The Sarbanes-Oxley Act of 2002, often referred to as SOX, is a financial regulation enacted in response to major accounting scandals at corporations such as Enron and WorldCom. The goal of SOX is to reduce financial fraud by increasing the penalties for failing to meet its standards, including fines of millions of dollars and years in prison.
All publicly traded companies are required to meet SOX standards. Because almost all financial records are now digital, SOX compliance requires a robust IT infrastructure. Lost or damaged data is not an acceptable excuse for noncompliance or for inaccurate financial reports. In addition, the regulation requires senior management to attest that data was handled and stored in a way that prevented it from being tampered with or lost. This means that even if a company produces an accurate financial report, it is still at legal risk if its IT infrastructure is vulnerable to breaches that could lead to incorrect data.
SOX is arranged into 11 titles. The sections that matter most from a compliance perspective are 302, 401, 404, 409, 802 and 906. Although SOX mostly deals with financial issues, sections 302 and 404 relate directly to IT concerns: they set the legal requirements for collecting, storing and verifying the accuracy of financial records.
Section 302 ('Corporate Responsibility for Financial Reports') requires that periodic statutory financial reports include, among other things: 1. A list of all deficiencies in the internal controls and information on any fraud that involves employees who have a role in those internal controls. 2. Any significant changes in internal controls or related factors that could negatively affect the internal controls.
In other words, Section 302 requires companies to have data protection tools in place and to be able to establish a timeline of who had access to the data and when. Further, companies must make sure that all protection tools are working and must report any security breaches. SOX does not specify how these tasks are to be accomplished.
Data tampering protections prevent users without write access from editing the financial records. Those users can be outside parties, such as attackers, or insiders who should not have that access. This requires organizations not only to have protection tools, such as firewalls and anti-malware, but also sound access control.
Beyond prevention, the other part of protecting against data tampering is ensuring that records can be recovered even after a cyberattack. Financial data must be fully recoverable, so backups are mandatory. Multiple backups, including off-site copies holding the most recent data, are a must for compliance.
Companies should keep track of changes to the data. In addition to knowing when a file was last changed, companies should record what the changes were and who made them. It is sometimes easier to keep a copy of a file every time it changes and update the logs in parallel.
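One way to implement the copy-on-change tracking described above, as an added Python example that is not part of the original article: every recorded change stores a full copy of the new version under its SHA-256 hash and appends a log line recording who made the change, when, the before and after hashes and a unified diff. Each log line is also hashed together with the previous line's hash, so a later edit to the log or to a stored copy is detected by `verify()`. The class name, the ledger file, the user names and the ledger contents are all constructed for the demonstration.

```python
import difflib
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ChangeAudit:
    """Copy-on-change audit trail: each change keeps a full copy of the file
    (stored under its SHA-256 hash) plus a hash-chained JSON log line with
    who, when, old/new hashes and a unified diff of the change."""

    GENESIS = "0" * 64  # chain value before the first entry

    def __init__(self, root):
        self.root = Path(root)
        self.versions = self.root / "versions"
        self.versions.mkdir(parents=True, exist_ok=True)
        self.log_path = self.root / "changelog.jsonl"
        self.last_hash = {}  # file name -> hash of its latest stored copy
        self.prev_entry_hash = self.GENESIS
        for entry in self.entries():  # resume the chain from an existing log
            self.last_hash[entry["file"]] = entry["new_hash"]
            self.prev_entry_hash = entry["entry_hash"]

    def entries(self):
        if not self.log_path.exists():
            return []
        with self.log_path.open() as f:
            return [json.loads(line) for line in f if line.strip()]

    def record(self, path, user, when=None):
        """Store a copy of `path` if its content changed; return the log entry or None."""
        path = Path(path)
        new_data = path.read_bytes()
        new_hash = sha256_hex(new_data)
        old_hash = self.last_hash.get(path.name)
        if old_hash == new_hash:
            return None  # unchanged since the last recorded version
        old_data = (self.versions / old_hash).read_bytes() if old_hash else b""
        diff = "".join(difflib.unified_diff(
            old_data.decode(errors="replace").splitlines(keepends=True),
            new_data.decode(errors="replace").splitlines(keepends=True),
            fromfile=f"{path.name}@{old_hash or 'none'}",
            tofile=f"{path.name}@{new_hash}"))
        shutil.copyfile(path, self.versions / new_hash)
        entry = {"file": path.name, "user": user,
                 "time": (when or datetime.now(timezone.utc)).isoformat(),
                 "old_hash": old_hash, "new_hash": new_hash, "diff": diff,
                 "prev_entry_hash": self.prev_entry_hash}
        # The entry hash covers the whole entry, including the previous hash.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        with self.log_path.open("a") as f:
            f.write(json.dumps(entry) + "\n")
        self.prev_entry_hash = entry["entry_hash"]
        self.last_hash[path.name] = new_hash
        return entry

    def verify(self):
        """Re-check the hash chain and every stored copy. Returns (ok, problems)."""
        problems, prev = [], self.GENESIS
        for i, entry in enumerate(self.entries()):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["prev_entry_hash"] != prev:
                problems.append(f"entry {i}: chain broken")
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                problems.append(f"entry {i}: entry hash mismatch")
            snap = self.versions / entry["new_hash"]
            if not snap.exists() or sha256_hex(snap.read_bytes()) != entry["new_hash"]:
                problems.append(f"entry {i}: stored copy missing or altered")
            prev = entry["entry_hash"]
        return (not problems, problems)


def demo(workdir=None):
    """Constructed scenario: two users edit a ledger, then someone quietly
    rewrites the first stored copy; verify() passes before and fails after."""
    work = Path(workdir or tempfile.mkdtemp())
    ledger = work / "ledger.csv"
    audit = ChangeAudit(work / "audit")
    ledger.write_text("account,amount\nA100,1000\n")
    audit.record(ledger, "alice")
    ledger.write_text("account,amount\nA100,1000\nB200,250\n")
    bob = audit.record(ledger, "bob")
    ok_before, _ = audit.verify()
    first = audit.entries()[0]
    (audit.versions / first["new_hash"]).write_text("account,amount\nA100,9999\n")
    ok_after, problems = audit.verify()
    return {"entries": len(audit.entries()), "ok_before": ok_before,
            "ok_after": ok_after, "bob_added_row": "+B200,250\n" in bob["diff"],
            "problems": problems}
```

The chain only proves that the log and stored copies have not been altered since they were written; it does not stop an administrator with write access to the audit directory from rewriting everything consistently. In practice the log and copies should be written to storage that the people who edit the records cannot modify (a separate host, append-only or WORM storage), which is exactly the segregation-of-duties point raised later in this article.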
Ensuring anti-malware and protection tools are active and reporting:
Companies should verify the effectiveness and functionality of their cybersecurity tools in the 90 days prior to the financial report. To ensure that the security systems are up to the task of protecting the data and reporting on it, audits must be carried out. The audits can be internal or external, but documentation that they were done, together with their findings, must be presented.
Any interference with the security systems, whether from an external attack or from a fault in the system itself, must be reported. DoS or malware attacks that could compromise data must be reported even if they were addressed.
Section 404 states that annual financial reports must include an Internal Control Report stating that the company has an internal control structure that has been assessed and found effective. Any deficiencies in these controls must also be reported. In addition, an external auditor must attest to the accuracy of the company's claim that its internal accounting controls are in place and effective. These demands make Section 404 the most complicated, contested and expensive section to implement on the way to SOX compliance.
A recommended approach for IT risks and security controls:
It is helpful to divide the IT control evaluation into three sets of processes:
General IT process control:
The review of general IT controls addresses the critical IT processes that support the various IT components on which all key financial reporting tools run. IT teams may need to review the same general IT controls more than once in certain circumstances. The general IT processes most likely to need evaluation are:
- Security administration.
- Application change control.
- Data backup and recovery.
- Systems development life cycle.
Application and data owner controls:
The processes evaluated here are owned directly by the application and data owner. Those most likely to need evaluation are:
- Segregating incompatible duties (for example, administration and security).
- Implementing controls on end-user computing and reports.
- Confirming and tracking access to critical data and transactions.
- Ensuring that an established business-owner change-control process exists.
Configurable application controls:
The controls evaluated here are the IT and manual controls at the business process level, meaning the controls within the key applications that support the processes affecting the financial reports. The following application controls should be evaluated for each critical financial application in the critical business processes:
- Automated processes controls.
- Manual processes controls.
- End-user computing controls.
- Reporting controls.
- Application security controls.
- General IT controls.
IT process-level control reporting is where most of the time and effort in a SOX compliance project will be spent. At the same time, ensuring that protection tools do their job may lead to major expenses, whether from previously unknown vulnerabilities or from the need for expensive tools. These facts highlight the critical part IT teams play in what is nominally a financial regulation.