Information Systems Integration – Tony Messina


SOX (Sarbanes-Oxley) and MIS are related. When most of us hear of SOX, we think of accounting and auditing. Risk Assurance business lines within large client service public accounting firms test controls related to SOX. There are 3 levels of controls: Entity Level, ITGC (Information Technology General Controls), and Process Level Controls.

ITGC controls are linked to MIS. These are the controls in place for all the IT services within a company. They are put in place to keep employees honest and to protect the company from fraud or collusion. The controls assist the company with segregation of duties.

Segregation of duties is an integral part of ITGC controls and SOX. ITGC controls give external auditors the support they need to rely on when testing the accuracy of the financial statements. In the end, ITGC controls are an integral part of SOX testing, which assists external auditors in testing the financial statements for investors.

3 Responses to SOX and ITGC

  • As a technology audit analyst for a major financial services company, I can definitely agree that SOX and ITGC play a major role in ensuring that companies properly mitigate their risk. As a technology auditor, my job was to review the controls that were in place in regards to many of the most common ITGCs such as change management, data center physical security, system and data backup, and access controls. The controls that we had in place at our company were to ensure security from the external environment, as well as our own employees. One of the main things I looked at when reviewing the controls was that duties were segregated among employees and applications built by one particular group were reviewed by a different group.

  • I have always wondered about SOX. This post definitely informs me about what SOX is and its relation with MIS. I'm sure that with the late explosion of data breaches, and especially the mishap of ensuring the installment of the latest patch for Equifax’s data system, SOX will surely revamp its rules and controls in order to ensure that their safety methods are being followed and reported.

  • I was in a similar position as Josh in which I worked as a technology auditor and tested controls. As Josh stated, the ITGCs I worked with were also change management, physical security, access controls and data backup. I also worked on Termination and Hiring controls which deal with who has access to what level of information and how long do they have access after they are terminated. Also testing to see if there are checks and balances involved in key financial decision making practices to prevent fraud.
