Sarbanes-Oxley Compliance and Audits

As the new year arrived, it brought with it new challenges for business and the IT organizations that support it. Whether it is a new calendar year with renewed budgets or the start of a new business quarter, new projects are sure to be assigned to IT. Almost certainly, one of the projects at the top of the list will be regulatory compliance, as the time grows near for company executives to verify compliance with the Sarbanes-Oxley Act (SOX).

Section 404 of the Act mandates that executive management of publicly held companies must evaluate and report on the effectiveness of their internal controls over financial reporting, and have independent auditors substantiate the effectiveness of the procedures and internal controls for financial reporting.

By: Steve Lemme

Although the primary purpose of SOX is to assure corporate governance standards for financial reporting and auditing, a wider interpretation can include the IT operational processes that support a company's business. Company executives are now reaching out to IT to assess and provide records of the policies, processes, and procedures that control access to and protect the integrity of financial systems and business applications, across networks and servers and into the databases where the data is stored. As IT organizations start to address SOX, questions are being raised about how far it reaches, what is affected, and what should be reviewed and reported.

While guidance is available from various sources, a definitive set of guidelines that is not open to interpretation has yet to appear. Offered only as examples to assist in meeting compliance, here are five potential ways an organization might fail an upcoming audit if not properly prepared:

________________________________________________________________________

FIVE WAYS TO FAIL A SARBANES-OXLEY AUDIT

1. No security management or demonstration of security for systems of financial record, or for systems that could affect the integrity of financial systems. Companies must assure that financial information is safe from unauthorized outside or internal influences.

2. No documented procedures, records of changes, or auditable demonstration of change management when System, Database, and Network Administrators make alterations or updates to systems of financial record or to systems that could affect the integrity of financial systems. Proper change management must exist to ensure that software and hardware changes are controlled and recorded.

3. No documented disaster recovery plan, or no auditable verification that the plan was successfully executed to recover systems of financial record. This includes demonstrating recoverability of financial systems for reasonable business continuance with minor business impact. No matter the size or complexity of the system, organizations must assure recovery within a period of time that ensures timely availability of financial data.

4. Database logging not enabled, logs not secured, no reporting of database transactions, or no demonstration of log audit reporting for financial systems of record or systems that could affect the integrity of financial systems. Without database logging and log reporting, it is next to impossible to identify who changed what in the database. Database administration change management records should be compared against database log reports to verify that every database alteration is recorded and verifiable.

5. Backups or data moved onto disk or tape, or stored at third-party sites, not secured and tracked. Unsecured financial data can be vulnerable to theft, unauthorized viewing, or alteration. For instance, a Transportable Tablespace of a database could potentially be moved and reattached to another database, enabling unauthorized viewing. Database archival, backups, loading and unloading, administration change management, and reporting should be performed and routinely verified to ensure that data is secured.
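The comparison called for in item 4, change-management records checked against database log reports, is the kind of control an auditor will ask to see evidence of. The following is an added example, not part of the original article: a Python reconciliation that parses a constructed database audit log in a hypothetical "timestamp user action object" format (no particular vendor's log layout is assumed), matches each logged schema change against a constructed list of approved change tickets (ticket, object, authorised DBA, change window), and reports both directions of mismatch: logged changes no ticket covers, and tickets for which the logs hold no evidence that the change occurred. All tickets, users and object names are constructed sample data.

```python
"""Reconcile DBA change-management records against database audit log entries.

Added example for a SOX-style control check; the log format, ticket fields
and sample data are all constructed for illustration.
"""
import re
from datetime import datetime

# Constructed change-management records: each approved change names the
# object, the DBA authorised to make it, and the approved change window.
CHANGE_RECORDS = [
    {"ticket": "CHG-1001", "object": "GL_JOURNAL", "dba": "dba_alice",
     "start": "2024-03-04T20:00:00", "end": "2024-03-04T22:00:00"},
    {"ticket": "CHG-1002", "object": "AP_INVOICE", "dba": "dba_bob",
     "start": "2024-03-05T01:00:00", "end": "2024-03-05T02:00:00"},
    {"ticket": "CHG-1003", "object": "AR_CUSTOMER", "dba": "dba_alice",
     "start": "2024-03-06T20:00:00", "end": "2024-03-06T21:00:00"},
]

# Constructed audit log in a hypothetical "timestamp user action object"
# format. Line 6 is deliberately malformed to show how a damaged log is reported.
AUDIT_LOG = """\
2024-03-04T20:15:12 dba_alice ALTER_TABLE GL_JOURNAL
2024-03-04T20:16:40 dba_alice CREATE_INDEX GL_JOURNAL
2024-03-05T01:20:03 dba_bob ALTER_TABLE AP_INVOICE
2024-03-05T14:02:55 dba_bob ALTER_TABLE GL_JOURNAL
2024-03-06T09:30:00 app_batch DROP_TABLE AR_CUSTOMER_STG
2024-03-06 corrupted entry
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<action>\S+)\s+(?P<obj>\S+)$")


def parse_audit_log(text):
    """Parse schema-change events out of the audit log text.

    Returns (events, rejected). Lines that do not fit the expected format are
    returned in `rejected` with their line number, so a truncated or tampered
    log is visible to the reviewer instead of being silently skipped.
    """
    events, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LOG_LINE.match(line)
        if m is None:
            rejected.append((lineno, line))
            continue
        events.append({
            "line": lineno,
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "action": m["action"],
            "object": m["obj"],
        })
    return events, rejected


def _covers(record, event):
    """True if an approved change record authorises this logged event:
    same object, same DBA, and the event falls inside the approved window."""
    start = datetime.fromisoformat(record["start"])
    end = datetime.fromisoformat(record["end"])
    return (record["object"] == event["object"]
            and record["dba"] == event["user"]
            and start <= event["ts"] <= end)


def reconcile(events, records):
    """Return (unauthorised_events, unevidenced_tickets).

    unauthorised_events: logged schema changes that no approved record covers.
    unevidenced_tickets: approved changes with no matching log entry, which
    points at either a change that never happened or a gap in logging.
    """
    used_tickets = set()
    unauthorised = []
    for event in events:
        match = next((r for r in records if _covers(r, event)), None)
        if match is None:
            unauthorised.append(event)
        else:
            used_tickets.add(match["ticket"])
    unevidenced = [r["ticket"] for r in records if r["ticket"] not in used_tickets]
    return unauthorised, unevidenced


def report(text=AUDIT_LOG, records=CHANGE_RECORDS):
    """Run the full check and return a plain dict suitable for an audit record."""
    events, rejected = parse_audit_log(text)
    unauthorised, unevidenced = reconcile(events, records)
    return {
        "events": len(events),
        "rejected": rejected,
        "unauthorised": [(e["line"], e["user"], e["action"], e["object"]) for e in unauthorised],
        "unevidenced": unevidenced,
    }


if __name__ == "__main__":
    result = report()
    print(f"parsed {result['events']} events, {len(result['rejected'])} malformed line(s)")
    for line, user, action, obj in result["unauthorised"]:
        print(f"UNAUTHORISED  log line {line}: {user} {action} {obj}")
    for ticket in result["unevidenced"]:
        print(f"NO EVIDENCE   {ticket}: approved change has no log entry")
```

In the sample data the check flags the out-of-window ALTER_TABLE on GL_JOURNAL by dba_bob and the DROP_TABLE by app_batch as changes no ticket covers, and CHG-1003 as an approved change the logs never show. Both findings are what the item above asks an organization to be able to produce on demand; the malformed sixth line is reported rather than dropped because a log that cannot be fully parsed is itself an audit finding.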

As SOX legislation is relatively new and affects a majority of companies today, the SEC has identified the guidelines provided by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) for evaluating internal controls. However, because the COSO framework is general, IT organizations can find IT-specific models within the Control Objectives for Information and related Technology (CobiT) framework to assist with SOX compliance.

________________________________________________________________________

The question to ask your staff today is where the documented processes for each of the five items above are, and whether they could be demonstrated to an auditor today. If not, then now is the time to kick off a project to address them.



_____________________________________________________________________
