From regulatory requirements to IT impacts and
technology solutions
Sarbanes-Oxley
Sponsored by:
www.ITCinstitute.com
www.ITCinstitute.com 1
This in-depth white paper provides a solid definition of Sarbanes-
Oxley, some of the surrounding interpretations of Sarbanes-Oxley’s
key sections, and how to deal with what an IT staff needs to
understand, do, and document in order to bring internal controls
in line with Sarbanes-Oxley requirements. It also provides insight
into specific tools and technologies available to simplify compliance
initiatives.
Table of Contents
2 Sarbanes-Oxley Act and its impact on control objectives
3 Intent of Sarbanes-Oxley
4 § 105 Full-time availability of data
4 § 302 Corporate responsibility for financial reports
4 § 403 Web site records
5 § 404 Management assessment of internal controls
11 § 409 Material changes
11 § 802 Dealing with data
12 § 1102 Tampering with a record or impeding an official proceeding
12 Dealing with Sarbanes-Oxley
13 Top-down sample plan for Sarbanes-Oxley compliance
14 Sarbanes-Oxley: IT impact zones
26 Solutions for Sarbanes-Oxley
30 ComplianceINSIGHT: Solution Sponsors
31 Epilogue: Ten steps for sustaining compliance benefits
34 References
About the IT Compliance Institute
The IT Compliance Institute (ITCi) strives to be a global authority on the role of technology in business governance and regulatory compliance. Through comprehensive education, research, and analysis related to emerging government statutes and affected business and technology practices, we help organizations overcome the challenges posed by today’s regulatory environment and find new ways to turn compliance efforts into capital opportunities.
ITCi’s primary goal is to be a useful and trusted resource for IT professionals seeking to help businesses meet privacy, security, financial accountability, and other regulatory requirements. Targeted at CIOs, CTOs, compliance managers, and information technology professionals, ITCi focuses on regional- and vertical-specific information that promotes awareness and propagates best practices within the IT community.
For more information, please visit: www.ITCinstitute.com
Design elements, front matter, and content on pages 29-31 are copyright © 2005 IT Compliance Institute, a division of 101 Communications LLC. Content on pages 26-28 is copyright © 2005 Stellent, Inc. All other content is copyright © 2004 Network Frontiers, LLC. Portions of the content are derived from © 1994, 1996, 2003 The Backup Book ISBN 0-9729039-0-9. All rights are reserved for all copyright holders.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under § 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the copyright holder.
Limit of Liability/Disclaimer of Warranty: While the copyright holders, publishers, and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be usable for your situation. You should consult with a professional where appropriate. Neither the publishers nor authors shall be liable for any loss of profit or any other commercial damages, including, but not limited to, special, incidental, consequential, or other damages.
All trademarks cited herein are the property of their respective owners.
Compliance INSIGHT: SARBANES-OXLEY
Sarbanes-Oxley Act and its impact on control objectives
The Sarbanes-Oxley Act (SOX) was passed in 2002.1 Most public companies must comply by June 15, 2004; smaller U.S. businesses and foreign companies must comply by April 2005. By providing strict corporate governance guidelines for publicly traded companies, this act addresses several aspects regarding:
• Security and controls of accounting and auditing processes.
• Oversight of accounting and audit practices.
• Financial record retention.
Examples include development of policies and practices for data integrity and confidentiality in handling complaints. The most important parts of SOX for IT revolve around sections 302 and 404, which require organizations to disclose their internal financial reporting controls as well as an assessment of how well those controls are working. But what that actually means for IT isn’t well understood. As recently as January 2004, one of the “Law, Public Policy and Standards Experts” at SearchSecurity.com was asked what this all means for an IT infrastructure. In an overly vague answer, he stated that the “wise IT administrator would implement as many best practices as possible,” and then named several IT security frameworks (NIST, ISO 17799, NSA Gold Standard) that could be used as guidance.2 Other “experts” are just as in the dark about what to do relating to internal control objectives. Why is that so?
1 (2002). The Sarbanes-Oxley Act of 2002.
2 Beaver, K. (2004). Sarbanes-Oxley discusses internal controls, but what exactly does that mean in regards to infrastructure? SearchSecurity.com.
The answer lies in the broad-term verbiage that the SOX act uses to define internal controls, the somewhat less broad-term verbiage that the Securities and Exchange Commission (SEC) as well as the Public Company Accounting Oversight Board (PCAOB, the folks who watch the auditors who watch the companies) uses, and the fact that they all point to a set of massive tomes that serve as security frameworks, such as:
• COSO (Committee of Sponsoring Organizations
of the Treadway Commission), which released the
Enterprise Risk Management (ERM) framework that
provides information on enterprise risk management
for all organizations. The framework also identifies
the interrelationships between enterprise risk
management and internal control.
• CobiT (Control Objectives for Information and
Related Technology), published by the IT Governance
Institute and the Information Systems Audit and
Control Association (ISACA), which provides an
in-depth governance model for IT operations.
• ISO-17799, which provides a framework for
implementing an information security program
through its definition of a variety of security controls
and risk management approach.
The good news is that each of these documents
describes internal control as a process with certain
definable objectives that can be reached through proper
assessment, control activities, and monitoring. What
this white paper attempts to provide is a solid definition
of SOX, some of the surrounding interpretations of
SOX’s section 404 (such as that from the SEC, PCAOB,
IT Governance Institute, and auditors such as Ernst &
Young), and how to deal with what an IT staff needs to
understand, do, and document in order to bring internal
controls in line with SOX requirements.
Intent of Sarbanes-Oxley
Because the primary objective of SOX is to assure the
integrity of an organization’s financial statements, the
CEO and CFO are required to certify the accuracy of
those financial statements and make the related material
available to the public. In this case, security classification
of certain stored information changes from company-
confidential to public-use with the release of the financial
statement. It requires executive officer certification of
financial results, disclosure controls, and procedures; it
also requires accelerated report filing. Auditing firms, for
example, have to keep every document that influences
a report about a client—including e-mail, instant
messaging, or even sticky notes with facts and figures
—for at least seven years.
Section 404 mandates that each annual report also
contain an internal control report that states the
responsibility of the organization’s management in
establishing and maintaining an adequate internal
control structure, as well as the procedures used for
financial reporting. The control report must also contain
an assessment, at the end of the issuer’s most recent fiscal
year, of the effectiveness of the internal control structure
and procedures for financial reporting. The auditor must
also attest to, and report on, the assessment made by the
management of the issuer. SOX thereby sets forth very
strong requirements that organizations implement an
internal control framework in which general computer
integrity and confidentiality controls play a key role. Here
are some of the highlights:
• Management certification that quarterly and annual
reports as well as related disclosures reflect accurately
in all material respects the company’s financial
position (§ 302).
• Management certification that material information
relating to the company’s financial condition is
surfaced through disclosure controls and procedures
that are in place (§ 302).
• Management and auditor’s certification that financial
report preparation processes have effective internal
controls and procedures, and identification of
the internal control framework (§ 404). What has
become the largest issue to date is the definition of
internal control, because SOX wasn’t very precise in its
language.
• Rapid disclosure of material changes in financial
condition and operations (§ 409).
• As it refers to business continuity (BC) and disaster
recovery planning (DRP), preserving and maintaining
the systems that process and store the records takes on
increased importance.
§ 105 Full-time availability of data
Section 105 deals with investigations and the usage of documents. The part that is important for us is that it states that the board (of the organization) may require the production of “audit work papers and any other document or information…to verify the accuracy of any documents or information supplied.”
§ 105.2 deals with testimony and document production, whereby it grants the Board the ability to:
(B) Require the production of audit work papers and any other document or information in the possession of a registered public accounting firm or any associated person thereof, wherever domiciled, that the Board considers relevant or material to the investigation, and may inspect the books and records of such firm or associated person to verify the accuracy of any documents or information supplied;
(C) Request the testimony of, and production of any document in the possession of, any other person, including any client of a registered public accounting firm that the Board considers relevant or material to an investigation under this section, with appropriate notice, subject to the needs of the investigation, as permitted under the rules of the Board; and
(D) Provide for procedures to seek issuance by the Commission, in a manner established by the Commission, of a subpoena to require the testimony of, and production of any document in the possession of, any person, including any client of a registered public accounting firm, that the Board considers relevant or material to an investigation under this section.
§ 302 Corporate responsibility for financial reports
The CEO and CFO must prepare a statement certifying financial statements and disclosures. Therefore, neither of them will want any surprises from any of the information feeding into the financial system.
(a)(1) The signing officer has reviewed the report; (2) based on the officer’s knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading.
Especially since § (a)(5) states that an analysis had better be performed, with a “weaknesses” report being filed and presumably on the way to being fixed.
(a)(5) The signing officers have disclosed to the issuer’s auditors and the audit committee of the board of directors (or persons fulfilling the equivalent function)—(A) all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer’s ability to record, process, summarize, and report financial data and have identified for the issuer’s auditors any material weaknesses in internal controls.
What those internal controls are, and what kinds of weaknesses can be discovered, will be defined in the next section.
§ 403 Web site records
Section 403 requires organizations that have a corporate Web site to post, within a specified time, a statement regarding major changes in the ownership of stock. Amending section 16 of the Securities and Exchange Act of 1934 (§ 16(a)(4)(C)):
The issuer (if the issuer maintains a corporate website) shall provide that statement on that corporate website, not later than the end of the business day following that filing.
The SEC then amended 17 CFR 240.16a-3(k) to state:
Any issuer that maintains a corporate website shall post on that website by the end of the business day after filing any Form 3, 4 or 5 filed under section 16(a) of the Act as to the equity securities of that issuer. Each such form shall remain accessible on such issuer’s website for at least a 12-month period. In the case of an issuer that is an investment company and that does not maintain its own website, if any of the issuer’s investment adviser, sponsor, depositor, trustee, administrator, principal underwriter, or any affiliated person of the investment company maintains a website that includes the name of the issuer, the issuer shall comply with the posting requirements by posting the forms on one such website.3
This means that affected organizations will need to be able to retain and manage adequate documentation of the posting, which includes metadata information about when it was posted, where it was posted, and how soon it was made available to the public.
3 (2003). Final Rule: Mandated Electronic Filing and Website Posting for Forms 3, 4 and 5. 17 CFR Parts 230, 232, 239, 240, 249, 250, 259, 260, 269 and 274. Release nos. 33-8230, 34-47809, 35-27674, IC-26044.
4 (2003). Final Rule: Management’s Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports. 17 CFR PARTS 210, 228, 229, 240, 249, 270 and 274. Release nos. 33-8238; 34-47986; IC-26068.
5 Ibid. Summary.
6 Ibid. § II.A.1 Proposed Rule.
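The posting evidence described above has two checkable properties: the form went live no later than the end of the business day after filing, and it stayed accessible for at least 12 months. The following is an added example (not code from the white paper or from the SEC) of a posting log and the two checks run over it. It assumes a record layout of its own, that business days are Monday to Friday with no holiday calendar, that "end of the business day" is 23:59:59, and that the 12-month period can be modelled as 365 days; the sample records are constructed, not real filings.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import List, Optional, Tuple


@dataclass
class PostingRecord:
    """Metadata kept for one Form 3, 4 or 5 posted on the corporate website.

    The field layout is an assumption for this example; the SEC rule says
    what must be posted and for how long, not how the evidence is recorded.
    """
    form_type: str                         # "3", "4" or "5"
    filed_on: date                         # date the form was filed with the SEC
    posted_at: datetime                    # when it went live on the website
    url: str                               # where it was posted
    removed_at: Optional[datetime] = None  # when it was taken down, if ever


def next_business_day(d: date) -> date:
    """Assumption: business days are Monday to Friday; holidays are not modelled."""
    nxt = d + timedelta(days=1)
    while nxt.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        nxt += timedelta(days=1)
    return nxt


def posting_deadline(filed_on: date) -> datetime:
    """End of the business day following the filing date (assumed to be 23:59:59)."""
    return datetime.combine(next_business_day(filed_on), time(23, 59, 59))


def is_timely(rec: PostingRecord) -> bool:
    """True if the form was posted no later than the end of the next business day."""
    return rec.posted_at <= posting_deadline(rec.filed_on)


def retention_satisfied(rec: PostingRecord) -> bool:
    """True if the form stayed accessible for at least 12 months after posting.

    Assumption: the 12-month period is modelled as 365 days.
    """
    if rec.removed_at is None:
        return True  # still published, so the retention clock is still running
    return rec.removed_at >= rec.posted_at + timedelta(days=365)


def review(records: List[PostingRecord]) -> List[Tuple[str, str, str]]:
    """Return (form_type, filed_on, finding) for every record that fails a check."""
    findings = []
    for rec in records:
        if not is_timely(rec):
            findings.append((rec.form_type, rec.filed_on.isoformat(), "posted after deadline"))
        if not retention_satisfied(rec):
            findings.append((rec.form_type, rec.filed_on.isoformat(), "removed before 12 months"))
    return findings


# Constructed sample records (not real filings).
SAMPLE_POSTINGS = [
    # Filed Friday, posted Monday: Monday is the next business day, so timely.
    PostingRecord("4", date(2004, 6, 11), datetime(2004, 6, 14, 17, 0),
                  "https://example.invalid/sec/form4-2004-06-11.html"),
    # Filed Tuesday, posted Thursday morning: deadline was Wednesday 23:59:59, so late.
    PostingRecord("4", date(2004, 6, 15), datetime(2004, 6, 17, 9, 0),
                  "https://example.invalid/sec/form4-2004-06-15.html"),
    # Posted on time but removed after about eight months: retention failure.
    PostingRecord("3", date(2004, 1, 2), datetime(2004, 1, 5, 12, 0),
                  "https://example.invalid/sec/form3-2004-01-02.html",
                  removed_at=datetime(2004, 9, 1, 0, 0)),
]


def run_review() -> List[Tuple[str, str, str]]:
    """Run both checks over the constructed sample log."""
    return review(SAMPLE_POSTINGS)


if __name__ == "__main__":
    for finding in run_review():
        print(*finding)
```

The point of keeping `posted_at`, `url` and `removed_at` alongside the filing date is that the timeliness and retention questions an auditor will ask can then be answered from the log itself rather than reconstructed from web server history.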
§ 404 Management assessment of internal controls
An internal control report must accompany the
annual report. Therefore the CXOs will have to take
responsibility for, and address the effectiveness of, their
internal controls. This means that all internal processes
that are supported by technology will have to be
examined and tested regularly.
It will be the (1) responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuers for financial reporting.
To better understand this concept of internal controls, we
first need to turn to the SEC and the PCAOB.
The SEC on internal controls
In June of 2003, the SEC released its final rule on
Management’s Reports on Internal Control over
Financial Reporting,4 aimed at adopting rules requiring
companies to include in their annual reports a section
on management of the company’s internal control over
financial reporting. Among other items the report is to
address, it must have:
• A statement of management’s responsibility for
establishing and maintaining adequate internal
control over financial reporting for the company.
• Management’s assessment of the effectiveness of the
company’s internal control over financial reporting as
of the end of the company’s most recent fiscal year.
• A statement identifying the framework used by
management to evaluate the effectiveness of the
company’s internal control over financial reporting.
• A statement that the registered public accounting
firm that audited the company’s financial statements
included in the annual report has issued an attestation
report on management’s assessment of the company’s
internal control over financial reporting.5
The SEC also adopted amendments to the rules and
forms under the Securities Exchange Act of 1934, and
the Investment Company Act of 1940, by revising the
section 302 certification requirements as exhibits to
certain periodic reports. What becomes very interesting
to us is the discussion of the amendments implementing
section 404.
In the discussion section, the SEC noted that there
had been some confusion over the exact meaning and
scope of the term “internal control,” further admitting
that the term had evolved over a long period of time.
The SEC admitted from the outset that “internal control is a broad concept that extends beyond the accounting functions of a company.”6 The release then walks through
several iterations of the term that we can ignore for our
purposes, other than to note that the definition gradually
began to evolve into one of defining internal controls
as a part of a framework of overarching organizational
controls. The release then points to COSO as one such
framework.
7 More on the COSO framework can be found online in (2004). Internal Control —Integrated Framework Executive Summary, The Committee of Sponsoring Organizations of the Treadway Commission.
8 (2003). Final Rule: Management’s Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports. 17 CFR PARTS 210, 228, 229, 240, 249, 270 and 274. Release nos. 33-8238; 34-47986; IC-26068. §II.A.3 Final Rules. This then becomes codified as 15d-15: Controls and procedures. 17 CFR. 240.15d-15.(f).
In 1985, a private-sector initiative known as the National
Commission on Fraudulent Financial Reporting (the
Treadway Commission) was formed to study the financial
reporting system in the United States. In 1987, it issued a
report recommending that its Committee of Sponsoring
Organizations (COSO) work together to integrate the
various internal control concepts and definitions and to
develop a common reference point. As related in the SEC
release, the COSO framework defines internal control as:
A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in three categories:
• effectiveness and efficiency of operations;
• reliability of financial reporting; and
• compliance with applicable laws and regulations.7
These internal controls consist of a five-layered
approach: the control environment, risk assessment,
control activities, information and communication,
and monitoring. This assures that the scope of internal
control extends to policies, plans, procedures, processes,
systems, activities, functions, projects, initiatives, and
endeavors of all types at all levels of an organization.
From this definition, the SEC notes that the American
Institute of Certified Public Accountants (AICPA)
incorporated the COSO definition in their Statement
on Auditing Standards (SAS No. 78, codified as AU
§ 319), and that is the version that the SEC used in its
definition as it “constitute[s] a more formal and widely
accessible version of the definition.” The final rules
define internal control over financial reporting as:
A process designed by, or under the supervision of, the registrant’s principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:
1. Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant.
2. Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant.
3. Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant’s assets that could have a material effect on the financial statements.8
The SEC then goes on to note that in clause three, the
safeguarding of assets is one of the elements of internal
control over financial reporting that wasn’t in AU § 319.
However, the safeguarding of assets has been a primary
objective of internal accounting control as far back as
SAS No. 1. This clause was drawn from the 1994 COSO
addendum to the “Reporting to External Parties” volume
of the COSO Report. The addendum’s definition of
internal controls was appropriate to the SEC’s needs
because the SEC’s definition will be “used for purposes
of public management reporting, and that the companies
that will be subject to the section 404 requirements also
are subject to the FCPA requirements.”
The SEC falls short of making COSO the mandatory
framework for internal controls, however. The COSO
framework:
May be used as an evaluation framework for purposes of management’s annual internal control evaluation and disclosure requirements. However, the final rules do not mandate use of a particular framework, such as the COSO framework, in recognition of the fact that other evaluation standards exist outside of the United States, and that frameworks other than COSO may be developed within the United States in the future.9
As Scott Taub, the deputy chief accountant for the SEC,
reiterated in a speech on the SEC’s Internal Control
Report,10 SOX does not specify a framework for internal
controls assessment. Instead, the framework must be a
suitable, recognized framework established by a body or
a group following due process and public comment—
and then noted that COSO was the most well-known
framework that met this description. He also stated that
the issue isn’t that an organization merely has internal
controls, but that “some actual testing of controls will
need to be performed by the management.” And that is
where the PCAOB comes into play.
The PCAOB on internal controls effectiveness
The PCAOB is a private-sector, non-profit corporation
that was created by the SOX act of 2002 to oversee the
auditors of public companies in order to protect the
interests of investors and further the public interest in
the preparation of informative, fair, and independent
audit reports.
In March of 2004 the PCAOB released an auditing
standard11 that focuses specifically on section 404, and is
based entirely on the COSO framework. This standard
includes requirements for auditors to understand how
transactions are created, flow through the organization,
and are recorded. These transactions use IT systems, and
the reliability of the systems is integrated from the level
of documents all the way through the computer itself, the
network, power, and facilities. If you think about what
can go awry with the internal controls, you have to think
through the entire range of IT assets.12
Information flows through technology. And collectively
Table 1 denotes the range of information and technology
systems involved in the financial reporting process.
Within the audit guidelines, the PCAOB has the
following suggestion for the auditor who is attempting
to understand the internal controls an organization uses
over financial reporting and financial reporting systems:
The auditor should understand how internal control over financial reporting is designed and operates to evaluate and test its effectiveness. The auditor obtains a substantial amount of this understanding when evaluating management’s assessment process.
The auditor also should be satisfied, however, that the controls actually have been implemented and are operating as they were designed to operate. Thus, while inquiry of company personnel and a review of management’s assessment provide the auditor with an understanding of how the system of internal control is designed and operates, other procedures are necessary for the auditor to confirm his or her understanding.
The proposed auditing standard would have the auditor confirm his or her understanding by performing procedures that include making inquiries of and observing the personnel who actually perform the controls; reviewing documents that are used in, and that result from, the application of the controls; and comparing supporting documents (for example, sales invoices, contracts, and bills of lading) to the accounting records. The most effective means of accomplishing this objective is for the auditor to perform “walkthroughs” of the company’s significant processes. For this reason, and because of the importance of several other objectives that walkthroughs accomplish, the proposed auditing standard would require the auditor to perform walkthroughs in each audit of internal control over financial reporting.
In a walkthrough, the auditor traces all types of company transactions and events—both those that are routine and recurring and those that are unusual—from origination, through the company’s accounting and information systems and financial report preparation processes, to their being reported in the company’s financial statements. Walkthroughs provide the auditor with audit evidence that supports or refutes his or her understanding of the process flow of transactions, the design of controls, and whether controls are in operation. Walkthroughs also help the auditor to determine whether his or her understanding is complete and provide information necessary for the auditor to evaluate the effectiveness of the design of the internal control over financial reporting.13
Internal Operations Controls
  Executive Leadership (CXO, Board)
  Business Processes (Finance, Merchandising, Manufacturing, Logistics)
Internal IT Systems Controls
  Assets: Documents | Apps | OSes | Storage | Hardware | Network | Power | Building
  Control objectives applied to each asset: Confidentiality | Integrity | Availability
Table 1: IT Assets
9 (2003). Final Rule: Management’s Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports. 17 CFR PARTS 210, 228, 229, 240, 249, 270 and 274. Release nos. 33-8238; 34-47986; IC-26068. §II.B.3.a Final Rules.
10 Taub, S. A. (2003). The SEC’s Internal Control Report Rules and Thoughts on the Sarbanes-Oxley Act, U.S. Securities and Exchange Commission.
11 (2004). Proposed auditing standard—an audit of internal control over financial reporting performed in conjunction with an audit of financial statements, Public Company Accounting Oversight Board.
12 This range of assets, and most protection methodologies, is well covered in Cougias, D., E. L. Heiberger, et al. (2003). The Backup Book, Disaster Recovery from Desktop to Data Center. Silicon Valley, CA, Shaser-Vartan Books.
Beyond the walkthrough that the auditor should
perform, the auditor has to know certain information
about the design of the controls and how they relate to
each of the other components. Remember, a control
system is only as good as the connections of its linkages.
Therefore, section 49 of the PCAOB audit document
states that the auditor must obtain an understanding
of the design of controls related to each component of
internal control over financial reporting, as discussed
below,14 which follow the COSO Control Components list
exactly. The list below is a combination of material from
the PCAOB report and more IT-specific information
excerpted from the Executive Summary of the COSO
Report issued in 1992.15
13 (2004). Proposed auditing standard—an audit of internal control over financial reporting performed in conjunction with an audit of financial statements, Public Company Accounting Oversight Board. Page 12.
14 Ibid. Audit instructions, § 49.
15 There are whole aspects that have been omitted here because they don’t apply to IT, such as information that deals with the board of directors, management’s operating style, etc.
1. Control Environment
Because of the pervasive effect of the control
environment on the reliability of financial reporting,
the auditor’s preliminary judgment about its
effectiveness often influences the nature, timing, and
extent of the tests of operating effectiveness considered
necessary. Weaknesses in the control environment
should cause the auditor to alter the nature, timing, or
extent of tests of operating effectiveness that otherwise
would have been performed.
Integrity and Ethical Values
• Existence and implementation of codes of conduct
and other policies regarding acceptable business
practice, conflicts of interest, or expected standards
of ethical and moral behavior.
• Dealings with employees, suppliers, customers,
investors, creditors, insurers, competitors, and
auditors, and so on (e.g., whether management
conducts business on a high ethical plane, and
insists that others do so, or pays little attention to
ethical issues).
Commitment to Competence
• Formal or informal job descriptions or other means
of defining tasks that comprise particular jobs.
• Analyses of the knowledge and skills needed to
perform jobs adequately.
Organizational Structure
• Adequacy of definition of key managers’
responsibilities, and their understanding of these
responsibilities.
• Adequacy of knowledge and experience of key
managers in light of responsibilities.
Assignment of Authority and Responsibility
• Assignment of responsibility and delegation of
authority to deal with organizational goals and
objectives, operating functions and regulatory
requirements, including responsibility for
information systems and authorizations for changes.
• Appropriateness of control-related standards and
procedures, including employee job descriptions.
• Appropriate numbers of people, particularly with
respect to data processing and accounting functions,
with the requisite skill levels relative to the size of
the entity and nature and complexity of activities
and systems.
Human Resource Policies and Practices
• Appropriateness of remedial action taken in
response to departures from approved policies and
procedures.
• Adequacy of employee candidate background
checks, particularly with regard to prior actions
or activities considered to be unacceptable by the
entity.
• Adequacy of employee retention and promotion
criteria and information gathering techniques (e.g.,
performance evaluations) and relation to the code
of conduct or other behavioral guidelines.
2. Risk Assessment
When obtaining an understanding of the company’s
risk assessment process, the auditor should evaluate
whether management has identified the risks of
material misstatement in the significant accounts and
disclosures and related assertions of the financial
statements and has implemented controls to prevent
or detect material misstatements. For example, the risk
assessment process should address how management
considers the possibility of unrecorded transactions or
identifies and analyzes significant estimates recorded
in the financial statements. Risks relevant to reliable
financial reporting also relate to specific events or
transactions.
Entity-level risks
Adequacy of mechanisms to identify risks arising from
such external factors as the following:
• Technological developments
• New legislation or regulation
• Natural catastrophe
Adequacy of mechanisms to identify risks arising from
such internal factors as the following:
• Disruption in information systems
• Quality of personnel hired and methods of training
and motivation
• Change in management responsibilities
• Nature of the entity’s activities and employee
accessibility to assets
3. Control Activities
The auditor’s understanding of control activities relates
to the controls that management has implemented
to prevent or detect material misstatement in the
accounts and disclosures and related assertions of the
financial statements. For the purposes of evaluating
the effectiveness of internal control over financial
reporting, the auditor’s understanding of control
activities encompasses a broader range of accounts
and disclosures than what is normally obtained for the
financial statement audit.
Policies and Procedures
• Compliance policies and procedures should be in
place.
Information Systems General Controls
• Data Center Operations Controls include job setup
and scheduling, operator actions, backup and
recovery procedures, and contingency or disaster
recovery planning. In sophisticated environments,
capacity planning and resource allocation and use
are also included.
• System Software Controls should cover the effective
acquisition, implementation, and maintenance
of system software/operating system, database
management systems, telecommunications software,
security software, and utilities. System logging,
tracking, and monitoring are also covered.
• Access Security Controls ensure that appropriate access is authorized for those needing the systems to perform desired work. A variety of practices can be used to grant or limit access; for example, special “dial-up” numbers, review of user profiles, and use of passwords or user IDs.
• Application Controls are designed to ensure the completeness and accuracy of transaction processing, authorization, and validity. Application interfaces are particularly important because they are often linked to other systems that need control to ensure that all inputs for processing are received and that all outputs are distributed appropriately. In many applications, computerized edit checks can prevent errors from entering the system, and can detect and correct them if they are present.
4. Information and Communication
The auditor’s understanding of management’s information and communication involves understanding the same systems and processes that he or she addresses in an audit of financial statements. In addition, this understanding includes a greater emphasis on comprehending the safeguarding controls and the processes for authorization of transactions and the maintenance of records, as well as the period-end financial reporting process.
Information
• Obtaining external and internal information, and providing management with necessary reports on the entity’s performance relative to established objectives.
• Providing information to the right people in sufficient detail and in time to enable them to carry out their responsibilities efficiently and effectively.
Communication
• Effectiveness with which employees’ duties and control responsibilities are communicated.
• Timely and appropriate follow-up action by management resulting from communications received from customers, vendors, regulators, or other external parties.
5. Monitoring
The auditor’s understanding of management’s monitoring of controls extends to and includes its monitoring of all controls, including control activities, which management has identified and designed to prevent or detect material misstatement in the accounts and disclosures and related assertions of the financial statements.
Ongoing Monitoring
• Extent to which personnel, in carrying out their regular activities, obtain evidence as to whether the system of internal control continues to function.
• Whether personnel are asked periodically to state whether they understand and comply with the entity’s code of conduct and regularly perform critical control activities.
• Effectiveness of internal audit activities.
Separate Evaluations
• Scope and frequency of separate evaluations of the internal control system.
• Appropriateness of the evaluation process.
• Whether the methodology for evaluating a system is logical and appropriate.
• Appropriateness of the level of documentation.
PCAOB then specifies that some controls might “have a pervasive effect on achieving many overall objectives of the control criteria” and uses as an example IT controls over program development, program changes, computer operations, and access to programs and data.16 This is reiterated in § 104, but isn’t the only section that refers to IT processes, technology, or IT controls:
• Section 67 (the nature of assertions) states that to test the relevancy of assertions, the IT infrastructure has to be understood.
• Section 69 of the audit instructions declares that the auditor also needs to focus on significant processes, with an understanding of the flow of transactions and the points where a misstatement could arise, as well as identifying the controls that management has in place to ensure that a misstatement doesn’t happen. This is reiterated in § 120.
• As a part of period-end financial reporting (§ 72), the auditor must also evaluate “the extent of information technology involvement in each period-end financial reporting process element,” among other items.
• Section 74 delineates the risks involved if controls aren’t operating effectively, noting that many other controls rely upon those within the realm of information technology.
• Section 81 suggests that “rather than reviewing copies of documents and making inquiries of a single person at the company, the auditor should follow the process flow using the same documents and information technology that company personnel use and make inquiries of relevant personnel involved in significant aspects of the process or controls.”
• Section 82 follows up this thought that information technology controls are a fundamental aspect of other, automated controls when it states that testing a single operation of an automated control (versus testing all operations) should be sufficient—as long as the IT controls are functioning effectively.
Examples are given regarding how information technology supports daily programmed and manual controls (example B-1), weekly programmed and manual controls (example B-4), and the role information technology plays within information and communication in small- and medium-sized companies (§ E11).
Clearly, as seen by the PCAOB, information technology plays a business function, activity, and transactional role.
16 (2004). Proposed auditing standard—an audit of internal control over financial reporting performed in conjunction with an audit of financial statements, Public Company Accounting Oversight Board. Audit Instructions § 50.
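The control-activities discussion above describes application controls in terms of completeness, accuracy, authorization and validity, and the PCAOB material stresses that an automated control is only as reliable as the IT general controls beneath it. The Python module below is an added example, not code from the white paper or from ITCi, showing what those computerized edit checks look like when a batch of journal entries arrives over an application interface: the batch is reconciled to the upstream system's control totals before anything posts (completeness), each entry's amount, date and account are validated (accuracy and validity), and the approver must differ from the preparer and stay within an approval limit (authorization and segregation of duties). The chart of accounts, approval limits, field names and the sample batch are all constructed assumptions.

```python
"""Application-level edit checks for a batch of journal entries.

Added example (not from the ITCi white paper). Chart of accounts, approval
limits, field names and the sample batch are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed master data: valid GL accounts and who may approve up to what amount.
CHART_OF_ACCOUNTS = {"1000", "2000", "4000", "5000"}
APPROVAL_LIMITS = {"cfo": Decimal("1000000"), "controller": Decimal("50000")}


@dataclass
class Entry:
    entry_id: str
    account: str
    amount: str       # raw text exactly as received over the interface
    posted: str       # ISO date as text
    prepared_by: str
    approved_by: str


@dataclass
class Batch:
    entries: list
    declared_count: int       # control total sent by the upstream system
    declared_total: Decimal   # control total sent by the upstream system


@dataclass
class Result:
    accepted: list = field(default_factory=list)
    rejected: dict = field(default_factory=dict)   # entry_id -> list of reasons
    batch_errors: list = field(default_factory=list)

    @property
    def postable(self) -> bool:
        """Nothing posts until the batch reconciles and every entry passes."""
        return not self.batch_errors and not self.rejected


def parse_amount(text: str):
    """Return a positive Decimal with at most two places, or None if the text is not one."""
    try:
        amt = Decimal(text)
    except InvalidOperation:
        return None
    if amt <= 0 or amt != amt.quantize(Decimal("0.01")):
        return None
    return amt


def check_entry(e: Entry) -> list:
    """Accuracy, validity and authorization edit checks for a single entry."""
    reasons = []
    amt = parse_amount(e.amount)
    if amt is None:
        reasons.append("amount is not a positive value with at most two decimals")
    try:
        date.fromisoformat(e.posted)
    except ValueError:
        reasons.append("posting date is not a valid ISO date")
    if e.account not in CHART_OF_ACCOUNTS:
        reasons.append("account not in chart of accounts")
    if e.approved_by == e.prepared_by:
        reasons.append("preparer may not approve own entry")
    limit = APPROVAL_LIMITS.get(e.approved_by)
    if limit is None:
        reasons.append("approver is not an authorised approver")
    elif amt is not None and amt > limit:
        reasons.append("amount exceeds approver limit")
    return reasons


def process_batch(batch: Batch) -> Result:
    """Completeness check against the control totals, then per-entry edit checks."""
    res = Result()
    if len(batch.entries) != batch.declared_count:
        res.batch_errors.append("record count does not match control total")
    total = sum((parse_amount(e.amount) or Decimal("0") for e in batch.entries), Decimal("0"))
    if total != batch.declared_total:
        res.batch_errors.append("amount sum does not match control total")
    for e in batch.entries:
        reasons = check_entry(e)
        if reasons:
            res.rejected[e.entry_id] = reasons
        else:
            res.accepted.append(e.entry_id)
    return res


def sample_batch() -> Batch:
    """A constructed batch: one clean entry and two that the edit checks should reject."""
    return Batch(
        entries=[
            Entry("JE-001", "4000", "1500.00", "2005-06-15", "alice", "controller"),
            Entry("JE-002", "9999", "250.00", "2005-06-15", "bob", "bob"),
            Entry("JE-003", "5000", "75000.00", "2005-02-30", "carol", "controller"),
        ],
        declared_count=3,
        declared_total=Decimal("76750.00"),
    )


if __name__ == "__main__":
    r = process_batch(sample_batch())
    print("postable:", r.postable, "accepted:", r.accepted)
    for entry_id, reasons in r.rejected.items():
        print(entry_id, "->", "; ".join(reasons))
```

The batch-level reconciliation runs before any entry is examined: a count or sum mismatch means the interface dropped or duplicated records, which no per-entry check can see, so the whole batch is held rather than partially posted.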
§ 409 Material changes
Any material changes that affect financial disclosures will
have to be reported on a “rapid and current basis.” That
means that depending upon the material change, these
reports might have to be transmitted in less than
48 hours.
Each issuer reporting under section 13(a) or 15(d) shall disclose to the public on a rapid and current basis such additional information concerning material changes in the financial condition or operation of the issuer…
§ 802 Dealing with data
Section 802 deals with data issues per se, and can be
broken into three separate warnings as described below.
§ 802(a) Altering or destroying data
All business records, including electronic records and
electronic messages, must be saved for “not less than five
years.” The consequences for non-compliance are fines,
imprisonment, or both. Sections 801 and 802 of SOX
contain the rules that impact IT records management.
The first rule deals with destruction, alteration, or
falsification of records.
Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.17
§ 802(a)(1) Retention periods
The second rule defines the retention period for records
storage. Best practices indicate that corporations should
securely store all business records using the same
guidelines set for public accountants.
Any accountant who conducts an audit of an issuer of securities to which section 10A(a) of the Securities Exchange Act of 1934 (15 U.S.C 78j-1(a)) applies, shall maintain all audit or review workpapers for a period of 5 years from the end of the fiscal period in which the audit or review was concluded.
17 Staff, I. (2003). Sarbanes-Oxley Compliance—The Cloud or the Silver Lining? TripWire.
§ 802(a)(2) Types of records to store
This third rule defines the type of business records that
need to be stored, including all business records,
communications, and electronic communications.
The SEC shall promulgate, within 180 days, such rules and regulations, as are reasonably necessary, relating to the retention of relevant records such as workpapers, documents that form the basis of an audit or review, memoranda, correspondence, communications, other documents, and records (including electronic records) which are created, sent, or received in connection with an audit or review and contain conclusions, opinions, analyses, or financial data relating to such an audit or review.
§ 1102 Tampering with a record or impeding an official proceeding
And way down here, in § 1102, we find a statement that you
can’t destroy data unless the retention and disposition
authority says you are supposed to.
Whoever corruptly (1) alters, destroys, mutilates, or conceals a record, document, or other object, or attempts to do so, with the intent to impair the object’s integrity or availability for use in an official proceeding…
The exact interpretation of this clause has been the
subject of intense debate, spotlighted by the 2002
conviction of Arthur Andersen. A 2005 Supreme Court
decision overturned the jury’s finding that information
had been corruptly destroyed. Taken at face value, the
statement chiefly implies that companies shouldn’t
knowingly destroy data to avoid incrimination. But
even overwriting backup tapes that contain the only
copy of a piece of information, during a period when the
organization is doing something that could be considered
misconduct, would violate this rule, one that could put
the perpetrator behind bars for 20 years.
Dealing with Sarbanes-Oxley
If you think of SOX in terms of recordkeeping practices
for accounting records, then you can follow the general
outline that ISO 15489 sets for records management.18
Starting from the top in planning and moving through
design and implementation, a SOX program might look
like the table on the next page. In creating this table,
we have followed the methodology presented in ISO
15489 for designing a top-down system of controls that
can be implemented, documented, and tested, and that
upper management and the audit team can attest to.
Each column has a direct reference to the section of the
standard or document cited.
The sample program represents a subset of all activities
defined by the ISO 17799 security standard and ISO
15489 records management standard, as indicated
by various guidelines related to SOX—including
implications of the act itself. These are represented on
the full control-objective table that begins on page XX.
The full table has its roots in unification documents from
CobiT, ISSA, GAISP, CMS, WEDI, and a few others that all
reference ISO 17799. To create the table, a research team
read original guidance such as the SOX act and SAS 94 and
interpreted its findings in terms of standard ISO control
objectives, represented in the table’s left-hand column.
Although each company must determine an optimum
compliance strategy based on its own goals and
environment, the table provides a top-down view of all
indicated controls. Moreover, by directly referencing
specific SOX-related requirements to acknowledged
standards, it circumvents the hype and rumor that have
spawned so much unnecessary SOX-based development
to date.
18 General principles are found in:
(2001). Information and documentation—Records management Part 1: General, International Standards Organization.
(2001). Information and documentation—Records management Part 2: Guidelines, International Standards Organization. Some of the outline items were derived from the more in-depth DIRKS, which was the forerunner of ISO 15489.
(2003). DIRKS, National Archives of Australia. Also see the individual steps A through G for a more detailed explanation.
Top-down sample plan for Sarbanes-Oxley compliance
Step | SOX | PCAOB | 240.15d-15 | 240.16a-3
Establish need for regulatory compliance program
Defining control objectives: Rules that govern information technology 49
Rules that govern web pages (k)
Rules that govern financial reporting documents 105.2 (f)
Identify record integrity requirements (f)(1)
Identify privacy policy requirements (f)(3)
Identify recordkeeping retention requirements 802(a)(1)
Evidential weight of information and technology
Information technology controls support multiple operations 74
Defining organizational level risks 404 49
Ensure business leaders are aware of their role 302
Create recordkeeping procedures 404 72
Determine documents to be captured and collected 802(a)(2)
Identify disposition status 1102
Provide automated integrity controls (f)(1)
Documentation and validation of collection procedures 105.2
Create a records security process 67
Ensure record transaction security 69, 120 (f)(2)
Ensure usage and tracking (f)(3)
Prepare for breach notification 49
Act immediately upon breach notification 49
Create daily automated controls B-1
Create weekly automated controls E-1
Prepare for compliance auditing 404 49
Provide transactional walkthrough capabilities 81, 82
Sarbanes-Oxley: IT impact zones
High-Level Objectives and Leadership
SOX | PCAOB Rel. 2004-001 Audit section | SAS 94 | AICPA/CICA Privacy Framework | AICPA Suitable Trust Services Criteria
Establish need and define high-level objectives Implied ¶ 8 – 13 P10 ¶ 11
Analyze organizational objectives, functions, activities, and tasks Implied
Information architecture model
Corporate Data Dictionary and Data Syntax Rules
Data Classification Scheme
Security Levels
Technological Infrastructure Planning
Monitor Future Trends and Regulations
Technological Infrastructure Contingency
Hardware and Software Acquisition Plans
Technology Standards
Defining the correct roles and responsibilities
Board of Director involvement
Designated Employee Leadership
Defining rules that govern information technology Implied ¶ 49 ¶ 8
Rules that govern records privacy
Rules that govern security breach notices
Rules that govern records security and integrity
Rules that govern financial reporting documents 105.2 Implied
Rules that govern websites and web pages 403 Implied
Rules that govern database records
Rules that govern automatic transactions
Rules that govern messages (both e-mail and IM)
Rules that govern electronic signatures and transactions
Safety and Ergonomic Compliance
Compliance with Insurance Contracts
Defining organizational practices for complying with external requirements
Evidential weight of information and technology
Why courts need standards tailored to e-discovery
Precedent in paper discovery in context of e-docs
Information technology controls support multiple operations Implied 74
Create a high-level strategic IT plan
IT Long-Range Plan
IT Long-Range Planning—Approach and Structure
IT Long-Range Plan Changes
Short-Range Planning for the IT Function
Communication of IT Plans
Monitoring and Evaluating of IT Plans
Assessment of Existing Systems
Audit & Risk Management
SOX | PCAOB Rel. 2004-001 Audit section | SAS 94 | AICPA/CICA Privacy Framework | AICPA Suitable Trust Services Criteria
Audits
Roles and Responsibilities ¶ 2
Board of directors and senior management
Internal IT Audit Manager
Internal IT Audit Staff
IT operations staff
External auditors
Internal audit program Implied Implied § 8.2.6
Risk Assessment Implied § 49 ¶ 37
Business Risk Assessment
Risk Assessment Approach
Information Gathering
Asset Discovery
Environmental survey
Hardware inventory
Software inventory
Networking inventory
Media inventory
Information Handling
Employee training
Incident Response
Risk Identification ¶ 38
Threat Identification
Vulnerability Identification
Risk Analysis
Document controls
Risk Measurement and scoring
Create gap analysis
Risk Action Plan
Risk Acceptance
Safeguard selection & prioritization
Risk Assessment Commitment
Design & Implementation
SOX | PCAOB Rel. 2004-001 Audit section | SAS 94 | AICPA/CICA Privacy Framework | AICPA Suitable Trust Services Criteria
Project management and initial planning
Identify requirements
Identify recordkeeping security (availability and integrity) standards § 802 Implied
Identify recordkeeping retention requirements § 802(a)(1) Implied
Systems Design
Assign roles and responsibilities
Ensure business unit leaders are aware of their role § 302 Implied
Design of security controls Implied
Develop initial training plan
Security awareness training § 2.4
Systems Testing
Systems Testing 1.2(g)
Systems Acquisition
SOX | PCAOB Rel. 2004-001 Audit section | SAS 94 | AICPA/CICA Privacy Framework | AICPA Suitable Trust Services Criteria
Establishment of an acquisition of technology plan
Risk Analysis Report Implied Implied Implied
Operational Management
SOX | PCAOB Rel. 2004-001 Audit section | SAS 94 | AICPA/CICA Privacy Framework | AICPA Suitable Trust Services Criteria
Operational management Implied B-1
Roles and responsibilities
Board of directors
Chief information officer
IT line or operations management
Business unit manager
Policies, Standards, and Procedures
Establishment of key policies
Positive Information Control Environment ¶ 53(a) ¶ 34
Management’s Responsibility for Policies § 1.1.2
Communication of Organization Policies § 1.1.1 ¶ 9(b)
Policy Implementation Resources § 1.2.5
Maintenance of Policies § 1.2.1
Compliance with Policies, Procedures and Standards § 1.1.1 ¶ 9(d)
Quality Commitment
Security and Internal Control Framework Policy ¶ 17 (1.0)
Intellectual Property Rights
Issue-Specific Policies
Communication of IT Security Awareness § 1.1.1 ¶ 17, 20, 24, 40 (2.0)
Documenting all policies and procedures
Operational Requirements and Service Levels
User Procedures Manual
Operations Manual
Training Materials
Standards ¶ 24 (3.15)
Acceptable Usage Policies
Operations Procedures ¶ 24 (3.2)
Processing Operations Procedures and Instructions Manual
Start-up Process and Other Operations Documentation
Job Scheduling
Departures from Standard Job Schedules
Processing Continuity
Remote Operations
Service Level Agreements (SLAs)
Service Level Agreement Framework ¶ All (1.1)
Aspects of Service Level Agreements
Performance Procedures
Monitoring and Reporting ¶ 17 (4.1)
Review of Service Level Agreements and Contracts § 10.2.3 ¶ 20 (2.2)
Chargeable Items
Service Improvement Program
Assist and support IT customers (Help Desk) ¶ 20 (3.9)
Help Desk operations
Registration of Customer Queries
Customer Query Escalation
Monitoring of Clearance
Trend Analysis
Establishment of a problem management and incident handling system Implied § 49 ¶ 24 (3.10,11), ¶ 30 (3.12,13)
Problem Management System
Uses and capability
Characteristics
Problem Escalation ¶ 24 (3.11)
Problem Tracking and Audit Trail
Emergency and Temporary Access Authorizations
Emergency Processing Priorities
Manage the current IT configuration Implied § E-1
Configuration Recording
Configuration Baseline
Status Accounting
Configuration Control
Unauthorized Software
Software Storage
Configuration Management Procedures
Software Accountability
System Software Installation
System Software Security
Identify and allocate costs
Annual IT Operating Budget ¶ 20 (3.9)
Cost and Benefit Monitoring App ¶ 9.1
Cost and Benefit Justification
Assessment of New Hardware and Software
Initial Hardening of systems
Always change the vendor-supplied defaults
Develop system configuration standards for all networks components
Implement only one application or primary function per network component
Disable all unnecessary services ¶ 17(3.3)
Configure system security parameters to prevent misuse
Remove all unnecessary functionality
Encrypt internal non-console administrative access § 8.2.2 ¶ 17(3.3)
Perform vulnerability test prior to final installation § 8.2.1(l)
Preventative Maintenance for Hardware ¶ 20 (3.1)
Change Management
Change Request Initiation and Control ¶ 17 (3.10,11)
Impact Assessment
Control of Changes
Emergency Changes ¶ 17 (3.12)
Documentation and Procedures
Authorized Maintenance
Software Release Policy
Distribution of Software
System Software Maintenance
System Software Change Controls (patch management)
Ensure that all system software is the latest version
Test all security patches before they are deployed
Use and Monitoring of System Utilities
Conversions
Systems Disposal § 802(a) Implied § 5.2.2
IT Staff Management
SOX | PCAOB Rel. 2004-001 Audit section | SAS 94 | AICPA/CICA Privacy Framework | AICPA Suitable Trust Services Criteria
Human Resources management
Establishing the IT organizational structure
IT Planning or Steering Committee ¶ 17 (3.10)
Responsibility for Quality Assurance ¶ 24 (3.13)
Responsibility for Logical and Physical Security ¶ 17 (2.3)
Data and System Ownership ¶ All (1.3)
Segregation of Duties ¶ 41.4 ¶ 17 (3.11)
IT Staffing ¶ 17 (3.10)
Job or Position Descriptions for IT Staff § 1.2.6 ¶ 17 (3.9)
Key IT Personnel ¶ 24 (3.18), ¶ 20 (3.2)
Managing internal staff
Personnel Recruitment and Promotion § 1.2.6
Personnel Qualifications § 1.2.6
Personnel Clearance Procedures § 1.2.6 ¶ 17 (3.9)
Roles and Responsibilities ¶ 53.1 App ¶ 3(a)
Personnel Training § 1.2.6 ¶ 17 (3.9)
Cross-Training or Staff Backup ¶ 17 (3.9)
Employee Job Performance Evaluation App ¶ 3(g) § 1.2.6 ¶ 17 (3.9)
Job Change and Termination ¶ 24 (3.5)
Managing third-party interaction and services
Counterparty trust § 7.2.2 ¶ 40 (3.2)
Third-Party Contracts § 7.2.2 ¶ 40 (3.2)
Third-Party Qualifications § 4.2.3
Outsourcing Contracts ¶ 40 (3.2)
Security and Audit Relationships § 7.1.2 ¶ 40 (3.2)
Records Discovery & Records Management
SOX | PCAOB | SAS 94 | AICPA/CICA Privacy Framework | AICPA Suitable Trust Services Criteria
The Need for Records Management
Determining scope of preservation obligations
Determining documents for capture § 802(a)(2) Implied
Determining how long to retain records § 103.(2)(A)(i)
Records capture and classification process AS 2 § 72
Capture
Registration
Classification
Business activity classification
Vocabulary controls
Allocation of numbers and codes
Indexing
Usage and tracking AS 2 § 69
Data input and access authorization procedures
Accuracy, Completeness, and Authorization Checks
Data Input Error Handling
Data Processing Integrity
Data Processing Validation and Editing
Data Processing Error Handling
Output Handling and Retention
Output Distribution
Output Balancing and Reconciliation
Output Review and Error Handling
Security Provision for Output Reports
Records Handling
Protecting digital storage
Creating backups or duplicate copies § 5.2.2
Maintain duplicate copies of indexes
Backup and Restoration
Backup Jobs ¶ 24 (3.19), ¶ 20 (3.3)
Backup Storage ¶ 24 (3.19), ¶ 20 (3.3)
Encrypt backup data
Maintain media controls
Separate duplicates from the originals ¶ 24 (3.19), ¶ 20 (3.3)
Disposition and destruction § 802(a) Implied § 5.2.2
Identification of disposition status § 1102 Implied
Writing of Disposition Authority document § 5.2.2
Training ¶ 17 (3.9)
Records Discovery
Retrieval of records
Documentation and validation of collection procedures § 105.2
Production of discovered documents R 5013(b)
Production within a set time frame R 5422(c)
Technical Security
SOX | PCAOB Rel. 2004-001 Audit section | SAS 94 | AICPA/CICA Privacy Framework | AICPA Suitable Trust Services Criteria
Technical security Implied § 67 § 319.16
Security and access classification scheme ¶.17§1.1
Development of security access classification ¶.17§1.2(a)
Data classification
Access and security classification steps § 319.13 8.2.2
Identification, Authentication, and Access 8.2.2(a)&(b) ¶.17§3.1(b)
User Account Management 8.2.2(d)
Control the addition, deletion, and modification of user IDs, credentials, or other identifier objects 8.2.2(c) ¶.17§3.1(a)&(c)
Immediately revoke accesses of terminated users ¶.17§3.1(c)
Remove inactive user accounts at least every 90 days
Distribute password procedures and policies to all users who have access to cardholder information 8.1.1
Do not permit group passwords
Change user passwords at least every 90 days ¶.17§3.1(b)
Require a minimum password length of at least seven characters
Use passwords containing both numeric and alphabetic characters
Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used
Review access capabilities for any functional change in user status
Management Review of User Accounts 8.2.2(e)&(f)
User Control of User Accounts
Security Surveillance 8.2.1
Central Identification and Access Rights Management
Network Access § 319.45
Network configuration
Create a network diagram
DMZ areas
Segregate security restricted servers into their own domain
Plan for, and have approved, all network changes
Track and log all network changes
Scan for unknown workstations and default deny access
Protocols and ports
Protocol policies
TCP/IP packets
Routing and the DNS system
Secure router configurations against unauthorized changes
Router configuration should have an ACL list
Disable Telnet for remote administration
Firewall Design 8.2.2(i) ¶.17§3.3
Enable NAT or PAT
Firewall policies
Deny all traffic except designated traffic
Ensure firewall change policies are formalized
Ensure firewall logs are capturing correct data
All laptops should be equipped with a firewall
Operating system access § 319.18
Ensure accounts (and stored information) are segregated
Employ sign-on authentication management
Log all access attempts
Limit repeated attempts by locking out the user ID after not more than six attempts ¶.17§3.3
Set the lockout duration to 30 minutes or until administrator enables the user ID
If a session has been idle for more than 15 minutes, require the user to reenter the password to reactivate the terminal
Application access
Remote access
Explicitly deny all modems except for documented and authorized systems
Implement two-factor authentication
Protect remote access accounts against eavesdropping
Monitor remote access usage
Transaction Security Implied § 69, 120 § 319.17
Protection of sensitive messages
Transaction Authorization
Non-Repudiation
Trusted Path
Protection of Security Functions Implied
Encryption ¶.17§3.5
Cryptographic Key Management
Protect keys against disclosure
Document all key management practices
Malicious code 8.2.2(j) ¶.17§3.4
Install anti-virus software
Ensure that signature files are up to date
Maintain and audit log of all malicious code
Ensure anti-virus system works on e-mails
Intrusion detection and response ¶.17§3.6
Intrusion detection ¶.17§3.3
Automated IDS
Honeypots
Registry control monitoring
Preparation for breach notifications Implied § 49 ¶.17§2.4
Internal control monitoring
Timely Operation of Internal Controls
Internal Control Level Reporting
Operational Security and Internal Control Assurance
Intrusion response ¶.17§3.7
Operational anomalies
Incident Handling, notification, and actions
Violation and Security Activity Reports
Reaccreditation
Logging and data collection
Audit logs must contain timestamp that tracks user activity
Ensure that it is impossible to disable an audit log
Review audit logs regularly
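The Technical Security rows above put concrete numbers on access control: a minimum password length of seven characters with both letters and digits, no reuse of the last four passwords, a change at least every 90 days, lockout after not more than six failed attempts for 30 minutes or until an administrator re-enables the ID, re-entry of the password after 15 idle minutes, and a timestamped audit trail of every access attempt. The Python below is an added example, not code from the paper or from ITCi, that encodes those rules in one account object so that each can be tested in isolation. The PBKDF2 hashing, the injected clock (`now` passed to each call, with `T0` as a constructed start time) and the in-memory audit list are assumptions standing in for whatever the site's directory and logging infrastructure provide.

```python
"""Authentication controls from the Technical Security checklist, as code.
Added example, not from the ITCi paper; the PBKDF2 stand-in, the injected
clock and the in-memory audit list are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 7                            # at least seven characters
HISTORY_DEPTH = 4                         # no reuse of the last four passwords
MAX_PASSWORD_AGE = timedelta(days=90)     # change at least every 90 days
MAX_FAILED_ATTEMPTS = 6                   # lock after not more than six attempts
LOCKOUT_DURATION = timedelta(minutes=30)  # or until an administrator re-enables the ID
IDLE_TIMEOUT = timedelta(minutes=15)      # re-enter the password after 15 idle minutes
T0 = datetime(2005, 6, 15, 9, 0, 0)       # constructed clock start for the demo


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the site's password store actually uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def check_complexity(password: str) -> list:
    """Return the checklist rules the candidate password violates."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 7 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    return problems


@dataclass
class Account:
    user_id: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)  # hashes of every password set, newest last
    changed_at: datetime = None
    failed_attempts: int = 0
    locked_until: datetime = None
    last_activity: datetime = None
    audit: list = field(default_factory=list)    # (timestamp, user, event) records

    def _log(self, now: datetime, event: str) -> None:
        self.audit.append((now.isoformat(), self.user_id, event))

    def set_password(self, new: str, now: datetime) -> list:
        """Apply complexity and history rules; return the violations (empty on success)."""
        problems = check_complexity(new)
        digest = _hash(new, self.salt)
        if any(hmac.compare_digest(digest, h) for h in self.history[-HISTORY_DEPTH:]):
            problems.append("matches one of the last 4 passwords")
        if problems:
            self._log(now, "password change rejected: " + "; ".join(problems))
            return problems
        self.history.append(digest)
        self.changed_at = now
        self._log(now, "password changed")
        return []

    def password_expired(self, now: datetime) -> bool:
        return self.changed_at is None or now - self.changed_at >= MAX_PASSWORD_AGE

    def login(self, password: str, now: datetime) -> str:
        """Return 'ok', 'expired', 'denied' or 'locked'; every attempt is logged."""
        if self.locked_until is not None and now < self.locked_until:
            self._log(now, "login refused: account locked")
            return "locked"
        if self.history and hmac.compare_digest(_hash(password, self.salt), self.history[-1]):
            self.failed_attempts, self.locked_until, self.last_activity = 0, None, now
            if self.password_expired(now):
                self._log(now, "login ok, password change required")
                return "expired"
            self._log(now, "login ok")
            return "ok"
        self.failed_attempts += 1
        self._log(now, f"invalid logical access attempt {self.failed_attempts}")
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked_until, self.failed_attempts = now + LOCKOUT_DURATION, 0
            self._log(now, "account locked for 30 minutes")
            return "locked"
        return "denied"

    def admin_unlock(self, now: datetime, admin_id: str) -> None:
        self.locked_until, self.failed_attempts = None, 0
        self._log(now, f"account re-enabled by administrator {admin_id}")

    def touch(self, now: datetime) -> bool:
        """Record session activity; False means the session idled past the limit."""
        if self.last_activity is None or now - self.last_activity > IDLE_TIMEOUT:
            self.last_activity = None
            return False
        self.last_activity = now
        return True


if __name__ == "__main__":
    acct = Account("jdoe")
    acct.set_password("Summer05", T0)
    for i in range(MAX_FAILED_ATTEMPTS + 1):
        print(acct.login("wrong", T0 + timedelta(seconds=i)))   # 5 x denied, locked, locked
    print(acct.login("Summer05", T0 + LOCKOUT_DURATION))        # ok
```

Passing the clock into every call is what makes the 90-day, 30-minute and 15-minute rules testable without waiting; the same pattern lets an auditor replay a recorded sequence of attempts against the policy and confirm the logged outcomes match.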
Physical Security
SOX | PCAOB Rel. 2004-001 Audit section | SAS 94 | AICPA/CICA Privacy Framework | AICPA Suitable Trust Services Criteria
Physical Security § 8.2.3
Facilities management
Physical Security App ¶ 9.3 ¶ 17 (3.2)
Low Profile of the IT Site
Visitor Escort
Visitor identification
Maintain visitor log
Personnel Health and Safety
Cabinet and vault security § 8.1.1
Physical Security of distributed IT assets
Desktop and notebook security
Physical Information and Media security § 8.1.1
Server security
Physically separate systems that store sensitive data from those that don’t
Physical LAN access ¶ 17 (3.2)
Environmental controls ¶ 20 (3.1)
Uninterruptible power supplies and secondary power ¶ 20 (3.1)
Duplicate telecom feeds
HVAC equipment ¶ 20 (3.1)
Heat and smoke detection ¶ 20 (3.1)
Fire suppression systems ¶ 20 (3.1)
Water detection ¶ 20 (3.1)
Systems Continuity
SOX | PCAOB Rel. 2004-001 Audit section | SAS 94 | AICPA/CICA Privacy Framework | AICPA Suitable Trust Services Criteria
The Need for Business Continuity ¶ 24 (3.18), ¶ 20 (3.2)
Business Continuity Framework
Roles and responsibilities ¶ 24 (3.18), ¶ 20 (3.2)
Business Continuity Plan Strategy & Philosophy
Business Continuity Plan Strategies
Critical business functions
Critical records identification
Operational management
Critical personnel ¶ 24 (3.18), ¶ 20 (3.2)
Critical IT Resources ¶ 24 (3.18), ¶ 20 (3.2)
SLAs include continuity planning
Alternate Site Strategies
Network Recovery Strategies ¶ 24 (3.18), ¶ 20 (3.2)
Alternate Site Preparations
Contingency Arrangements list
Contingency Arrangements for all offices
Off-site Media Storage
Off-site data backup and storage ¶ 24 (3.19), ¶ 20 (3.3)
Off-site software backup and storage ¶ 24 (3.19), ¶ 20 (3.3)
Writing the Business Continuity Plan ¶ 24 (3.18), ¶ 20 (3.2)
Business Continuity Plan Contents ¶ 24 (3.18), ¶ 20 (3.2)
Minimizing Business Continuity Requirements
Emergency communications planning
Problem escalation
Maintaining the Business Continuity Plan
Testing the Business Continuity Plan
Annual Testing ¶ 24 (3.18), ¶ 20 (3.2)
Simulation Testing
Updating the Plan
Business Continuity Plan Training
Business Continuity Plan Distribution ¶ 24 (3.18), ¶ 20 (3.2)
User Department Alternative Processing Backup Procedures
Wrap-up Procedures
Insurance
Monitoring, Measurement & Reporting
Continued monitoring and auditing § 104 § 49 § 10 .17 § 4.0
Establishing overall monitoring and logging operations § 319.53
Key concepts
Measurement § 13
Traceability
Thoroughness § 104(d) § 13
Frequency § 104(b)
Collecting Monitoring Data § 319.54
All accesses to cardholder data
All actions taken by any individual with root or administrative privileges
Access to all audit trails
Invalid logical access attempts
Use of identification and authentication mechanisms
Initialization of the audit logs
Creation and deletion of system-level objects
Assessing Performance § 7, 13
Assessing Customer Satisfaction .24 § 3.2
Management Reporting and logging § 404(b) § 10.2.3
Security Testing § 8.2.6 .17 § 4.1
Penetration testing
Run both internal and external vulnerability scans
Assessments .17 § 4.2
Risk monitoring § 49 § 319.37
Overall testing strategy § 319.39
Testing scope and objectives § 319.39
Specific test plans
Test plan review
Validation of assumptions
Completeness of procedures
Testing methods
Analyzing the reports
Performance monitoring § 319.41
Monitor for capacity
Monitor for uptime status
Outcome-based measurements
Compliance monitoring and auditing § 404 § 49 § 319.54 § 10.2.3
Provide transactional walk-through capabilities for third-party auditor Implied § 81, 82
Availability of audit results
Preservation of audit results
Follow-up Activities § 319.29
Report Monitoring statistics and follow-up to the Board of Directors § 102(d)
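A review routine over the event categories the table asks to collect (invalid logical access attempts, use of identification and authentication mechanisms, initialization of the audit logs, creation and deletion of system-level objects, and actions taken with root or administrative privileges), combined with the technical-security requirements that every record carry a timestamp and that switching the log off must not go unnoticed. This is an added example in Python, not code from the paper or from any sponsor's product; the record format, the event names, the privileged-user list, the failure threshold and the sample log lines are all constructed for illustration.

```python
"""Audit-log review for the monitoring data listed in the table above.

Added example, not code from the ITCi paper or any sponsor's product.
Constructed assumptions: one record per line consisting of an ISO-8601 UTC
timestamp, a host name and key=value fields, including a per-host monotonic
'seq' counter written by the logging agent.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed event names mapped onto the categories the table says to collect.
CATEGORY = {
    "LOGON_FAIL": "invalid logical access attempt",
    "LOGON_OK": "use of identification/authentication mechanism",
    "AUDIT_INIT": "initialization of the audit logs",
    "AUDIT_CLEAR": "initialization of the audit logs",
    "OBJ_CREATE": "creation/deletion of system-level objects",
    "OBJ_DELETE": "creation/deletion of system-level objects",
    "PRIV_CMD": "action by root/administrative privileges",
    "DATA_READ": "access to protected data",
}
PRIVILEGED_USERS = {"root", "Administrator"}   # assumption: site-specific list
FAILED_LOGON_THRESHOLD = 3                     # assumption: site-specific tuning

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<body>.*)$")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse(line: str):
    """Split one record into a dict; None if the line is not a record at all."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"]}
    rec.update(re.findall(r"(\w+)=(\S+)", m["body"]))
    return rec


def review(lines):
    """Classify records, count privileged-user actions, and raise findings for
    missing fields, sequence gaps (lost or disabled logging) and audit-log resets."""
    by_category = Counter()
    failed_logons = Counter()
    last_seq = {}
    findings = []            # (line number, finding kind, detail)
    privileged_actions = 0
    for n, line in enumerate(lines, 1):
        rec = parse(line)
        if rec is None:
            findings.append((n, "MALFORMED", line))
            continue
        # Every record must carry a usable timestamp and the acting user.
        try:
            datetime.strptime(rec["ts"], TS_FORMAT)
        except ValueError:
            findings.append((n, "NO_TIMESTAMP", line))
        if "user" not in rec:
            findings.append((n, "NO_USER", line))
        # A jump in the per-host sequence number means records were dropped
        # or logging was switched off for a while: the log itself was touched.
        if "seq" in rec:
            seq = int(rec["seq"])
            prev = last_seq.get(rec["host"])
            if prev is not None and seq != prev + 1:
                findings.append((n, "SEQ_GAP", f"{rec['host']}: {prev} -> {seq}"))
            last_seq[rec["host"]] = seq
        event = rec.get("event", "UNKNOWN")
        by_category[CATEGORY.get(event, "uncategorised")] += 1
        if event in ("AUDIT_INIT", "AUDIT_CLEAR"):
            findings.append((n, "AUDIT_LOG_RESET", line))
        if rec.get("user") in PRIVILEGED_USERS:
            privileged_actions += 1
        if event == "LOGON_FAIL":
            failed_logons[rec.get("user", "?")] += 1
    for user, count in failed_logons.items():
        if count >= FAILED_LOGON_THRESHOLD:
            findings.append((0, "REPEATED_LOGON_FAIL", f"{user}: {count} failures"))
    return {"by_category": by_category,
            "privileged_actions": privileged_actions,
            "findings": findings}


# Constructed sample records (not real log data): a ledger database host and
# an application host, including a sequence gap, an audit-log clear, a record
# with no user, a record with a bad timestamp and one corrupt line.
SAMPLE_LOG = """\
2005-06-15T08:00:01Z fin-db01 seq=100 event=AUDIT_INIT user=SYSTEM detail=auditd_started
2005-06-15T08:01:10Z fin-db01 seq=101 event=LOGON_OK user=jsmith src=10.1.2.3
2005-06-15T08:01:30Z fin-db01 seq=102 event=LOGON_FAIL user=jsmith src=10.1.2.3
2005-06-15T08:01:35Z fin-db01 seq=103 event=LOGON_FAIL user=jsmith src=10.1.2.3
2005-06-15T08:01:40Z fin-db01 seq=104 event=LOGON_FAIL user=jsmith src=10.1.2.3
2005-06-15T08:02:00Z fin-db01 seq=105 event=PRIV_CMD user=root cmd=/usr/sbin/useradd
2005-06-15T08:02:05Z fin-db01 seq=106 event=OBJ_CREATE user=root object=account:glledger
2005-06-15T08:02:10Z fin-db01 seq=109 event=DATA_READ user=glledger table=GL_JOURNAL
2005-06-15T08:02:15Z fin-db01 seq=110 event=AUDIT_CLEAR user=root detail=log_truncated
2005-06-15T08:03:00Z fin-app02 seq=7 event=LOGON_OK src=10.1.2.9
not-a-timestamp fin-app02 seq=8 event=DATA_READ user=auditor table=GL_JOURNAL
###corrupt###
"""

if __name__ == "__main__":
    result = review(SAMPLE_LOG.splitlines())
    for category, count in sorted(result["by_category"].items()):
        print(f"{count:3d}  {category}")
    print(f"{result['privileged_actions']:3d}  records by privileged users")
    for line_no, kind, detail in result["findings"]:
        print(f"finding (line {line_no}): {kind}: {detail}")
```

The sequence-gap check is the practical answer to "ensure that it is impossible to disable an audit log": a reviewer usually cannot prevent a privileged user from stopping the logger, but a per-host counter written by the agent makes the interruption visible at review time, and an AUDIT_CLEAR performed by root shortly after a privileged account was created is exactly the combination a regular review should surface.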
Solutions for Sarbanes-Oxley
High-ranking executives, such as chief compliance officers, and board members now actively oversee many compliance activities. As a result, it has become a critical priority for many companies to find technology solutions that quickly increase the efficiency of compliance processes and generate significant return-on-investment (ROI). A key requirement for achieving these objectives is selecting a solution that embraces the successful processes companies have used during compliance “projects” and makes them part of daily business practices.
For example, most companies initially took a tactical, manual approach to Sarbanes-Oxley compliance by creating projects that included dedicated employees, consultants, project plans, ongoing meetings, executive status reports and specialized technology—a standard practice in developing methodologies for new compliance efforts. However, now that companies understand the methodology necessary for 404 compliance, they must create a more efficient, long-term compliance strategy by incorporating their successful Sarbanes-Oxley compliance processes into daily business practices.
When companies concentrate on managing regulated business processes, demonstrable compliance simply becomes a by-product of everyday work activities.
Stellent: Turning Compliance Projects Into Ongoing Processes
Stellent’s compliance and records management applications allow companies to turn compliance projects into ongoing processes that are conveniently and inherently carried out during the normal course of business. In particular, Stellent’s full suite of Web-based document management solutions effectively manage the massive amounts of content involved in compliance documentation and testing—providing the necessary foundation for storing, managing, processing and tracking content in a central, secure repository.
Stellent can support multiple compliance initiatives with a single technology architecture that utilizes a common repository and interface. Consequently, companies can leverage Stellent’s infrastructure to comply with a variety of government mandates, from Sarbanes-Oxley, JCAHO (Joint Commission on Accreditation of Healthcare Organizations) and HIPAA (Health Insurance Portability and Accountability Act), to ISO (International Organization for Standardization) standards in the manufacturing industry. In this way, customers reduce the number of software applications they must purchase for compliance efforts and lower the duplication of documents and data across multiple compliance applications—leading to less complex IT integrations, faster user adoption, lower total cost of ownership and an overall substantial cost savings.
Based on Stellent’s content management platform, the integrated suite of compliance applications allows companies to manage the full scope of their compliance responsibilities while reducing operational costs. Stellent’s compliance platform is based on five key components: document management, records management, workflow, enterprise risk management and vertical applications.
DOCUMENT MANAGEMENT
Enables organizations to effectively and efficiently capture, secure, share and distribute digital and paper-based documents and reports. Retention policies, escalation flows and audit trails are accessed quickly and easily by only those authorized to see them.
RECORDS MANAGEMENT
Stellent’s built-in, Department of Defense (DoD) 5015.2-certified Active and Fixed Records Management solutions help companies control the creation, declaration, classification, retention and destruction of all types of business records—whether they are “active” such as documents and graphics, or “fixed” such as scanned images and email. These records are stored and managed, along with other business content, within one server and accessed using a single interface.
Transitioning Compliance Projects into Inherent Business Processes
In the not too distant past, compliance initiatives often were characterized by back office operations that involved large volumes of records stored in basement filing cabinets. Recently, this situation has changed. Accounting scandals, the growing number of regulatory mandates, and the litigation consequences associated with those regulations have prompted many businesses to bring compliance initiatives out of the back office and into the boardroom.
WORKFLOW
Stellent’s workflow capabilities provide periodic “check-ups” on progress toward compliance goals by automating assessment, audit, remediation, approval and review processes.
ENTERPRISE RISK MANAGEMENT
The Stellent solution provides an enterprise-wide view of compliance efforts, enabling compliance work to be leveraged across the organization and diminishing project “silos.” Enterprise risk management prioritizes compliance initiatives based on areas of greatest risk and aligns all strategies with corporate goals.
VERTICAL APPLICATIONS
Stellent’s compliance offerings include vertical applications such as the Stellent® Sarbanes-Oxley Solution and Stellent® Email Management. The Stellent Sarbanes-Oxley Solution automates and supports long-term Sarbanes-Oxley compliance methodologies, enabling companies to efficiently manage and approve documentation supporting financial and non-financial disclosures and Section 404 compliance. The solution is highly personalized for non-technical business users, allowing auditors, accountants and CFOs to easily create, manage, share, track, approve and archive information with minimal training, using only a Web browser. Stellent Email Management facilitates the integration of email into customers’ business processes. With rule-based, centralized email archiving, the solution captures email as managed records in support of legal retention requirements.
Powering Multiple Compliance Initiatives with a Single Solution
Companies across a variety of industries use Stellent’s compliance and records management solutions to comply with a wide range of regulations, including Sarbanes-Oxley, JCAHO, Basel II, HIPAA, FDA approvals and ISO 9001. Examples of successful customer implementations include:
SARBANES-OXLEY COMPLIANCE
Reliant Energy, Inc., a provider of electricity and energy services, has streamlined its Sarbanes-Oxley compliance processes by using Stellent technology to distribute documentation tasks to process owners and smooth its attestation process. Specifically, the Stellent solution provides Reliant’s core compliance team with an enterprise-wide view of the company’s internal control makeup. This view allows the core team to keep track of and schedule control changes based on company priorities, which helps the company meet its goal of automating as many internal controls as possible.
Additionally, the Stellent solution provides Reliant with centralized process management capabilities and a centralized content repository. The core compliance team easily manages the overall process of Sarbanes-Oxley compliance through an automated workflow system that involves process owners. Reliant has customized specific features within the workflow that monitor contributions from process owners to ensure all work and processes meet the quality standards set by the company. In addition, the centralized repository has eliminated Reliant’s disparate content repositories and disconnected areas of the company carrying out compliance efforts on their own.
Another benefit of Reliant’s compliance solution is the ability to easily share content with multiple audiences, including external auditors, process owners, company executives and managers, and internal auditors. Users log in to the system through an easy-to-use, Web-based interface and access information immediately, 24 hours a day. Auditors easily access the latest documentation they need for external audits —resulting in significantly less preparation time for internal staff.
Providing Your Company with the Most Effective Compliance Solutions
Because most compliance mandates are primarily a process of massive documentation and testing, comprehensive document management-based solutions, rather than stand-alone compliance systems, are best equipped to effectively support compliance initiatives.
Stellent’s compliance and records management solutions are built upon Stellent’s proven, industry-leading content management system, used by more than 1,600 customers worldwide. Stellent drives rapid success for customers by enabling fast implementations, easy integrations with existing systems, and generating quick, broad user adoption. Consequently, customers can promptly transition their resource-intensive compliance projects into ongoing, productive business processes and reap the substantial benefits these evolutions can generate.
[Figure: Stellent Compliance Framework. An Enterprise Risk Management layer spans the regulatory drivers shown (Sarbanes-Oxley and Euro SOX, Internal Audit, Operations, Patriot Act, Sec 17a, ISO, HIPAA, JCAHO, Basel II, IAS, GLBA, FDA) and rests on three platform layers: Workflow, Records Management and Document Management.]
Background
The Sarbanes-Oxley Act of 2002 was created to restore investor confidence in public markets following many high-profile cases of corporate malfeasance and deceptive practices. In a nutshell, it holds CEOs and CFOs accountable for the veracity of their company’s financial statements.
Sarbanes-Oxley is a comprehensive law designed to prevent corporate crime, and it fundamentally changes the business environment. Yet it does not detail exactly how to become compliant. It broadly states, in Section 302, that certifying officers in a company are responsible for establishing and maintaining internal controls over financial accounting that will verify the accuracy, reliability and accountability of corporate disclosures. In Section 404, Sarbanes-Oxley requires annual assessments of the effectiveness of whatever internal controls the corporation has established.
Sarbanes-Oxley requires publicly held companies to implement internal controls over their financial reporting, operations and assets, to evaluate the strengths and weaknesses of these internal controls in official documents filed with the SEC and to make regular disclosures concerning the viability of these controls and potential fraud or losses that may affect the company’s financial position. Because most companies’ financial reporting and operations depend heavily on information technology, and because many corporate assets now exist in the form of critical data, Sarbanes-Oxley has significant information security implications for companies governed by the law.
The Role of IT
At first glance, Sarbanes-Oxley seems pointed solely at a company’s finance department. What does that have to do with the IT department? Everything. Technology is what gathers, protects and reports the financial information that CEOs and CFOs must attest is correct.
Without a well-controlled IT environment, there is no proof that financial reporting is complete, free from error, or hasn’t been tampered with.
For most businesses, the IT department is where controls over financial systems will reside. IT’s own processes and infrastructure can, therefore, be considered a key part of the “internal controls” required by Section 302, and the tools it uses to test the efficacy of controls are a key part of meeting Section 404.
Meeting the Requirements with Tripwire
Although Sarbanes-Oxley does not explicitly detail how to achieve compliance, the Securities and Exchange Commission (SEC) recognizes the “COSO” framework as a suitable framework for establishing internal controls over financial reporting. Accordingly, COSO has become the most commonly adopted framework.
COBIT (Control Objectives for Information and related Technology), published by ISACA and the IT Governance Institute, is the IT governance and control framework most commonly mapped onto COSO’s control components for IT general controls. Tripwire change audit solutions support many elements of the Delivery and Support (DS) and the Acquisition and Implementation (AI) domains of COBIT. The following are just a few of the COBIT recommendations where Tripwire excels as the solution.
• Implement change control monitoring/auditing tools. Tripwire is a recognized leader in change monitoring and auditing solutions.
• Implement a change management system. Tripwire change information can be integrated with other enterprise management systems and reporting packages, such as Remedy AR System, HP OpenView, and other similar systems, to provide validation and documentation of planned changes, as well as storing "before and after" snapshots of systems, which can be appended to work orders.
• Document and implement preventative controls procedures. Tripwire validates that all changes are tracked, synchronized with documentation, and applied consistently across the appropriate systems.
• Document and implement detective controls. Tripwire is commonly used to monitor the configuration, applications, and underlying OS of security software and devices in order to detect and report change. In this way, Tripwire provides independent validation that security applications and their configurations have not been compromised or changed without authorization. Tripwire also monitors and cryptographically protects its own files to protect itself from compromise.
Tripwire: The Proof You Need
Tripwire brings all-inclusive change auditing practices to operations. Tripwire change auditing solutions enable you to prove that all authorized change is properly implemented, and that no change of any type goes undetected. Detailed change audit trails verify that IT process controls are effective, that the IT infrastructure is secure, and that your change management policy is enforced. That evidence supports compliance with Sections 302 and 404 of the Sarbanes-Oxley Act.
• Document change management workflow approval processes. Tripwire enables user-scheduled integrity checks to monitor files and their attributes, comparing them against the baseline. Changes are immediately pinpointed and appropriate IT staff can be notified by email or pager.
• Document and report all unauthorized changes. Detailed reports and audit logs of any change are provided. If the change is not desired, Tripwire software enables rapid restoration of files to a known good state.
• Provide accurate auditing of authorized changes as it relates to approved change management work flow process. Tripwire not only detects and reports unauthorized change, it also can verify that authorized changes were indeed successfully made, thus supporting change management policy and procedures.
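The change-audit cycle the bullets above describe (take a baseline, run scheduled integrity checks against it, report every change, reconcile detected changes against the approved change-management record, and protect the tool's own data from tampering), as an added example in Python. It is not Tripwire's code: the monitored directory contents, the change-ticket list and the HMAC key are constructed for illustration, and the example assumes the key is held somewhere the monitored host cannot reach.

```python
"""Baseline / integrity check / reconciliation in the style described above.

Added example, not Tripwire's code. Constructed assumptions: a small file
tree under a temporary directory, an approved-change list of the form
{"id": ticket, "paths": [...]}, and an HMAC key supplied out of band.
"""
import hashlib
import hmac
import json
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Content hash plus the attributes an auditor cares about (mode, owner, size)."""
    st = path.lstat()
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "size": st.st_size}


def snapshot(root: Path) -> dict:
    return {str(p.relative_to(root)): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_baseline(root: Path, key: bytes) -> dict:
    """Baseline plus a MAC so the stored baseline cannot be silently edited."""
    entries = snapshot(root)
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_baseline(baseline: dict, key: bytes) -> bool:
    body = json.dumps(baseline["entries"], sort_keys=True).encode()
    return hmac.compare_digest(baseline["mac"], hmac.new(key, body, "sha256").hexdigest())


def integrity_check(root: Path, baseline: dict, key: bytes) -> list:
    """Compare the live tree against the baseline; refuse a baseline that fails its MAC."""
    if not verify_baseline(baseline, key):
        raise RuntimeError("baseline MAC mismatch: baseline tampered or wrong key")
    old, new = baseline["entries"], snapshot(root)
    changes = []
    for rel in sorted(set(old) | set(new)):
        if rel not in new:
            changes.append({"path": rel, "kind": "removed"})
        elif rel not in old:
            changes.append({"path": rel, "kind": "added"})
        elif old[rel] != new[rel]:
            attrs = sorted(k for k in old[rel] if old[rel][k] != new[rel][k])
            changes.append({"path": rel, "kind": "modified", "attrs": attrs})
    return changes


def reconcile(changes: list, tickets: list) -> list:
    """Tag each change with the approved ticket covering its path, else UNAUTHORIZED."""
    for c in changes:
        c["ticket"] = next((t["id"] for t in tickets if c["path"] in t["paths"]),
                           "UNAUTHORIZED")
    return changes


def run_demo() -> dict:
    key = b"example-key-held-off-the-monitored-host"   # assumption: supplied out of band
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, data in {"etc/gl.conf": b"ledger_db=prod\n",
                          "bin/post_journal": b"#!/bin/sh\necho posting\n",
                          "lib/tax.so": b"\x7fELF placeholder"}.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
            os.chmod(p, 0o644)
        baseline = take_baseline(root, key)

        # One approved change (ticket CHG-1042 covers etc/gl.conf) and three
        # changes nobody approved: an edited and re-permissioned binary, a new
        # file, and a deleted library.
        tickets = [{"id": "CHG-1042", "paths": ["etc/gl.conf"]}]
        (root / "etc/gl.conf").write_bytes(b"ledger_db=prod\naudit=on\n")
        (root / "bin/post_journal").write_bytes(b"#!/bin/sh\necho posting\n# unreviewed edit\n")
        os.chmod(root / "bin/post_journal", 0o600)
        (root / "bin/helper").write_bytes(b"#!/bin/sh\n")
        (root / "lib/tax.so").unlink()
        changes = reconcile(integrity_check(root, baseline, key), tickets)

        # Someone who edits the stored baseline to hide the modified binary
        # cannot recompute the MAC without the key, so the forgery is caught.
        forged = json.loads(json.dumps(baseline))
        forged["entries"]["bin/post_journal"] = fingerprint(root / "bin/post_journal")
        tamper_detected = not verify_baseline(forged, key)
    return {"changes": changes, "baseline_tamper_detected": tamper_detected}


if __name__ == "__main__":
    report = run_demo()
    for c in report["changes"]:
        print(f"{c['ticket']:13s} {c['kind']:9s} {c['path']} {c.get('attrs', '')}")
    print("forged baseline detected:", report["baseline_tamper_detected"])
```

A change that matches an approved ticket is evidence that the change process worked; a change with no ticket is the exception report an auditor wants to see. The MAC over the baseline is what stops someone who has already altered a file from also editing the stored baseline to hide it, and it is only as good as the secrecy of the key, which is why the key must not live on the monitored host.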
Services to Achieve Sarbanes-Oxley Compliance
Sometimes ensuring that IT systems are controlled requires more than software—it calls for expertise and deep knowledge of data, devices and how change happens. That’s what Tripwire Professional Services contributes so you can quickly get the most out of your Tripwire change audit solution.
From initial network discovery to policy file writing and customization, our experienced consultants work to get your solution up and running as quickly and effectively as possible.
Aligning IT to support Sarbanes-Oxley compliance is only one benefit. Tripwire also delivers consulting services that help build an integrated, stable and effective IT environment. This includes complete solutions to ensure the security of a company’s data assets, as well as developing strategies for using change monitoring and analysis to maximize IT service delivery uptime.
Tripwire and its network of certified partners have a proven history of delivering results to customers, and providing benefits that enable you to achieve your business objectives. Additionally, we can craft compliance solutions for you that return value far beyond your compliance requirements.
More Information
Tripwire’s SOX Solutions Center contains links to live webcasts, white papers, and case studies that show you how to integrate change auditing practices into your operations to demonstrate Sarbanes-Oxley compliance.
In addition to Sarbanes-Oxley, a growing list of industry and regulatory issues is affecting change management requirements for organizations with IT infrastructure. Tripwire enables IT organizations to automate change detection, reconciliation and reporting, supporting compliance efforts under a wide range of regulations and guidelines, including: Gramm-Leach-Bliley Act, OCC guidelines, Visa CISP, US FDA CFR11, HIPAA, NSSC, E-Government Act, NCUA Guidelines, Common Criteria, ISO 17799, and CA Civil Code 1386. Find out more at www.tripwire.com.
Solution Sponsors
Stellent, Inc. (www.stellent.com) is a global provider of content management software solutions that drive rapid success for customers by enabling fast implementations and generating quick, broad user adoption. With Stellent, customers can easily deploy multiple line-of-business applications—such as Web sites, call centers, dealer extranets, compliance initiatives, accounts payable imaging and claims processing—and also scale the technology to support enterprise-wide content management needs.
More than 4,300 customers worldwide—including Procter & Gamble, Merrill Lynch, Los Angeles County, The Home Depot, British Red Cross, ING, GlaxoSmithKline, Georgia Pacific, Bayer Corp., Coca-Cola FEMSA, Emerson Process Management and Genzyme Corp.—have selected Stellent solutions to power their content-centric business applications. Stellent is headquartered in Eden Prairie, Minn. and maintains offices throughout the United States, Europe, Asia-Pacific and Latin America.
Stellent Compliance Solutions
Stellent provides content management-based solutions to help companies streamline processes related to complying with a variety of regulations, such as the Patriot Act, Health Insurance Portability and Accountability Act (HIPAA), ISO, and the Sarbanes-Oxley Act. Stellent’s compliance solutions allow companies to efficiently manage and approve content related to financial and non-financial disclosures, as well as documentation associated with an organization’s enterprise risk management process. The solutions are based on the award-winning Stellent Universal Content Management system, which offers a full array of content management functionality—featuring document management, Web content management, digital asset management and imaging—supported by collaboration, records management and business process management services.
About Tripwire Solutions
A comprehensive change auditing solution requires three critical pieces: process, people and technology. Correspondingly, Tripwire Solutions include both software and professional services offerings. Its software offerings include Tripwire Enterprise and Tripwire for Servers, which is a proven change monitoring and analysis solution for servers and network infrastructure running in small to enterprise organizations. Tripwire Professional Services offers a complete set of services to help organizations define change control processes, integrate Tripwire software with existing Configuration and Change Management systems, as well as Tripwire software implementation and tuning.
About Tripwire, Inc.
Tripwire, Inc. is the world leader in Change Auditing solutions that enable enterprises to reduce operational risk and gain control over IT systems. With Tripwire software, you ensure the security of your systems, instill accountability for change, gain visibility across your enterprise and increase the availability of critical IT infrastructure. Tripwire customers include Global 2000 companies such as Intuit, AT&T, Ernst & Young and the U.S. House of Representatives. Tripwire is headquartered in Portland, Ore., with offices in the UK, France and Japan and customers in 92 countries around the world. For more information visit: http://www.tripwire.com/.
Epilogue: Ten steps for sustaining compliance benefits
Cass Brewer, Editorial and Research Director, IT Compliance Institute

When you look at how little impact reporting material weaknesses has had on the issuers’ stock prices, you might wonder whether all of the worry and expense of compliance is worthwhile. There’s been little immediate investor backlash. Moreover, the business community hasn’t seen a campaign of Sarbanes-Oxley (SOX) indictments. The SEC seems neither staffed nor motivated to prosecute companies to the degree that companies have braced to be prosecuted.

If SOX compliance were only about preventing fraud and looking good to investors, it would be tempting to sideline it on the evidence that failure in either effort remains almost as unlikely to incur penalty now as it did prior to SOX’s passage. But SOX isn’t really about legislating ethics.

SOX is a deterrent in the sense it makes it harder to get away with bad business. But, in the long run, its main goal is to restore investor faith in the idea that companies do reliably communicate their financial health and risk, acknowledge corporate responsibility, and know the penalties for straying.

Perhaps the best reason to actively embrace compliance, however, is that SOX is simply good business. In survey after survey, IT managers, CIOs, and CTOs say their companies are in better shape because of compliance efforts. Finding more efficient ways to perpetuate and grow these benefits is what sustainable compliance is all about. How can you keep up with compliance pressures while reducing costs? That’s really the name of the game going forward. And it’s much of what this paper addresses.
Ten steps for sustainable compliance

Fundamentally, IT’s challenge in SOX compliance is that it’s practically as pervasive as information itself. When you look at the major general-control areas—records management, technical and physical security, and application management—it’s almost everything in the IT realm.

As it turns out, this everything-everywhere-anytime challenge of SOX is also why compliance potentially offers such broad business benefits. It is an opportunity, and perhaps an imperative, to assess, align, streamline, and improve processes and technologies across the organization.
1. Get Past FUD
The most important step to sustaining compliance benefits is getting past FUD: fear, uncertainty, and doubt. In reality, fear is a poor motivator, especially when threats are abstract, distant, or inconsistent. If enforcers aren’t breathing down your neck and investors aren’t going to abandon you, it’s easy to become complacent: let controls slip, disregard changes in regulatory guidelines, and so forth. That’s where you can get into trouble—because enforcers are still out there, and another filing deadline is right around the corner.

FUD is also ultimately expensive. By focusing too tightly on avoiding negative consequences, you miss opportunities; for example, seeing that your investment in a records management solution for financial data might also benefit your legal or sales department.

To sustain compliance, companies must learn to see compliance investments both as challenges and opportunities for innovation. If you’re going to audit or integrate data sources, can those processes serve broader business initiatives? Could your SOX security solution also solve a security issue in another part of the business? Are there projects for which you can’t otherwise get funding that will fit under the compliance umbrella?
2. See the Whole
In many cases, getting past FUD involves a conscious effort to reevaluate the role of IT compliance more holistically. In year one of SOX, most companies’ efforts have been intensively deadline driven, reactive, and tactical. Going forward, companies should proactively assess the potential role of individual compliance processes in meeting business goals and even other compliance goals. Sustainability lives in these relationships.
3. Be the Whole
It might seem counterintuitive, but expanding your compliance view can actually simplify your IT challenge. Our natural impulse is to fight complexity with complexity; so, for each SOX requirement, there’s a potential to architect a discrete solution. This approach can limit your options, decreasing solution compatibility, flexibility, and extensibility, while increasing downstream integration and maintenance costs.

A more holistic take on compliance processes can liberate you from one-off, project-centric implementations. Instead of thinking about solving a discrete compliance problem, such as records storage, you can think about how granular IT controls, such as records archiving, can meet compliance, IT, and business goals—and those goals can be tied to any number of projects.

From this foundation, you can more easily build an efficient, well-leveraged plan for high-profile, high-reward, low-risk projects with sweeping benefits—which, coincidentally, is a great way to get support and additional funding for future projects.
4. Get Business Buy-in
IT managers must train business-side compliance stakeholders to ask “how?” every time a compliance goal is on the table: how will the goal be met and what are the IT implications? Once the strategic team is on the same page with “how,” it becomes much easier to align business support behind the technical “what” you need to do to get the job done.
5. Automate
Year-one compliance is all about need—the need to meet complex requirements by the first SOX deadline. In a sustainable compliance environment, however, the focus should shift from need to speed (and cost reduction). To date, companies have been reticent to invest in software until they’ve defined needs, mapped processes, and tested and remediated controls. Once these prerequisites are filled, however, companies should look for ways to reduce the burden and cost of manual processes through automation.

6. Don’t Forget Human Factors
Don’t forget the people part of the compliance equation. Corporate governance belongs to the entire corporation and extends beyond products to encompass people and processes. Ultimately, sustainable compliance must belong to every worker every day.

7. Build Communicative Culture
We all make the mistake sometimes of thinking people can read our minds, and SOX compliance offers ample opportunity for this error. New roles, responsibilities, and relationships; new processes and practices; and unfamiliar topics all facilitate misalignment between individuals and groups. To promote smooth compliance processes, compliance managers should act as communication role models. Moreover, it pays to stay on top of potential hot zones—in particular, cross-functional groups.

8. Measure, Monitor, Enforce
Continuing to spend heavily on compliance without tracking its costs or benefits is not a sustainable practice. Companies should bring compliance in line with other business practices by finding ways to monitor and measure it; for example, tracking expenses via a dedicated budget or billing code. Setting tangible goals, such as storage metrics, data quality metrics, and security incident targets, can also help.

9. Be Vigilant, but Not Too Vigilant
For sustained compliance, companies must align compliance cost with material relevance—gauged by their internal standards, the broader regulatory arena, and peer activities. You must assess what’s a real risk, what isn’t, and what becomes more or less risky over time.

10. Keep Your Eye on the Ball
Staying on top of SOX compliance can seem like standing on a skateboard on a patch of ice on a glacier: your job is to remain upstanding, even as everything constantly shifts around you. Regulations change, enforcer expectations evolve, regulatory trends migrate, technology emerges, and business and technology standards and practices evolve. Knowledge is power, when it comes to SOX compliance, but it requires constant research. In sustained compliance, companies should develop regular research practices, schedules, and channels.

For more information on sustainable compliance and related topics, visit the IT Compliance Institute at www.ITCinstitute.com.
References

15d-15: Controls and procedures. 17 CFR 240.15d-15.
(2001). Information and documentation—Records management, Part 1: General. International Organization for Standardization.
(2001). Information and documentation—Records management, Part 2: Guidelines. International Organization for Standardization.
(2002). The Sarbanes-Oxley Act of 2002.
(2003). DIRKS. National Archives of Australia.
(2003). Final Rule: Management’s Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports. 17 CFR Parts 210, 228, 229, 240, 249, 270 and 274. Release nos. 33-8238; 34-47986; IC-26068.
(2003). Final Rule: Mandated Electronic Filing and Website Posting for Forms 3, 4 and 5. 17 CFR Parts 230, 232, 239, 240, 249, 250, 259, 260, 269 and 274. Release nos. 33-8230, 34-47809, 35-27674, IC-26044.
(2004). Internal Control—Integrated Framework, Executive Summary. The Committee of Sponsoring Organizations of the Treadway Commission.
(2004). Proposed auditing standard—An audit of internal control over financial reporting performed in conjunction with an audit of financial statements. Public Company Accounting Oversight Board.
Beaver, K. (2004). Sarbanes-Oxley discusses internal controls, but what exactly does that mean in regards to infrastructure? SearchSecurity.com.
Cougias, D., E. L. Heiberger, et al. (2003). The Backup Book: Disaster Recovery from Desktop to Data Center. Silicon Valley, CA: Shaser-Vartan Books.
Staff, I. (2003). Sarbanes-Oxley Compliance—The Cloud or the Silver Lining? Tripwire.
Taub, S. A. (2003). The SEC’s Internal Control Report Rules and Thoughts on the Sarbanes-Oxley Act. U.S. Securities and Exchange Commission.