The Sarbanes-Oxley Act (SOX) does not directly regulate Information Technology. However, IT is the backbone of the financial processes that are regulated by this historic Act, whose primary objective is to assure the integrity of financial statements. A key aspect of that integrity is the control and security of the financial systems and the IT infrastructure supporting those systems.
Section 302: Certification of Financial Reports
The CEO, CFO and an attesting public accounting firm must certify the accuracy of the financial statements and disclosures in the periodic report, and that those statements fairly present, in all material respects, the operations and financial condition of the issuer. Section 302 prescribes criminal penalties if CEOs or CFOs knowingly or willfully issue inaccurate statements. Section 302 also requires that material information used to generate periodic reports be retained and available to the public. In most enterprises, IT systems generate the periodic reports and control e-mail, the primary tool for communicating this information internally. CIOs are being asked to ensure that these systems are secure and reliable. Because of the criminal penalties, CIOs should also expect to be asked to sign an internal attestation on their systems to further protect the enterprise in case of CIO negligence in maintaining these systems.
Section 404: Management Assessment of Internal Controls
Section 404 is the largest driver of Sarbanes-Oxley compliance projects and the most significant section for IS organizations. It requires a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company, attested to by the company's auditor. This statement includes an assessment of the controls and identification of the framework used for the assessment. Section 302 requires that financial statements be complete and accurate; section 404 requires that the process used to generate those statements be accurate and meet an accepted industry standard (the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework is the de facto standard). Because the processes and internal controls are implemented principally in IT systems, section 404 audits involve a detailed assessment of these systems. Process changes to meet compliance must be documented and implemented by the IS organization. Although a completely paper-based organization could be compliant, most organizations make such extensive use of technology for financial reporting that the CIO plays a major role in auditing and compliance projects. Section 404 also requires reporting of material process changes every quarter. Thus, a new enterprise resource planning (ERP) system or any material change to a system could require a new 404 audit, attestation and report.
Section 409: Material Event Reporting
Public companies must disclose information on material changes in their financial condition or operations on a rapid and current basis. The goal of section 409 is to protect investors from delayed reporting of material events, which would increase their losses. IT systems, because they support business operations and financial management, play a significant role in the detection and management of material events. Proactive use of IT enables earlier detection and mitigation of material events. The U.S. Securities and Exchange Commission (SEC) hasn't issued final guidelines for section 409, but Gartner expects that IT systems will be affected by this section in 2004. The SEC has not defined "real time" from an enterprise information process perspective. Unless the SEC clarifies the time frame, the working guideline for section 409 is disclosure of changes as they occur, in addition to the report for that period.
A Practical Approach to Sarbanes-Oxley Compliance
Financial Systems Controls
- Identify critical system components that support the integrity of financial information
- Assess potential risks and vulnerabilities to the availability and security of electronically protected financial information
- Evaluate and recommend implementation of security measures to reduce those risks and vulnerabilities
- Review implementation of procedures to regularly review records of information system activity, including audit logs, access reports and security incident tracking reports
- Identify the security official(s) responsible for the development and implementation of security policies and procedures
- Review key input controls, processing controls and access security
- Review procedures or policies in place for closing system access for terminated employees, and for change management
- Thoroughly assess policies and procedures for granting access
- Assess authorization procedures, documentation, and the review and modification of established users' access rights
Information Security Controls
- Review critical IT infrastructure controls, system change management, database security, operating system integrity and network security
- Evaluate "need to know" and super-user access to financial systems
- Review technical policies and procedures for access control
- Review procedures for monitoring log-in attempts and reporting discrepancies
- Review current password management policies
- Review policies and procedures that address security incidents
- Review data backup and disaster recovery plans for recovering from loss of data
- Review current system monitoring to prevent, detect, contain and correct security breaches
- Review policies for identifying and tracking user identity, authentication alternatives and authorization controls
- Review emergency access procedures
- Review policies and procedures for automatic logoff
- Assess technical security measures guarding against unauthorized access to electronically transmitted information
- Review encryption policies for transactions
- Review real-time disclosure event reporting on material changes in financial condition or operations
Physical Systems Controls
- Review policies and procedures to limit physical access
- Review policies and procedures to safeguard facilities and equipment from unauthorized physical access, tampering and theft
- Review policies for validating a person's access to facilities, including visitor control and access to software programs for testing and revision
- Review controls in place to prevent unauthorized physical access to information, including workstation use and workstation security