Change Management Controls Compliance With The Sarbanes-Oxley Act Of 2002: An Example From Practice

Publicly held firms and the assurance services industry are currently struggling with the implementation of standards set forth in the Sarbanes-Oxley Act of 2002 (SOX). How to meet and assess SOX standards is considered by professionals to be uncharted territory. This study reports the details of an actual SOX audit. An international computer component manufacturing corporation engaged information system auditors from a Big 4 firm to determine whether change management procedures in two areas in their Finance Department were compliant with SOX. Audit results indicated internal control deficiencies in the two areas audited. SOX compliance was thus determined to be weak and unreliable. In addition to reporting audit procedures actually used in practice to test SOX compliance, this case study presents key change management control procedures firms must have in place to be SOX compliant. We provide helpful practical guidance for corporations and audit firms involved with SOX compliance audits. In addition, this study has value for corporate internal control training sessions as well as general applicability for accounting information systems (AIS) and management information systems (MIS) courses.