1. Select a set of controls -- and test repeatedly. The essence of a SOX audit is proving that you do what you say you do. The Sarbanes-Oxley Act doesn't require a specific set of IT controls, but whichever controls you pick, you need to demonstrate a credible, repeatable way of testing them and keep the evidence of each test.
2. Develop a sound password policy. This means setting a maximum password age, enforcing a password history so old passwords cannot be reused, and requiring complex passwords. Many organizations are still guilty of allowing users to create obvious passwords, such as the name of a pet; complexity rules alone do not catch these, so screen new passwords against a dictionary or breached-password list where the system allows it.
3. Review permissions. The first thing auditors do is go into file "shares" to find out who has access to what. Review share permissions with an eye toward whether they are in line with documented policy, and resolve group membership so you are checking effective access rather than just the group names on the ACL.
4. Validate access control lists. Test credentials against critical line-of-business systems: try accounts on the approved list and a sample of accounts that should be excluded. Auditors will look to see whether your list of who should have access to an application really governs who does.
5. Plug database holes. Review each database management system and be able to show, from a DBMS-authorization perspective, that there are no holes. A common problem auditors look at is how many production systems housing sensitive data run their applications with fully privileged accounts (owner or DBA roles) instead of accounts limited to the rights the application needs.
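Items 3 to 5 come down to one check: take the documented entitlement policy, take what is actually granted on the systems, and explain every difference. The script below is an added example, not code from the original article or any vendor. It assumes share ACLs and DBMS role memberships have already been exported and flattened into (resource, principal, right) triples (for example from a share-ACL listing and the database's role catalog); the policy, the exported grants, the role names and the account names are all constructed for the example.

```python
"""Access-review reconciliation for a SOX IT-controls test (added example).

Assumes share ACLs and DBMS role memberships have been exported and flattened
into (resource, principal, right) triples. All data below is constructed
sample input; resource, account and role names are assumptions, not real ones.
"""
from typing import Iterable, List, NamedTuple, Set, Tuple


class Grant(NamedTuple):
    resource: str    # share path or database name
    principal: str   # user, group or service account
    right: str       # share/NTFS right or DBMS role


# Documented policy: the access that SHOULD exist (constructed sample).
APPROVED: Set[Grant] = {
    Grant(r"\\fs01\finance", "gl-accountants", "Modify"),
    Grant(r"\\fs01\finance", "finance-ro", "Read"),
    Grant("erp-prod", "erp-app", "db_datareader"),
    Grant("erp-prod", "erp-app", "db_datawriter"),
    Grant("erp-prod", "dba-team", "db_owner"),
}

# Grants actually found on the systems (constructed sample export).
OBSERVED: List[Grant] = [
    Grant(r"\\fs01\finance", "gl-accountants", "Modify"),
    Grant(r"\\fs01\finance", "finance-ro", "Read"),
    Grant(r"\\fs01\finance", "Everyone", "Read"),       # not in policy
    Grant("erp-prod", "erp-app", "db_datareader"),
    Grant("erp-prod", "erp-app", "db_owner"),           # app running as owner
    Grant("erp-prod", "dba-team", "db_owner"),
    Grant("erp-prod", "jsmith", "db_datawriter"),       # individual, no approval
]

# Roles that amount to "full credentials" on a DBMS (assumed role names).
PRIVILEGED_DB_ROLES = {"db_owner", "sysadmin", "superuser", "dba"}
# Catch-all principals whose presence on a sensitive share is a finding by itself.
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}
# Service accounts used by production applications (assumed naming).
APP_ACCOUNTS = {"erp-app"}


def reconcile(approved: Iterable[Grant],
              observed: Iterable[Grant]) -> Tuple[List[Grant], List[Grant]]:
    """Return (grants present but not approved, approved grants not present)."""
    approved_set, observed_set = set(approved), set(observed)
    return sorted(observed_set - approved_set), sorted(approved_set - observed_set)


def privileged_app_accounts(observed: Iterable[Grant],
                            app_accounts: Set[str]) -> List[Grant]:
    """Production application accounts holding DBA-level roles (item 5)."""
    return sorted(g for g in set(observed)
                  if g.principal in app_accounts
                  and g.right.lower() in PRIVILEGED_DB_ROLES)


def broad_grants(observed: Iterable[Grant]) -> List[Grant]:
    """Grants to catch-all groups such as Everyone (item 3)."""
    return sorted(g for g in set(observed) if g.principal in BROAD_PRINCIPALS)


def findings(approved: Iterable[Grant], observed: Iterable[Grant],
             app_accounts: Set[str]) -> List[str]:
    """One finding per line, in the order an auditor would ask about them."""
    unapproved, missing = reconcile(approved, observed)
    out = [f"UNAPPROVED {g.resource} {g.principal} {g.right}" for g in unapproved]
    out += [f"MISSING    {g.resource} {g.principal} {g.right}" for g in missing]
    out += [f"PRIV-APP   {g.resource} {g.principal} {g.right}"
            for g in privileged_app_accounts(observed, app_accounts)]
    out += [f"BROAD      {g.resource} {g.principal} {g.right}"
            for g in broad_grants(observed)]
    return out


if __name__ == "__main__":
    for line in findings(APPROVED, OBSERVED, APP_ACCOUNTS):
        print(line)
```

Run against the constructed data it reports the Everyone grant on the finance share, the application account holding db_owner, the individual user added to the database without an approval on file, and the approved db_datawriter grant that is no longer present (a sign the policy document itself is stale). The value for the audit is not the script but the evidence it produces each cycle: the policy file, the export, and the dated findings, which together show the control was tested.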
The Sarbanes-Oxley Act was signed into law on July 30, 2002 by President Bush, after being approved by the House by a vote of 423-3 and by the Senate 99-0. Sarbanes-Oxley is considered the most significant change to federal securities laws in the United States since the New Deal. Officially titled the Public Company Accounting Reform and Investor Protection Act of 2002, and commonly called SOX or Sarbox, it was named after its sponsors, Senator Paul Sarbanes (D-MD) and Representative Michael G. Oxley (R-OH), and came as a result of a series of corporate financial scandals.
The Sarbanes-Oxley Act was designed to replace dated legislative audit requirements and protect investors by improving the accuracy and reliability of corporate disclosures. It covers issues such as establishing a public company accounting oversight board, corporate responsibility, auditor independence, and enhanced financial disclosure. Among its major provisions are the prohibition on insider trades during pension fund blackout periods, the certification of financial reports by CEOs and CFOs, the public reporting of CEO and CFO compensation and profits, accelerated reporting of trades by insiders, and a ban on personal loans to any executive officer or director. In short, the act requires full disclosure on just about everything.
Sarbanes-Oxley adds disclosure requirements as well as criminal and civil penalties for securities violations, with significantly longer jail sentences and larger fines for corporate executives who knowingly and willfully misstate financial statements. The act also prohibits audit firms from providing extra "value-added" services to their audit clients, including actuarial, legal and consulting services unrelated to their audit work. It further requires that publicly traded companies furnish independent annual audit reports on the existence and condition of internal controls as they relate to financial reporting (Section 404).
Other provisions oblige management of US public companies to assess and report on internal control over financial reporting, an assessment the external auditors must attest to. The act also mandates auditor independence, including outright bans on certain types of work and pre-approval by the company's audit committee of all other non-audit work. It also requires that information on how significant transactions are initiated, authorized, supported, processed, and reported be disclosed whenever it is requested.
Sarbanes-Oxley requires enough information about the flow of transactions to identify where material misstatements due to error or fraud could occur. It also calls for documentation of the controls designed to prevent or detect fraud, including who performs them and the required segregation of duties; of the period-end financial reporting process and the controls over safeguarding of assets; and of the results of management's testing and evaluation of those controls.
The future of the Sarbanes-Oxley Act will depend on businesses' ability to respond to the areas already mentioned by making compliance part of everyday business. Deloitte and Touche LLP has released a publication called "Under Control" that lays out several points on this matter: education and training to reinforce the control environment; clearly articulated roles and responsibilities with assigned accountability; effective and efficient processes for evaluating, testing, remediating, monitoring and reporting on controls; technology to enable compliance; adaptability and flexibility to respond to organizational and regulatory change; and integrated financial and internal control processes. The act may need refining in the future, but for now it protects investors against those who fail, deliberately or by mistake, to report accurately.
17 June 2008
Just the mention of a Sarbanes-Oxley audit provokes horror stories of inordinate time spent providing evidence, complying with written policies, procedures and guidelines, and attending countless meetings. Sorry to say, but life is not going to get easier until you make SOX part of your daily routine and take an active role in the entire audit process.
In more than 70 IT security audits and three full-scale SOX engagements at Fortune 100, 500 and 1000 companies since 2002, I have witnessed both the best and worst practices and approaches to compliance. Why is it that so many educated, driven individuals seem unable to use the numerous, readily available sources of data to stand up and challenge the interpretations of SOX to which they are subjected? Instead, they blindly accept the mandates set forth by the very people who have a vested financial interest in how the SOX audit is run.
Some knowledgeable external auditors have eliminated many controls that had to be satisfied last year. They made these changes after realizing their understanding of SOX should be brought more closely in line with the intent of the law. Other auditors are unwilling to modify the audit controls they consider critical; often there is a direct correlation between this inflexibility and a lack of real-world, hands-on experience.
Unless you and your company's audit group fully understand SOX, you won't be able to question the external auditors' template of what they expect. The websites of the Information Systems Audit and Control Association (www.isaca.org), the Institute of Internal Auditors (www.iia.com) and the Public Company Accounting Oversight Board (www.pcaob.com) offer a wealth of information about SOX.