment between various stakeholders.
    • Updating the internal controls framework based on changes in regulatory requirements.
    • Completing & updating the process-level risk assessment, ensuring the organization’s internal control environment reflected any new risks or changes in business processes.
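The reconciliation & sample testing described above, as an added illustration in Python (not code from the engagement or from the organization's systems): it matches subledger postings to GL journal lines by a shared reference, classifies each exception the way a tester would log it (missing in GL, GL entry with no source, duplicate posting, amount or period mismatch), and draws a fixed-seed sample so the selection can be re-performed. The data, field names, and reference format are constructed for the example and are assumptions, not the client's.

```python
import random
from collections import defaultdict
from decimal import Decimal

# Constructed sample data for this example (not from the engagement): postings from
# a claims subledger and the GL journal lines that should mirror them, keyed by a
# shared reference number. Decimal avoids float rounding in currency comparisons.
CLAIMS_SUBLEDGER = [
    {"ref": "CLM-1001", "amount": Decimal("1250.00"), "period": "2024-03"},
    {"ref": "CLM-1002", "amount": Decimal("980.50"), "period": "2024-03"},
    {"ref": "CLM-1003", "amount": Decimal("4100.00"), "period": "2024-03"},
    {"ref": "CLM-1004", "amount": Decimal("75.25"), "period": "2024-03"},
]
GENERAL_LEDGER = [
    {"ref": "CLM-1001", "amount": Decimal("1250.00"), "period": "2024-03"},
    {"ref": "CLM-1002", "amount": Decimal("890.50"), "period": "2024-03"},  # transposed digits
    {"ref": "CLM-1004", "amount": Decimal("75.25"), "period": "2024-03"},
    {"ref": "CLM-1004", "amount": Decimal("75.25"), "period": "2024-03"},  # posted twice
    {"ref": "CLM-9999", "amount": Decimal("300.00"), "period": "2024-03"},  # no source document
]


def _by_ref(rows):
    """Group postings by reference so duplicates on either side are visible."""
    groups = defaultdict(list)
    for row in rows:
        groups[row["ref"]].append(row)
    return groups


def reconcile(subledger, ledger):
    """Line-level reconciliation of subledger postings against GL journal lines.

    Returns (summary, exceptions). Every reference seen on either side is classified
    exactly once. The summary also carries the totals-level variance so the tester
    can see when offsetting line errors net to zero at the total level.
    """
    sub, gl = _by_ref(subledger), _by_ref(ledger)
    exceptions = []
    matched = 0
    for ref in sorted(set(sub) | set(gl)):
        s_rows, g_rows = sub.get(ref, []), gl.get(ref, [])
        if not g_rows:
            exceptions.append({"ref": ref, "type": "missing_in_gl",
                               "detail": f"subledger {s_rows[0]['amount']} has no GL line"})
        elif not s_rows:
            exceptions.append({"ref": ref, "type": "unsupported_gl_entry",
                               "detail": f"GL {g_rows[0]['amount']} has no subledger source"})
        elif len(s_rows) > 1 or len(g_rows) > 1:
            exceptions.append({"ref": ref, "type": "duplicate_posting",
                               "detail": f"{len(s_rows)} subledger vs {len(g_rows)} GL lines"})
        elif s_rows[0]["amount"] != g_rows[0]["amount"]:
            exceptions.append({"ref": ref, "type": "amount_mismatch",
                               "detail": f"subledger {s_rows[0]['amount']} vs GL {g_rows[0]['amount']}"})
        elif s_rows[0]["period"] != g_rows[0]["period"]:
            exceptions.append({"ref": ref, "type": "period_mismatch",
                               "detail": f"subledger {s_rows[0]['period']} vs GL {g_rows[0]['period']}"})
        else:
            matched += 1
    sub_total = sum(r["amount"] for r in subledger)
    gl_total = sum(r["amount"] for r in ledger)
    summary = {
        "subledger_total": sub_total,
        "gl_total": gl_total,
        "variance": gl_total - sub_total,
        "matched": matched,
        "exceptions": len(exceptions),
    }
    return summary, exceptions


def select_sample(rows, size, seed):
    """Draw a fixed-seed random sample from a stably ordered population, so the
    same selection can be re-performed by Internal Audit or the external auditor."""
    population = sorted(rows, key=lambda r: r["ref"])
    return random.Random(seed).sample(population, min(size, len(population)))


if __name__ == "__main__":
    summary, exceptions = reconcile(CLAIMS_SUBLEDGER, GENERAL_LEDGER)
    print(summary)
    for e in exceptions:
        print(e["type"], e["ref"], e["detail"])
    print("sample for re-performance:", [r["ref"] for r in select_sample(CLAIMS_SUBLEDGER, 2, seed=7)])
```

On the constructed data the line-level match flags four of five references and only one clean match. The totals-level variance is reported as a sanity check, not as the control test: a duplicate GL posting and a missing GL line can offset each other so that totals agree while individual entries are wrong, which is exactly the condition reconciliation testing exists to catch.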

Deliverables

  • SOX 404 Control Effectiveness Report: Detailed documentation of the design & operational effectiveness of key IT controls.
  • Framework of Internal Controls Redesign: A comprehensive update of the internal controls framework, aligned with the IT transformation & SOX compliance requirements.
  • Risk Mitigation Plan: A set of recommended actions to address identified weaknesses in control design & operation.
  • Detailed Testing Logs: Logs of tests conducted on controls, including the samples reviewed, interview summaries, & test outcomes.
  • Reconciliation Reports: Documentation verifying that financial data reconciled with the General Ledger as per SOX 404 requirements.
Outcome

The outcome of this project was a robust internal control framework that was fully aligned with the organization's evolving IT environment & SOX 404 compliance requirements. The internal controls were effectively redesigned to reflect changes resulting from the CAS transformation, ensuring that IT systems & financial reporting processes were synchronized.

By testing both the design adequacy & operational effectiveness of key controls, including those related to user access, change management, data integrity, & reconciliation processes, we identified areas for improvement. These findings led to the implementation of corrective actions, such as enhancing user access controls, improving data validation mechanisms within the MDM system, & refining reconciliation processes.

The integration of IT controls into IA & PwC audits helped streamline the overall audit process, reducing redundancies & minimizing audit fatigue. As a result, the organization achieved improved SOX 404 compliance & gained enhanced confidence in the accuracy & integrity of its financial data.

Through detailed collaboration, live testing, & an adaptive approach to managing the transformation, the organization successfully mitigated risks & reinforced its internal control environment, positioning it for sustained compliance & operational excellence in future audits.
