Introduction to Sarbanes-Oxley
Section 302 of the Sarbanes-Oxley Act requires the Chief Executive Officer and Chief Financial Officer to certify, on a periodic basis, that they have –
- “designed internal controls” over financial reporting
- “evaluated the effectiveness” of such internal controls
Section 404 requires a corporation’s annual report to contain an internal control report that states –
- “the responsibility of management for establishing and maintaining an adequate internal control structure and procedures”
- management has performed “an assessment of the effectiveness of the internal control structure and procedures for financial reporting”
The Securities and Exchange Commission (SEC) enforces Sarbanes-Oxley for all companies publicly traded in the United States and requires management to assess internal control against a recognized controls framework such as COSO. The Public Company Accounting Oversight Board (PCAOB) sets the standards for external auditors; its Auditing Standard No. 2 (since superseded by Auditing Standard No. 5) stressed the importance of IT controls to financial reporting, and COBIT is the IT control framework most commonly mapped to those requirements. Most organizations implement recognized IT control frameworks such as ITIL, COBIT, COSO, ISO 17799 (now ISO/IEC 27002) and BS 7799 (now ISO/IEC 27001) to meet SOX mandates.
In order to comply with SOX, organizations must:
- Map the IT systems that support internal control and the financial reporting process to the financial statements
- Identify risks related to these IT systems
- Design and implement controls that mitigate the identified risks
- Document and test IT controls
- Ensure that IT controls are updated and changed as necessary to correspond with changes in internal control or financial reporting processes
- Monitor IT controls for effective operation over time
Section 404 does not set a disclosure deadline; real-time disclosure of material changes in financial condition is Section 409, which the SEC implements through its Form 8-K rules (a four-business-day deadline for most reportable events). Section 404 is about internal control: to comply with it, you must implement IT general controls (change management, logical access, operations) and application controls that ensure the integrity of the financial reports. These controls are designed to prevent or detect unauthorized transactions and to support the financial assertions of completeness, accuracy, authorization and validity of transactions.
Antifraud controls are very important under the Sarbanes-Oxley Act. Fraud was the principal reason for introducing Sarbanes-Oxley in the first place, so sufficient and appropriate attention must be given to this issue. Two examples of control weaknesses that enable fraud:
- Segregation of duties: users can initiate and authorize their own financial transactions (journal postings).
- Access controls: privileged users can access sensitive information, such as payroll data, allowing them to add fictitious employees.
How can Securonix help with SOX compliance?
The Securonix Security Intelligence Platform provides comprehensive controls in three major areas of SOX compliance:
Access Related Controls
Securonix Access Risk Intelligence uses peer group analysis to identify rogue access to financially critical data, comparing each user's entitlements against those of peers with the same job function. Rogue access can be sent to business managers and application owners for review. The Securonix solution also monitors for both access-based separation of duties violations (a single identity holding a toxic combination of entitlements) and activity-based violations (a single identity actually performing both sides of a transaction). The Securonix solution is identity lifecycle aware and performs continuous control checks, such as detecting a terminated user's account being used to conduct activity after the termination date.
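The three detective checks described above (access-based SoD, activity-based SoD, and post-termination account use) are simple enough to show end to end. The following is an added example written for this page, not Securonix code or a description of how its product is implemented; the entitlement model, the event fields, the toxic-combination rule and the HR termination feed are all constructed sample data and are assumptions made for illustration.

```python
from datetime import datetime
from collections import defaultdict

# Constructed sample GL application audit events (not from any real system).
# Each record: who did what to which journal entry, and when (ISO 8601).
JOURNAL_EVENTS = [
    {"user": "alice", "action": "initiate", "journal": "JE-1001", "ts": "2024-03-01T09:00:00"},
    {"user": "bob",   "action": "approve",  "journal": "JE-1001", "ts": "2024-03-01T10:00:00"},
    {"user": "carol", "action": "initiate", "journal": "JE-1002", "ts": "2024-03-02T09:30:00"},
    {"user": "carol", "action": "approve",  "journal": "JE-1002", "ts": "2024-03-02T09:31:00"},
    {"user": "dave",  "action": "initiate", "journal": "JE-1003", "ts": "2024-03-05T11:00:00"},
    {"user": "erin",  "action": "approve",  "journal": "JE-1003", "ts": "2024-03-06T08:00:00"},
]

# Constructed entitlement snapshot from the GL application (assumed role names).
ENTITLEMENTS = {
    "alice": {"gl_post"},
    "bob":   {"gl_approve"},
    "carol": {"gl_post", "gl_approve"},   # holds both sides of the journal workflow
    "dave":  {"gl_post"},
    "erin":  {"gl_approve"},
}

# Toxic combinations: sets of entitlements no single identity should hold at once.
SOD_RULES = [
    ({"gl_post", "gl_approve"}, "can initiate and approve journal postings"),
]

# Constructed HR feed: termination timestamps per user.
TERMINATIONS = {"dave": "2024-03-04T17:00:00"}


def access_sod_violations(entitlements, rules):
    """Access-based SoD: identities whose entitlements contain a toxic combination."""
    hits = []
    for user, roles in sorted(entitlements.items()):
        for combo, description in rules:
            if combo <= roles:
                hits.append((user, description))
    return hits


def activity_sod_violations(events):
    """Activity-based SoD: the same user both initiated and approved one journal.

    This catches violations even when entitlements were clean at snapshot time
    (e.g. a role granted and revoked between two access reviews).
    """
    actors = defaultdict(lambda: defaultdict(set))
    for e in events:
        actors[e["journal"]][e["action"]].add(e["user"])
    hits = []
    for journal, by_action in sorted(actors.items()):
        for user in sorted(by_action["initiate"] & by_action["approve"]):
            hits.append((journal, user))
    return hits


def post_termination_activity(events, terminations):
    """Lifecycle check: activity by an account after its owner's termination time."""
    hits = []
    for e in events:
        term = terminations.get(e["user"])
        if term is None:
            continue
        if datetime.fromisoformat(e["ts"]) > datetime.fromisoformat(term):
            hits.append((e["user"], e["journal"], e["ts"]))
    return hits


def run_all():
    """Convenience wrapper returning every finding as one dict, for reporting."""
    return {
        "access_sod": access_sod_violations(ENTITLEMENTS, SOD_RULES),
        "activity_sod": activity_sod_violations(JOURNAL_EVENTS),
        "post_termination": post_termination_activity(JOURNAL_EVENTS, TERMINATIONS),
    }


if __name__ == "__main__":
    for check, findings in run_all().items():
        print(check, findings)
```

Note that the activity-based check is independent of the entitlement snapshot: it would still flag carol even if her `gl_approve` role had been removed before the access review ran, which is why both checks are needed. The post-termination check only uses a strict comparison against the termination timestamp; in practice you would also want to reconcile the HR feed against account status in the directory, since a terminated user whose account was never disabled is the finding that matters.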
Security Testing, Surveillance and Monitoring
The Securonix solution proactively tests and monitors the IT security infrastructure. Using behavior-based anomaly detection, it allows for early prevention and/or detection and reporting of unusual activity, and it monitors for unauthorized attempts to gain access to financial reporting systems and their subsystems. It also allows you to search historical log data and construct your own queries to monitor that data as required.
The Securonix solution monitors your financial systems for fraudulent transactions conducted by insiders or external attackers. It uses behavior-based techniques to identify potential fraud, including substantial deviations in the amounts posted to sales, cost and asset accounts that would materially affect your financial reports.
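One concrete way to implement the "substantial deviation in amounts" check is a robust outlier score per account: compare each new posting against the median and median absolute deviation (MAD) of that account's recent history, which is not distorted by a handful of earlier outliers the way a mean and standard deviation would be. This is an added illustration for this page, not Securonix's detection logic; the posting history, the 3.5 threshold (the Iglewicz-Hoaglin modified z-score convention) and the account name are constructed assumptions.

```python
import statistics

# Constructed posting history for one GL account (assumed name), oldest first.
SALES_HISTORY = [1010.0, 985.0, 1002.5, 1020.0, 995.0, 1005.0, 990.0, 1015.0]

# Modified z-score threshold commonly used with the MAD estimator (assumption).
DEFAULT_THRESHOLD = 3.5


def modified_z(history, amount):
    """Return the modified z-score of `amount` against `history`.

    score = 0.6745 * |amount - median| / MAD, where 0.6745 rescales the MAD so
    that it is comparable to a standard deviation for normally distributed data.
    Edge case: if every historical amount is identical, MAD is 0 and any
    different amount is treated as infinitely unusual rather than dividing by 0.
    """
    if len(history) < 2:
        raise ValueError("need at least two historical postings for a baseline")
    median = statistics.median(history)
    mad = statistics.median(abs(x - median) for x in history)
    if mad == 0:
        return 0.0 if amount == median else float("inf")
    return 0.6745 * abs(amount - median) / mad


def flag_posting(history, amount, threshold=DEFAULT_THRESHOLD):
    """Return (flagged, score) for a new posting against an account's history."""
    score = modified_z(history, amount)
    return score > threshold, score


def review_postings(history, new_amounts, threshold=DEFAULT_THRESHOLD):
    """Score a batch of new postings in order, growing the baseline only with
    postings that were not flagged, so one large anomaly cannot poison the
    baseline for the next one.
    """
    baseline = list(history)
    findings = []
    for amount in new_amounts:
        flagged, score = flag_posting(baseline, amount, threshold)
        findings.append((amount, flagged, round(score, 3)))
        if not flagged:
            baseline.append(amount)
    return findings


if __name__ == "__main__":
    for amount, flagged, score in review_postings(SALES_HISTORY, [1000.0, 48000.0, 1012.0]):
        print(f"{amount:>10.2f}  score={score:<10}  {'FLAG' if flagged else 'ok'}")
```

For the constructed history the median is 1003.75 and the MAD is 10.0, so a 1000.00 posting scores about 0.25 and passes while a 48000.00 posting scores in the thousands and is flagged. The threshold and the baseline window are tuning decisions: a real deployment would keep a per-account (or per-account-per-period) baseline, since year-end accruals legitimately look nothing like mid-month activity.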