
COMPLIANCE AND GOVERNANCE DIGEST

Five steps for SOX compliance


Diana Kelley
04.12.2005


1. Read the standard

Section 404 covers management's assessment of the effectiveness of internal control over financial reporting: not just the numbers being reported, but the processes and controls that produce them. In addition to CoBiT, discussed in part one of this article, auditors use the Public Company Accounting Oversight Board (PCAOB) "Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements" as their guideline. Be warned: it is a 211-page document. But if you are responsible for a public company's financials, you need to know what's in it. (The PCAOB has since superseded Auditing Standard No. 2 with Auditing Standard No. 5, adopted in 2007; the advice to read the standard your auditors actually apply still stands.)

2. Refine "effectiveness"

While CoBiT and Standard No. 2 provide baselines and guidance for determining what is "effective," there is no single bright line that applies to every company. No accounting firm had attested to a 404 report before last year, so there is little precedent to lean on. You know your business better than anyone else. Determine for your own organization, within the guidelines of Standard No. 2, COSO and CoBiT, which controls are effective in your environment, and record the reasoning so you can defend it to the auditor.

3. Plan for reuse and real-time

Although financials, once reported, are supposed to be set in stone, the networks and controls behind them are in constant flux. A point-in-time network audit starts going stale the moment it is complete, because networks change all the time. And while the Sarbanes-Oxley Act (SOX) is a landmark regulation, it is not the only one affecting companies. A few years ago, financial services firms were scrambling to meet Title V of GLBA. Today it's SOX, but what about tomorrow? The ability to report, in near real time and in an automated manner, on the effectiveness of controls across the entire organization's infrastructure will not only ease today's SOX compliance issues but prepare the company for tomorrow's regulations. This is where vendor solutions can make a big difference. If a company has determined that a particular setting on a server housing financial information, such as "lock the account after three failed login attempts," is what makes the control "effective," then an audit tool that can report whether that policy is actually active on the server helps automate the evidence gathering. Other tools, such as security information management (SIM) consoles, change reporting and control, and compliance solutions, must be used in conjunction with corporately defined policies; a tool can only test a policy that has been stated. Used that way, they let you report on the current state of policy compliance on demand, rather than rediscovering it at the next audit.
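Here is an added example of the kind of automated policy check the paragraph describes. It is not code from the article or from any vendor product: it assumes a Linux server using pam_faillock, whose lockout threshold lives in /etc/security/faillock.conf, and the host names, the control identifier (AC-LOCKOUT-01) and the three sample files are constructed for the example. The check parses the file, compares the deny threshold with the "three failed attempts" policy and emits a timestamped evidence record per host; the summary across hosts is what a SIM console or compliance dashboard would roll up.

```python
# Added example (not from the article): automate evidence for one SOX control.
# Assumption: the server uses pam_faillock and the threshold is in
# /etc/security/faillock.conf. Hosts, control id and sample files are constructed.
import json
from datetime import datetime, timezone

# Constructed sample: a compliant faillock.conf (real files vary by distribution).
COMPLIANT_CONF = """\
# Lock the user after multiple failed authentication attempts.
dir = /var/run/faillock
silent
deny = 3
unlock_time = 900
"""

# Constructed sample: the threshold was relaxed after the last audit.
DRIFTED_CONF = """\
dir = /var/run/faillock
deny = 10
unlock_time = 60
"""

# Constructed sample: no threshold at all, so behaviour rests on the module's
# compiled-in default rather than on a policy anyone can point to.
MISSING_CONF = """\
dir = /var/run/faillock
"""


def parse_faillock_conf(text):
    """faillock.conf -> dict: 'key = value' becomes key: value, a bare flag such
    as 'silent' becomes flag: True; comments and blank lines are dropped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
        else:
            settings[line] = True
    return settings


def check_lockout_policy(conf_text, host, required_deny=3, control_id="AC-LOCKOUT-01"):
    """Evaluate the lockout threshold on one host and return an evidence record.

    PASS requires 'deny' to be explicitly set, to parse as an integer and to be
    between 1 and required_deny inclusive; a threshold of 0 is not a lockout policy.
    """
    settings = parse_faillock_conf(conf_text)
    raw = settings.get("deny")
    actual = None
    if raw is None:
        status, note = "FAIL", "deny not set; behaviour depends on an implicit default"
    else:
        try:
            actual = int(raw)
        except ValueError:
            actual = raw
            status, note = "FAIL", "deny is not an integer"
        else:
            if actual <= 0:
                status, note = "FAIL", "deny <= 0 is no lockout threshold at all"
            elif actual > required_deny:
                status, note = "FAIL", f"threshold {actual} is looser than policy"
            else:
                status, note = "PASS", "threshold meets policy"
    return {
        "control_id": control_id,
        "host": host,
        "checked_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "expected": f"1 <= deny <= {required_deny}",
        "actual": actual,
        "unlock_time": settings.get("unlock_time"),
        "status": status,
        "note": note,
    }


def summarize(records):
    """Roll per-host records up to the question an auditor asks first:
    is the control effective everywhere in scope, and if not, where not?"""
    failing = sorted(r["host"] for r in records if r["status"] != "PASS")
    return {"hosts": len(records), "failing": failing, "effective": not failing}


if __name__ == "__main__":
    records = [
        check_lockout_policy(COMPLIANT_CONF, "fin-db-01"),
        check_lockout_policy(DRIFTED_CONF, "fin-app-02"),
        check_lockout_policy(MISSING_CONF, "fin-web-03"),
    ]
    for record in records:
        print(json.dumps(record))
    print(json.dumps(summarize(records)))
```

Run as-is it reports one passing host and two failing ones; in practice you would feed it the real file collected from each in-scope server and keep the JSON records as audit evidence. The MISSING_CONF case is deliberate: an unset value is a finding even when the module's default happens to match policy, because the control has to be traceable to a decision, not to an accident of defaults.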

4. Draw the line

Taken to extremes, everything and everyone at a company could seem to affect the accuracy of the reported financials. But is the temperature control system in a development server room really something that has to be considered for the integrity of controls around financial reporting? Where possible, silo the financial systems and the processes related to them. Look at how your systems are set up and develop a stronger separation between where financial reporting is handled and the rest of your network. Technology such as firewalls, switches and VLANs that segment the network and keep the financial systems separate can help here. Keep in mind that the segmentation itself then becomes part of the control set: document the boundary, restrict who can change it, and be ready to show the auditor that it is enforced.

5. Sanity check, early and often

Since it will be the external auditors who perform the attestation, don't work in a vacuum. We've only just completed the first cycle of 404 attestations, and external auditors do not yet have final, "stand-up-in-court" answers regarding what constitutes complete 404 compliance. Don't assume you can do this alone either: another set of eyes often turns up problems you were not aware of. So, work with reputable compliance consultants to track and check where you are today, then apply that intelligence to the existing audit, reporting, compliance and SIM tools. Documentation of controls is a required part of 404 compliance, so comprehensive documentation management tools that automate and control the document creation, approval and completion process may be a necessary purchase for companies without them. Many vendors provide tools and wizards that help guide and manage the process of documenting for Sarbanes-Oxley.

>> Read part one of this article and learn about the fallacy of SOX-in-a-box.


About the author
Diana Kelley is a Senior Analyst with Burton Group. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.


All Rights Reserved, Copyright 2008 - 2009, TechTarget