Internal Control Frameworks and Meeting ICFR Requirements

In order to be compliant with SOX and to meet ICFR requirements, organisations are required to create controls that cover a large scope of IT and financial aspects, all tailored to their unique organisational structure. Leading organisations point to frameworks such as COBIT and COSO and even a combination of the two, to adopt in your quest for SOX and ICFR compliance. Alyne’s Content Library goes beyond providing IT and Information Security related Controls and now contains extensive coverage of Financial Controls focused purely on the financial integrity of an enterprise.

The first codification of internal accounting controls happened nearly four decades ago, spurred on by the increasing bribery and corruption cases of U.S. businesses in 1977.  Since then, and more notoriously due to the Enron Accounting scandal and others, the requirements of financial controls and reporting have slowly become more clearly defined and enforced. The Sarbanes-Oxely Act (SOX) has been in effect for all U.S. listed companies and those conducting business in the U.S since 2002, as a means to prevent and protect against accounting errors and fraudulent practices. Section 404 requires the implementation of adequate Internal Control over Financial Reporting (ICFR) within listed companies to guarantee fair financial reporting practices in accordance with Generally Accepted Accounting Principles (GAAP). External auditors must attest to the design and effectiveness of Internal Control over Financial Reporting and the accuracy of an organisation’s financial statements.

Although there is mention above of requirements becoming “more clearly defined”, the actual requirements on how to achieve compliance are not so simple and SOX is not praised for straightforward guidance on how best to achieve compliance. The Sarbanes-Oxley Act, despite requiring organisations to have established and effective internal controls governing both IT and financial spheres, does not provide a checklist to follow, nor milestones to measure achievements. The ambiguity of SOX requirements has been widely condemned due to its vague nature, let alone the missing differentiation between key process parts.

Despite the lack of a clearly defined control framework from SOX, two leading organisations responsible for implementing SOX, namely the SECC and PCAOB – do point to common widely accepted frameworks, such as COSO and COBIT, and even a combination of the two, to adopt in your quest for SOX Compliance and ensuring ICFR. Combining frameworks can also help ensure that all aspects are covered in your SOX compliance checklist and help your organisations to meet ICFR requirements, as listed in Section 404.

COSO, COBIT, SOX & ICFR

Committee of Sponsoring Organisations of Treadway Commission (COSO) – 1985

The COSO framework provides an applied risk management approach to internal controls and articulates key concepts that organisations can use to deter fraud. The framework also places emphasis on financial related controls, designed to enable SOX 404 requirements of ICFR. The framework, however, lacks full consideration for the IT environment of the organisation. According to COSO, there are three types of internal controls:

  • Those that affect a company’s operation
  • Those that affect a company’s compliance with laws and regulations.
  • Those that affect a company’s financial reporting. (ICFR)

Control Objectives for Information and Related Technology (COBIT) – 1992

COBIT is an IT Management framework developed by ISACA, which provides a clear path for developing policies and good practice for IT control, helping organisations achieve their objectives in the sphere of information technology. The COBIT model allows managers to bridge the gap between control requirements, technical isssues and business risks.

Sarbanes-Oxley Act (SOX) – 2002

  • Section 404 – Internal Control over Financial Reporting

SOX applies to all publicly traded companies in the United States as well as wholly-owned subsidiaries and foreign companies that are publicly traded and do business in the United States. The Internal Controls Report, mandated by Section 4 of the Act, commonly known as SOX 404, requires that all applicable companies have adequate internal controls in place to report accurate financial data in their annual reports. More specifically, SOX 404 requires companies to implement adequate Internal Control over Financial Reporting (ICFR) to ensure fair financial reporting practices have been put in place in accordance with Generally Accepted Accounting Principles (GAAP).

SOX Compliance and Meeting ICFR Requirements within Alyne

In an interconnected world, financial integrity relies heavily on a secure, properly functioning IT infrastructure. The ability to follow your finances requires full transparency and assurance of where and how your data flows. Meeting ICFR requirements set out in SOX 404, requires an organisation to have not only sound Financial Controls, focusing on the financial integrity of an enterprise, but also cover relevant Business Controls, with IT and information security related topics.

Covered within Alyne:

  • Full mapping based on COBIT-COSO.

  • Extensive IT and Information Security related controls.

  • Library of Financial Controls focused purely on the financial integrity of an enterprise.

ICFR Control Set and Assessment Template:

The content available within the Alyne platform has enabled us to release an out-of-the-box Control Set for ICFR: Internal Control over Financial Reporting (ICFR) for compliance with SOX and SOC 1.

In addition to the Control Set, Alyne offers an out-of-the-box Assessment Template with pre-configured maturity levels which help corporations assess the maturity of their financial integrity. Regular self-assessments help organisations review compliance within their financial reporting requirements and assists them in strengthening their Internal Control over Financial Reporting. Alyne’s latest Internal Control over Financial Reporting capability allows a complete health-check of your company as well as your vendor base, for both SOX and SOC 1 compliance.

Download our latest white paper and learn more about SOX/SOC-in-a-Box and how Alyne can help your organisation with the Internal Control over Financial Reporting (ICFR) requirements of the U.S. Sarbanes- Oxley Act (SOX) “Management Assessment of Internal Controls”, and the System and Organisation Controls 1 (SOC 1) framework, defined as “Reporting on an Examination of Controls at a Service Organisation Relevant to User Entities’ Internal Control Over Financial Reporting.”

 

Alyne announces strategic partnership with LeadingEdgeCyber

Alyne enters a strategic partnership alliance with LeadingEdgeCyber to strengthen its international presence across the APAC region, with a primary focus on Sydney and Brisbane.

Alyne is proud to announce a new Resale partnership with cyber consultancy company, LeadingEdgeCyber.

LeadingEdgeCyber is an Australian company that specializes in guiding organizations of all sizes and industries in effective management of cyber security through cutting-edge solutions. As a new resale partner and fellow cyber security experts, LeadingEdgeCyber will be leveraging Alyne in their business offerings of providing end-to-end cyber security management services.

We look forward to working with LeadingEdgeCyber towards our shared mission to deepen the coverage of organizations in the Cyber Security, Governance, and Risk Management landscape. This partnership aims to strategically accelerate capability building in our services through a shared platform of expertise, insights, and reach. In a joint effort, we hope to stay ahead of the ever-evolving compliance requirements and regulatory frameworks to deliver industry-leading solutions to customers.

Cheers to a great partnership!

Alyne offers a range of partnering opportunities. More details on Alyne’s partnership opportunities can be found here.

Comprehensive Compliance with HIPAA Part 164

Although HIPAA has been in effect for over two decades, compliance with the law is still not a straightforward task. Many still lack the appropriate measures applicable to their organisation or are unsure of how to comply with all of the HIPAA Rules set out in Part 164. Alyne’s technology can facilitate this process, and offers a comprehensive mapping of Part 164 of the HIPAA regulation, covering the provisions of the HIPAA Data Privacy, Security Controls and Breach Notification Rules.

HIPAA Compliance

Although the Health Insurance and AccountabiIity Management Act (HIPAA) was first enacted into law in 1996, compliance still remains an often challenging task, leaving many Covered Entities and business associates lacking the appropriate measures and still unsure of how to comply with all HIPAA Rules set out in Part 164. The law was designed to provide consumers with greater access to healthcare insurance, reduce fraud, protect the privacy and security of healthcare information and promote efficiency and standardisation within the sector. The HIPAA regulations apply to any Covered Entities which handles health or healthcare-related data, including financial clearinghouses, and any provider that uses or transmits Personal Health Information (PHI).

According to a report by Research and Markets, the global mobile health app market is expected to hit US$134.7 Billion by 2027. In fact, two-thirds of the world’s largest hospitals offer mobile apps to their patients. With the rise of telehealth, the need for data security in the healthcare space has increased the use and sharing of patients’ Electronics Health Record (EHR).

The proliferation of digital technologies has changed the way that many healthcare providers operate. As efficiency and connectivity increased, so did the storage and transmission of key pieces of confidential health information, mandating an even greater need for the security and privacy of patients’ information. HIPAA regulates the security, privacy and protection of Personal Health Information (PHI) held by the covered entities and third parties, and provides individuals with rights to understand and control how their health information is used or disclosed.

Alyne’s Comprehensive Coverage of HIPAA Part 164

When working to achieve compliance with HIPAA, companies often focus exclusively on § 164 Subpart C (Security Standards). Technically, to ensure full compliance with HIPAA, Covered Entities will need to also apply the rules set out in § 164 Subpart D (Breach Notification) and § 164 Subpart E (Privacy Aspects).

Alyne’s coverage of HIPAA primarily focuses on Part 164 of the regulation, which covers the HIPAA Security and Privacy rules. The HIPAA Privacy Rule (Subpart E) focusses on allowed and prohibited uses and disclosures of Personal Health Information (PHI) and Personally Identifiable Information (PII) along with data subject rights. Additionally, the Security Rule (Subpart C) is the security standard for the protection of PHI, defining both technical and non-technical requirements for safeguarding health information.

 

HIPAA Privacy Rules

The HIPAA Privacy Rule (Part 164 Subpart E) focusses on the many uses and disclosures of Personal Health Information (PHI) and Personally Identifiable Information (PII) with data subject rights. This includes medical records and other personal health information, and it applies to health plans, healthcare clearinghouses, and healthcare providers that conduct certain healthcare transactions electronically.

HIPAA Security Rules

The HIPAA Security Rule (Part 164 Subpart C) is the security standard for the protection of electronic PHI (e-PHI). This set of rules ensures that there are both technical and non-technical safeguards (which include administrative and physical) to ensure that ePHI is transmitted and handled in a secured and responsible manner.

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule (Part 164 Subpart D) requires Covered Entities and their Business Associates to notify affected individuals and the media of a breach of unsecured PHI. Depending on its severity, if the data breach affects 500 and more individuals, the Secretary of Health and Human Services has to be informed no later than 60 days following the breach.

Technology can be a great facilitator to help simplify requirements, provide greater risk transparency, educate and train employees, and even act as a centralised source of data, alleviating pressure from the audit process. Are you interested in learning more about Alyne’s capabilities and comprehensive mapping of Part 164 of the HIPAA regulation?

Download HIPAA Whitepaper here or  Speak to an expert to learn more. https://mitratech.com/schedule-demo/.

How Haufe Group found success leveraging Alyne’s Software as a Service for organisation-wide digitalised policy management

Learn more about how Alyne’s easily accessible and interactive platform made it possible for Haufe Group to successfully communicate relevant guidelines.

Haufe Group with its brands Haufe, Haufe Akademie and Lexware among others has developed into a nationwide leading provider of digital workplace solutions and services, as well as a constant in the field of training and further education.

Challenges such as how to ensure acceptance among colleagues for compliance topics or link guidelines with appropriate online training and success monitoring were of central importance for them.

Learn more about how Alyne’s easily accessible and interactive platform made it possible for Haufe Group to successfully communicate relevant guidelines. Furthermore, they were also able to promote awareness among employees through the agile implementation of requirements and read confirmations through an easy-to-understand user interface – supported by an open and cooperative collaboration between Haufe and Alyne.

Read more about the case study in detail below.

DOWNLOAD CASE STUDY



For more information on Alyne’s policy management capabilities for your organisation, schedule a meeting with an Alyne expert in your region.

How Neodigital Established a Complete Risk Inventory Within Alyne in 6 Weeks

Neodigital, a digital insurance company, aimed to strengthen its Operational Risk Management capabilities within the framework of management systems and information security. They required a solution that could not only provide agile Risk Management, but cover topics across the full governance and compliance spectrum, as well. Neodigital’s first goal in Alyne was to create a complete inventory of all existing risks, which was achieved in just six weeks.

Neodigital Versicherung AG was founded in 2017 by Stephen Voss and Dirk Wittling with the goal of making it a leading insurance factory. Thanks to the strong team with many years of experience in the insurance industry, Neodigital has developed, in a very short time, into a digital insurance company based on simplified and accelerated processes with the help of extensive automations.

 

“We live digitisation in all our processes. Therefore, it is important to us to integrate it into our internal processes. Mitratech’s Alyne GRC platform helps us support our employees in the Risk Management space and beyond.”

– Anzhela Kuts Chief of Staff – Neodigital

 

While Neodigital continues its ambitious growth course, it aims to strengthen its Operational Risk Management capabilities within the framework of management systems and information security. An isolated solution, exclusively for Risk Management purposes, was out of the question for Neodigital, as other topics from the governance and compliance environment, such as VAIT Compliance or ISO 27001 Compliance, were also highly relevant.

After selecting Mitratech’s Alyne platform, Neodigital’s first goal was to create a complete inventory of all existing risks. To reach this goal, three steps were necessary within Alyne:

  1. Configuration of the Instance
  2. Migration of Existing Risks
  3. Updating the Risk Inventory

Only six weeks after signing the contract, Neodigital was able to successfully achieve its goal of developing a complete risk inventory and efficiently record as well as manage risks from different divisions.

Read about their journey in detail and the time-to-value that the Alyne platform provides. The case study is available in both English and German.

Alyne announces collaborative partnership with Cyber Samurai

Alyne and Cyber Samurai are pleased to annouce the commencement of a collaborative partnership which streamlines the delivery of industry leading IT security services.

Alyne and Cyber Samurai have entered into a collaborative partnership to support our shared vision to equip companies with greater confidence in navigating the cyber security, governance and risk management space.

Cyber Samurai is a German-based company which specialises in IT Security, offering professional advice and guidance to ensure that organisations are taking a preventive approach towards cyber risk.

 

As a new Resale Partner and fellow IT security experts, Cyber Samurai will be leveraging Alyne in their business offerings of providing end to end IT security management services. In this partnership, we will join our expertise in our shared mission to streamline IT security within companies and minimise their risk exposure. We look forward to a great partnership!

Alyne is expanding into the Central and Eastern Europe (CEE) region with OTP Bank

Alyne is proud to announce OTP Bank, the largest Financial Supplier in Hungary, as our first client within the Central and Eastern Europe (CEE) region.

Munich – Alyne is proud to announce that we have successfully onboarded our first client in the CEE region with OTP Bank, the largest financial supplier in Hungary. OTP Bank is the flagship unit of OTP Group, a key player in the banking market in the CEE region, providing high-quality financial solutions to almost 20 million private and corporate clients in 12 countries of the region. Alyne will be working closely with OTP Bank to provide cutting-edge solutions to strengthen their cyber security measures, especially with reference to the ISO and NIST frameworks, and local and European banking regulations.

We hope that this relationship will signify the launchpad of Alyne’s broader business development opportunities in the CEE region as we expand our global clientele base. Alyne is committed to developing our offering and expanding our international presence to help organizations improve Cyber Security and Compliance maturity, minimize their risk exposure, and meet regulatory compliance requirements in the most cost-effective manner.

Learn more about OTP Bank.

We look forward to serving our Central and Eastern Europe clients!

Alyne’s technology-added value to the Corona-Immobilien-Index research

Alyne’s technology has been actively facilitating the Baumonitoring study, run by emproc, Cushman and Wakefield and other partners, to generate the Corona-Immobilien-Index, through its highly secure Assessments functionality.

MUNICH, GERMANY – Alyne’s technology has been actively facilitating the Baumonitoring study, run by emproc, Cushman and Wakefield and other partners, to generate the Corona-Immobilien-Index, through Alyne’s highly secure Assessments functionality.

Corona-Immobilien-Index
Initiated by Cushman and Wakefield, the purpose of the Corona-Immobilien-Index is to research and illustratrate the impact of the coronavirus crisis on the real estate industry within Germany. More specifically, it studies the personal impression and assessment of real estate market players and experts, gaining new data insights into topics such as construction and material supply, to personnel shortages.

Stefan Stenzel, Associate Director at Cushman & Wakefield and initiator of the Corona Real Estate Index: “The real estate industry is proving to be robust. This is good news for all market players, but not surprising. On the whole, it remains true to its reputation as a stable economic sector. If anything, the real estate industry reacts sluggishly in crises, so that those involved have more time than in other sectors to adjust to new circumstances.” Read more about the press publication and insights into week four findings by emproc SYS and Ummen Communications. 

The index is supported by a network of partners that consists of several established companies and institutions such as Cushman & Wakefield, RICS, Real Estate Lounge, Frauenhofer, Norton Rose Fulbright and more. For the extensive list of partners, please click here.

Alyne’s contribution to the Index

Alyne’s security-first Software as a Service platform is the driving force behind the Corona-Immobilien-Index research. Alyne’s technology is adding value by helping real estate experts to confidently contribute to the Index with ease. Alyne does so by offering a highly secure and scalable platform to ensure the information provided by the participants remains protected and confidential.

Alyne’s facilitating of the weekly survey ensures that the Corona-Immobilien-Index will continue to be updated on a weekly basis to deliver the most reliable reflection of the German real estate market. We would like to encourage all real estate market players and subject matter experts (developers, building contractors, project managers / site managers / banks and investors) to register for participation in the project development barometer here. Updated results will be published regularly on Baumonitoring.com

We’re here to help

Contact us and we’ll answer any questions about how Mitratech supports your success.

Contact Us