During the last decade, governments and regulatory agencies have created a myriad of business and IT regulatory frameworks that must be considered by almost all companies. Regulations like Sarbanes-Oxley, Gramm-Leach-Bliley and HIPAA can have potentially disruptive impacts on enterprise processes like finance and audit as well as IT and security departments.
All have their specific requirements and debatable value but no one regulatory issue has loomed as large over the last decade as Sarbanes-Oxley (SOX). SOX regulatory compliance was designed to address two main concerns: lowering the level of enterprise risk to financial scandal and maintaining a consistent level of error-free financial reporting. However, the steps needed to meet SOX compliance requirements have been confusing to many organizations.
Many enterprises are lacking clear direction that will address SOX requirements from an IT process perspective. Let's look at how enterprises can use IT and security tools within the frameworks of COSO and COBIT to meet SOX compliance requirements.
Financial compliance and the IT environment
SOX was a legislative response to the slew of accounting scandals involving large corporations such as Enron and Tyco. The act contains many duties and corresponding penalties for corporate boards and executives. The overarching goal of SOX is to create an environment that enforces standards that ensure accuracy of financial statements filed by publicly traded companies that file a Form 10-K with the Securities and Exchange Commission (SEC).
Sections 302 and 404 are the portions of SOX that need to have the support of both finance and the IT department. These sections require yearly certification of internal controls, as verified by an independent auditor. Lack of security of financial data that results in financial misrepresentation is a violation that could subject an enterprise to fines and can subject responsible parties to imprisonment.
COSO and COBIT
Various organizations and frameworks provide the necessary guidance to comply with SOX requirements. IT departments need to be familiar with content from COSO, COBIT, the Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) to achieve a total SOX regulatory compliance picture.
Specific to IT solutions, COSO groups IT controls into two main types:
- General Controls: These include controls over access security, data center operations, systems software controls and others.
- Applications Controls: These are controls designed to monitor and control data and transactions and authorizations. These also can include application system interactions and data exchange.
However, COSO is light in guidance when it comes to implementing IT controls. Here is where the COBIT framework helps by providing an applicable standard for IT security and control practices that can impact SOX regulatory compliance efforts. Similar to COSO, it puts controls within the framework of business objectives. COBIT categorizes IT into four main process groups:
- Planning and Organization: These concern identifying the way IT can best contribute to the achievement of stated business objectives and include key processes like defining a strategic plan, defining the information architecture, ensuring compliance with external requirements and assessing risks.
- Acquisitions and Implementation: Processes to realize the IT strategy via IT solutions that need to be identified, developed or acquired and integrated into business processes. Key processes include acquiring and maintaining applications software and technology infrastructure and developing and maintaining procedures.
- Delivery and Support: Processes around the actual processing of data by application systems. Core processes include defining and managing service levels, ensuring continuous service, ensuring systems security and managing data, facilities and operations supporting IT.
- Monitor and Evaluate: All IT processes that need to be regularly assessed over time for quality and compliance with control requirements, including assessing internal control adequacy and obtaining independent assurance of these controls.
Enterprises will need to consider IT-related controls at all stages of the SOX compliance and IT engagement process, from planning to identification, documentation and testing of significant IT controls on financial processes and supporting applications. At each stage, your work should address each of the four categories of IT processes summarized above.
SOX regulatory compliance using COSO
COSO remains the most popular framework for meeting SOX Section 404 requirements, and financial managers and auditors alike have become familiar with COSO and its objectives around controls. Therefore, companies should internally focus on the IT controls, monitoring and information gathering and reporting concepts embedded in COSO. Specifically, in their SOX compliance efforts, enterprises should demonstrate how enterprise IT controls support the COSO framework. The enterprise should deploy IT control competency in the components COSO identifies as "essential" for effective internal control. These areas are: control environment, control activities, monitoring, information and communication and risk assessment.
To support COSO, in deference to SOX compliance requirements, one of several IT general control objectives is that financial reporting systems and subsystems are appropriately secured to prevent unauthorized use, disclosure, modification, damage or loss of data. If these controls are not in place, enterprises run the risk of misleading or incorrect financial reporting, in direct violation of SOX. IT security solutions are needed, in this case to ensure there are controls that support proper authorization, authentication and security monitoring. Deficiencies could negatively impact activities like financial reporting as insufficient controls over transaction authorizations could result in inaccurate financial reporting.
For this type of control objective, specific steps need to be in place such as:
- An approved IT security plan.
- Security procedures for authentications/access management of users to support transactions.
- Procedures for requesting, establishing, issuing, suspending and closing user accounts.
- Updating of the IT security plan to reflect changes in the IT environment.
- Controls such as firewalls, intrusion detection and vulnerability assessments exist and prevent unauthorized access via public networks.
- Controls relating to segregation of duties (SOD) which grant access to systems and data.
Savvy enterprises will realize that IT controls used for compliance efforts like SOX are also useful tools to enhance overall IT governance and operations and financial risk efforts going forward.
About the author:
Scott Tiazkun is an independent analyst covering finance, enterprise financial business processes and related IT solutions. He has also worked at IDC and Forrester Research as a technology analyst and consultant in various areas including enterprise software applications, healthcare IT and business process research for the office of the CFO.