Sarbanes-Oxley: From regulatory requirements to IT impacts and technology solutions

Sponsored by: www.ITCinstitute.com
Page 1: ITCi CI SOX 061505 - download.101com.comdownload.101com.com/pub/itci/files/ITCi_CompINSIGHT_SOXFINAL.pdf · • As it refers to business continuity (BC) and disaster recovery planning



www.ITCinstitute.com 1

This in-depth white paper provides a solid definition of Sarbanes-Oxley, some of the surrounding interpretations of Sarbanes-Oxley’s key sections, and how to deal with what an IT staff needs to understand, do, and document in order to bring internal controls in line with Sarbanes-Oxley requirements. It also provides insight into specific tools and technologies available to simplify compliance initiatives.

Table of Contents

2 Sarbanes-Oxley Act and its impact on control objectives
3 Intent of Sarbanes-Oxley
4 § 105 Full-time availability of data
4 § 302 Corporate responsibility for financial reports
4 § 403 Web site records
5 § 404 Management assessment of internal controls
11 § 409 Material changes
11 § 802 Dealing with data
12 § 1102 Tampering with a record or impeding an official proceeding
12 Dealing with Sarbanes-Oxley
13 Top-down sample plan for Sarbanes-Oxley compliance
14 Sarbanes-Oxley: IT impact zones
26 Solutions for Sarbanes-Oxley
30 ComplianceINSIGHT: Solution Sponsors
31 Epilogue: Ten steps for sustaining compliance benefits
34 References

About the IT Compliance Institute

The IT Compliance Institute (ITCi) strives to be a global authority on the role of technology in business governance and regulatory compliance. Through comprehensive education, research, and analysis related to emerging government statutes and affected business and technology practices, we help organizations overcome the challenges posed by today’s regulatory environment and find new ways to turn compliance efforts into capital opportunities.

ITCi’s primary goal is to be a useful and trusted resource for IT professionals seeking to help businesses meet privacy, security, financial accountability, and other regulatory requirements. Targeted at CIOs, CTOs, compliance managers, and information technology professionals, ITCi focuses on regional- and vertical-specific information that promotes awareness and propagates best practices within the IT community.

For more information, please visit: www.ITCinstitute.com

Design elements, front matter, and content on pages 29-31 are copyright © 2005 IT Compliance Institute, a division of 101 Communications LLC. Content on pages 26-28 is copyright © 2005 Stellent, Inc. All other content is copyright © 2004 Network Frontiers, LLC. Portions of the content are derived from © 1994, 1996, 2003 The Backup Book ISBN 0-9729039-0-9. All rights are reserved for all copyright holders.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under § 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the copyright holder.

Limit of Liability/Disclaimer of Warranty: While the copyright holders, publishers, and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be usable for your situation. You should consult with a professional where appropriate. Neither the publishers nor authors shall be liable for any loss of profit or any other commercial damages, including, but not limited to, special, incidental, consequential, or other damages.

All trademarks cited herein are the property of their respective owners.


Compliance INSIGHT: Sarbanes-Oxley


Sarbanes-Oxley Act and its impact on control objectives

The Sarbanes-Oxley Act (SOX) was passed in 2002.[1] Most public companies must comply by June 15, 2004; smaller U.S. businesses and foreign companies must comply by April 2005. By providing strict guidelines for publicly traded company corporate governance, this act addresses several aspects regarding:

• Security and controls of accounting and auditing processes.
• Oversight of accounting and audit practices.
• Financial record retention.

Examples include development of policies and practices for use of data integrity and confidentiality in handling complaints. The most important parts of SOX for IT revolve around sections 302 and 404, which require organizations to disclose their internal financial reporting controls as well as an assessment of how well those controls are working. But what that actually means for IT isn’t well understood. As recently as January 2004 one of the “Law, Public Policy and Standards Experts” at SearchSecurity.com was asked what this all means for an IT infrastructure. In an overly vague answer, he stated that the “wise IT administrator would implement as many best practices as possible,” and then named several IT security frameworks (NIST, ISO 17799, NSA Gold Standard) that could be used as guidance.[2] Other “experts” are just as in the dark about what to do relating to internal control objectives. Why is that so?

The answer lies in the broad-term verbiage that the SOX act uses to define internal controls, the somewhat less broad-term verbiage that the Securities and Exchange Commission (SEC) as well as the Public Company Accounting Oversight Board (PCAOB, the folks who watch the auditors who watch the companies) uses, and the fact that they all point to a set of massive tomes that serve as security frameworks, such as:

• COSO (Committee of Sponsoring Organizations of the Treadway Commission), which released the Enterprise Risk Management (ERM) framework that provides information on enterprise risk management for all organizations. The framework also identifies the interrelationships between enterprise risk management and internal control.
• CobiT (Control Objectives for Information and Related Technology), published by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA), which provides an in-depth governance model for IT operations.
• ISO-17799, which provides a framework for implementing an information security program through its definition of a variety of security controls and its risk management approach.

The good news is that each of these documents describes internal control as a process with certain definable objectives that can be reached through proper assessment, control activities, and monitoring. What this white paper attempts to provide is a solid definition of SOX, some of the surrounding interpretations of SOX’s section 404 (such as those from the SEC, PCAOB, IT Governance Institute, and auditors such as Ernst & Young), and how to deal with what an IT staff needs to understand, do, and document in order to bring internal controls in line with SOX requirements.

[1] (2002). The Sarbanes-Oxley Act of 2002.

[2] Beaver, K. (2004). Sarbanes-Oxley discusses internal controls, but what exactly does that mean in regards to infrastructure? SearchSecurity.com.

Intent of Sarbanes-Oxley

Because the primary objective of SOX is to assure the integrity of an organization’s financial statements, the CEO and CFO are required to certify the accuracy of those financial statements and make the related material available to the public. In this case, security classification of certain stored information changes from company-confidential to public-use with the release of the financial statement. It requires executive officer certification of financial results, disclosure controls, and procedures; it also requires accelerated report filing. Auditing firms, for example, have to keep every document that influences a report about a client—including e-mail, instant messaging, or even sticky notes with facts and figures—for at least seven years.

Section 404 mandates that each annual report also contain an internal control report that states the responsibility of the organization’s management in establishing and maintaining an adequate internal control structure, as well as the procedures used for financial reporting. The control report must also contain an assessment, at the end of the issuer’s most recent fiscal year, of the effectiveness of the internal control structure and procedures for financial reporting. The auditor must also attest to, and report on, the assessment made by the management of the issuer. SOX thereby sets forth very strong requirements that organizations implement an internal control framework in which general computer integrity and confidentiality controls play a key role. Here are some of the highlights:

• Management certification that quarterly and annual reports as well as related disclosures reflect accurately in all material respects the company’s financial position (§ 302).
• Management certification that material information relating to the company’s financial condition is surfaced through disclosure controls and procedures that are in place (§ 302).
• Management and auditor’s certification that financial report preparation processes have effective internal controls and procedures, and identification of the internal control framework (§ 404). What has become the largest issue to date is the definition of internal control, because SOX wasn’t very precise in its language.
• Rapid disclosure of material changes in financial condition and operations (§ 409).
• As it refers to business continuity (BC) and disaster recovery planning (DRP), preserving and maintaining the systems that process and store the records takes on increased importance.


§ 105 Full-time availability of data

Section 105 deals with investigations and the usage of documents. The part that is important for us is that it states that the board (of the organization) may require the production of “audit work papers and any other document or information…to verify the accuracy of any documents or information supplied.”

§ 105.2 deals with testimony and document production, whereby it grants the Board the ability to:

(B) Require the production of audit work papers and any other document or information in the possession of a registered public accounting firm or any associated person thereof, wherever domiciled, that the Board considers relevant or material to the investigation, and may inspect the books and records of such firm or associated person to verify the accuracy of any documents or information supplied;

(C) Request the testimony of, and production of any document in the possession of, any other person, including any client of a registered public accounting firm that the Board considers relevant or material to an investigation under this section, with appropriate notice, subject to the needs of the investigation, as permitted under the rules of the Board; and

(D) Provide for procedures to seek issuance by the Commission, in a manner established by the Commission, of a subpoena to require the testimony of, and production of any document in the possession of, any person, including any client of a registered public accounting firm, that the Board considers relevant or material to an investigation under this section.

§ 302 Corporate responsibility for financial reports

The CEO and CFO must prepare a statement certifying financial statements and disclosures. Therefore, neither of them will want any surprises from any of the information feeding into the financial system.

(a)(1) The signing officer has reviewed the report; (2) based on the officer’s knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading.

Especially since § (a)(5) states that an analysis had better be performed with a “weaknesses” report being filed and presumably on the way to being fixed.

(a)(5) The signing officers have disclosed to the issuer’s auditors and the audit committee of the board of directors (or persons fulfilling the equivalent function)—(A) all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer’s ability to record, process, summarize, and report financial data and have identified for the issuer’s auditors any material weaknesses in internal controls.

What those internal controls are, and what kinds of weaknesses can be discovered, will be defined in the next section.

§ 403 Web site records

Section 403 requires organizations that have a corporate Web site to post, within a specified time, a statement regarding major changes in the ownership of stock. Amending section 16 of the Securities and Exchange Act of 1934 (§ 16(a)(4)(C)):

The issuer (if the issuer maintains a corporate website) shall provide that statement on that corporate website, not later than the end of the business day following that filing.

The SEC then amended 17 CFR 240.16a-3(k) to state:

Any issuer that maintains a corporate website shall post on that website by the end of the business day after filing any Form 3, 4 or 5 filed under section 16(a) of the Act as to the equity securities of that issuer. Each such form shall remain accessible on such issuer’s website for at least a 12-month period. In the case of an issuer that is an investment company and that does not maintain its own website, if any of the issuer’s investment adviser, sponsor, depositor, trustee, administrator, principal underwriter, or any affiliated person of the investment company maintains a website that includes the name of the issuer, the issuer shall comply with the posting requirements by posting the forms on one such website.[3]

This means that affected organizations will need to be able to retain and manage adequate documentation of the posting, which includes metadata information about when it was posted, where it was posted, and how soon it was made available to the public.

§ 404 Management assessment of internal controls

An internal control report must accompany the annual report. Therefore the CXOs will have to take responsibility for, and address the effectiveness of, their internal controls. This means that all internal processes that are supported by technology will have to be examined and tested regularly.

It will be the (1) responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuers for financial reporting.

To better understand this concept of internal controls, we first need to turn to the SEC and the PCAOB.

The SEC on internal controls

In June of 2003, the SEC released its final rule on Management’s Reports on Internal Control over Financial Reporting,[4] aimed at adopting rules requiring companies to include in their annual reports a section on management of the company’s internal control over financial reporting. Among other items the report is to address, it must have:

• A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the company.
• Management’s assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the company’s most recent fiscal year.
• A statement identifying the framework used by management to evaluate the effectiveness of the company’s internal control over financial reporting.
• A statement that the registered public accounting firm that audited the company’s financial statements included in the annual report has issued an attestation report on management’s assessment of the company’s internal control over financial reporting.[5]

The SEC also adopted amendments to the rules and forms under the Securities Exchange Act of 1934, and the Investment Company Act of 1940, by revising the section 302 certification requirements as exhibits to certain periodic reports. What becomes very interesting to us is the discussion of the amendments implementing section 404.

In the discussion section, the SEC noted that there had been some confusion over the exact meaning and scope of the term “internal control,” further admitting that the term had evolved over a long period of time. The SEC admitted from the outset that “internal control is a broad concept that extends beyond the accounting functions of a company.”[6] The release then walks through several iterations of the term that we can ignore for our purposes, other than to note that the definition gradually began to evolve into one of defining internal controls as a part of a framework of overarching organizational controls. The release then points to COSO as one such framework.

[3] (2003). Final Rule: Mandated Electronic Filing and Website Posting for Forms 3, 4 and 5. 17 CFR Parts 230, 232, 239, 240, 249, 250, 259, 260, 269 and 274. Release nos. 33-8230, 34-47809, 35-27674, IC-26044.

[4] (2003). Final Rule: Management’s Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports. 17 CFR Parts 210, 228, 229, 240, 249, 270 and 274. Release nos. 33-8238; 34-47986; IC-26068.

[5] Ibid. Summary.

[6] Ibid. § II.A.1 Proposed Rule.


In 1985, a private-sector initiative known as the National Commission on Fraudulent Financial Reporting (the Treadway Commission) was formed to study the financial reporting system in the United States. In 1987, it issued a report recommending that its Committee of Sponsoring Organizations (COSO) work together to integrate the various internal control concepts and definitions and to develop a common reference point. As related in the SEC release, the COSO framework defines internal control as:

A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in three categories:

• effectiveness and efficiency of operations;
• reliability of financial reporting; and
• compliance with applicable laws and regulations.[7]

These internal controls consist of a five-layered approach: the control environment, risk assessment, control activities, information and communication, and monitoring. This assures that the scope of internal control extends to policies, plans, procedures, processes, systems, activities, functions, projects, initiatives, and endeavors of all types at all levels of an organization.

From this definition, the SEC notes that the American Institute of Certified Public Accountants (AICPA) incorporated the COSO definition in their Statement on Auditing Standards (SAS No. 78, codified as AU § 319), and that is the version that the SEC used in its definition as it “constitute[s] a more formal and widely accessible version of the definition.” The final rules define internal control over financial reporting as:

A process designed by, or under the supervision of, the registrant’s principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:

1. Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant.

2. Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant.

3. Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant’s assets that could have a material effect on the financial statements.[8]

The SEC then goes on to note that in clause three, the safeguarding of assets is one of the elements of internal control over financial reporting that wasn’t in AU § 319. However, the safeguarding of assets has been a primary objective of internal accounting control as far back as SAS No. 1. This clause was drawn from the 1994 COSO addendum to the “Reporting to External Parties” volume of the COSO Report. The addendum’s definition of internal controls was appropriate to the SEC’s needs because the SEC’s definition will be “used for purposes of public management reporting, and that the companies that will be subject to the section 404 requirements also are subject to the FCPA requirements.”

The SEC falls short of making COSO the mandatory framework for internal controls, however. The COSO framework:

May be used as an evaluation framework for purposes of management’s annual internal control evaluation and disclosure requirements. However, the final rules do not mandate use of a particular framework, such as the COSO framework, in recognition of the fact that other evaluation standards exist outside of the United States, and that frameworks other than COSO may be developed within the United States in the future.[9]

As Scott Taub, the deputy chief accountant for the SEC, reiterated in a speech on the SEC’s Internal Control Report,[10] SOX does not specify a framework for internal controls assessment. Instead, the framework must be a suitable, recognized framework established by a body or a group following due process and public comment—and he then noted that COSO was the most well-known framework that met this description. He also stated that the issue isn’t that an organization merely has internal controls, but that “some actual testing of controls will need to be performed by the management.” And that is where the PCAOB comes into play.

The PCAOB on internal controls effectiveness

The PCAOB is a private-sector, non-profit corporation that was created by the SOX act of 2002 to oversee the auditors of public companies in order to protect the interests of investors and further the public interest in the preparation of informative, fair, and independent audit reports.

In March of 2004 the PCAOB released an auditing standard[11] that focuses specifically on section 404, and is based entirely on the COSO framework. This standard includes requirements for auditors to understand how transactions are created, flow through the organization, and are recorded. These transactions use IT systems, and the reliability of the systems is integrated from the level of documents all the way through the computer itself, the network, power, and facilities. If you think about what can go awry with the internal controls, you have to think through the entire range of IT assets.[12]

Information flows through technology, and Table 1 collectively denotes the range of information and technology systems involved in the financial reporting process.

Table 1: IT Assets

Internal Operations Controls
  Executive Leadership (CXO, Board)
  Business Processes (Finance, Merchandising, Manufacturing, Logistics)

Internal IT Systems Controls
  Assets (columns): Documents | Apps | OSes | Storage | Hardware | Network | Power | Building
  Control objectives (rows, applied to each asset): Confidentiality | Integrity | Availability

Within the audit guidelines, the PCAOB has the following suggestion for the auditor who is attempting to understand the internal controls an organization uses over financial reporting and financial reporting systems:

The auditor should understand how internal control over financial reporting is designed and operates to evaluate and test its effectiveness. The auditor obtains a substantial amount of this understanding when evaluating management’s assessment process.

The auditor also should be satisfied, however, that the controls actually have been implemented and are operating as they were designed to operate. Thus, while inquiry of company personnel and a review of management’s assessment provide the auditor with an understanding of how the system of internal control is designed and operates, other procedures are necessary for the auditor to confirm his or her understanding.

The proposed auditing standard would have the auditor confirm his or her understanding by performing procedures that include making inquiries of and observing the personnel who actually perform the controls; reviewing documents that are used in, and that result from, the application of the controls; and comparing supporting documents (for example, sales invoices, contracts, and bills of lading) to the accounting records. The most effective means of accomplishing this objective is for the auditor to perform “walkthroughs” of the company’s significant processes. For this reason, and because of the importance of several other objectives that walkthroughs accomplish, the proposed auditing standard would require the auditor to perform walkthroughs in each audit of internal control over financial reporting.

In a walkthrough, the auditor traces all types of company transactions and events—both those that are routine and recurring and those that are unusual—from origination, through the company’s accounting and information systems and financial report preparation processes, to their being reported in the company’s financial statements. Walkthroughs provide the auditor with audit evidence that supports or refutes his or her understanding of the process flow of transactions, the design of controls, and whether controls are in operation. Walkthroughs also help the auditor to determine whether his or her understanding is complete and provide information necessary for the auditor to evaluate the effectiveness of the design of the internal control over financial reporting.[13]

[7] More on the COSO framework can be found online in (2004). Internal Control—Integrated Framework Executive Summary, The Committee of Sponsoring Organizations of the Treadway Commission.

[8] (2003). Final Rule: Management’s Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports. 17 CFR Parts 210, 228, 229, 240, 249, 270 and 274. Release nos. 33-8238; 34-47986; IC-26068. § II.A.3 Final Rules. This then becomes codified as 15d-15: Controls and procedures. 17 CFR 240.15d-15(f).

[9] (2003). Final Rule: Management’s Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports. 17 CFR Parts 210, 228, 229, 240, 249, 270 and 274. Release nos. 33-8238; 34-47986; IC-26068. § II.B.3.a Final Rules.

[10] Taub, S. A. (2003). The SEC’s Internal Control Report Rules and Thoughts on the Sarbanes-Oxley Act, U.S. Securities and Exchange Commission.

[11] (2004). Proposed auditing standard—an audit of internal control over financial reporting performed in conjunction with an audit of financial statements, Public Company Accounting Oversight Board.

[12] This range of assets, and most protection methodologies, is well covered in Cougias, D., E. L. Heiberger, et al. (2003). The Backup Book, Disaster Recovery from Desktop to Data Center. Silicon Valley, CA, Shaser-Vartan Books.

Beyond the walkthrough that the auditor should perform, the auditor has to know certain information about the design of the controls and how they relate to each of the other components. Remember, a control system is only as good as the connections of its linkages. Therefore, section 49 of the PCAOB audit document states that the auditor must obtain an understanding of the design of controls related to each component of internal control over financial reporting, as discussed below,[14] which follow the COSO Control Components list exactly. The list below is a combination of material from the PCAOB report and more IT-specific information excerpted from the Executive Summary of the COSO Report issued in 1992.[15]

[13] (2004). Proposed auditing standard—an audit of internal control over financial reporting performed in conjunction with an audit of financial statements, Public Company Accounting Oversight Board. Page 12.

[14] Ibid. Audit instructions, § 49.

[15] There are whole aspects that have been omitted here because they don’t apply to IT, such as information that deals with the board of directors, management’s operating style, etc.

1. Control Environment

Because of the pervasive effect of the control environment on the reliability of financial reporting, the auditor’s preliminary judgment about its effectiveness often influences the nature, timing, and extent of the tests of operating effectiveness considered necessary. Weaknesses in the control environment should cause the auditor to alter the nature, timing, or extent of tests of operating effectiveness that otherwise would have been performed.

Integrity and Ethical Values

• Existence and implementation of codes of conduct and other policies regarding acceptable business practice, conflicts of interest, or expected standards of ethical and moral behavior.

• Dealings with employees, suppliers, customers, investors, creditors, insurers, competitors, and auditors, and so on (e.g., whether management conducts business on a high ethical plane, and insists that others do so, or pays little attention to ethical issues).

Commitment to Competence

• Formal or informal job descriptions or other means of defining tasks that comprise particular jobs.

• Analyses of the knowledge and skills needed to perform jobs adequately.

Organizational Structure

• Adequacy of definition of key managers’ responsibilities, and their understanding of these responsibilities.

• Adequacy of knowledge and experience of key managers in light of responsibilities.


Assignment of Authority and Responsibility

• Assignment of responsibility and delegation of authority to deal with organizational goals and objectives, operating functions and regulatory requirements, including responsibility for information systems and authorizations for changes.

• Appropriateness of control-related standards and procedures, including employee job descriptions.

• Appropriate numbers of people, particularly with respect to data processing and accounting functions, with the requisite skill levels relative to the size of the entity and nature and complexity of activities and systems.

Human Resource Policies and Practices

• Appropriateness of remedial action taken in response to departures from approved policies and procedures.

• Adequacy of employee candidate background checks, particularly with regard to prior actions or activities considered to be unacceptable by the entity.

• Adequacy of employee retention and promotion criteria and information gathering techniques (e.g., performance evaluations) and relation to the code of conduct or other behavioral guidelines.

2. Risk Assessment

When obtaining an understanding of the company’s risk assessment process, the auditor should evaluate whether management has identified the risks of material misstatement in the significant accounts and disclosures and related assertions of the financial statements and has implemented controls to prevent or detect material misstatements. For example, the risk assessment process should address how management considers the possibility of unrecorded transactions or identifies and analyzes significant estimates recorded in the financial statements. Risks relevant to reliable financial reporting also relate to specific events or transactions.

Entity-level risks

Adequacy of mechanisms to identify risks arising from such external factors as the following:

• Technological developments
• New legislation or regulation
• Natural catastrophe

Adequacy of mechanisms to identify risks arising from such internal factors as the following:

• Disruption in information systems
• Quality of personnel hired and methods of training and motivation
• Change in management responsibilities
• Nature of the entity’s activities and employee accessibility to assets

3. Control Activities

The auditor’s understanding of control activities relates to the controls that management has implemented to prevent or detect material misstatement in the accounts and disclosures and related assertions of the financial statements. For the purposes of evaluating the effectiveness of internal control over financial reporting, the auditor’s understanding of control activities encompasses a broader range of accounts and disclosures than what is normally obtained for the financial statement audit.

Policies and Procedures

• Compliance policies and procedures should be in place.

Information Systems General Controls

• Data Center Operations Controls include job setup and scheduling, operator actions, backup and recovery procedures, and contingency or disaster recovery planning. In sophisticated environments, capacity planning and resource allocation and use are also included.

• System Software Controls should cover the effective acquisition, implementation, and maintenance of system software/operating system, database management systems, telecommunications software, security software, and utilities. System logging, tracking, and monitoring are also covered.

• Access Security Controls ensure that appropriate access should be authorized for those needing the systems to perform desired work. A variety of practices can be used to grant or limit access; for example, special “dial-up” numbers, review of user profiles, and use of passwords or user IDs.

• Application Controls are designed to ensure the completeness and accuracy of transaction processing, authorization, and validity. Application interfaces are particularly important because they are often linked to other systems that need control to ensure that all inputs for processing are received and that all outputs are distributed appropriately. In many applications, computerized edit checks can prevent errors from entering the system, and can detect and correct them if they are present.

4. Information and Communication

The auditor’s understanding of management’s information and communication involves understanding the same systems and processes that he or she addresses in an audit of financial statements. In addition, this understanding includes a greater emphasis on comprehending the safeguarding controls and the processes for authorization of transactions and the maintenance of records, as well as the period-end financial reporting process.

Information

• Obtaining external and internal information, and providing management with necessary reports on the entity’s performance relative to established objectives.

• Providing information to the right people in sufficient detail and in time to enable them to carry out their responsibilities efficiently and effectively.

Communication

• Effectiveness with which employees’ duties and control responsibilities are communicated.

• Timely and appropriate follow-up action by management resulting from communications received from customers, vendors, regulators, or other external parties.

5. Monitoring

The auditor’s understanding of management’s monitoring of controls extends to and includes its monitoring of all controls, including control activities, which management has identified and designed to prevent or detect material misstatement in the accounts and disclosures and related assertions of the financial statements.

Ongoing Monitoring

• Extent to which personnel, in carrying out their regular activities, obtain evidence as to whether the system of internal control continues to function.

• Whether personnel are asked periodically to state whether they understand and comply with the entity’s code of conduct and regularly perform critical control activities.

• Effectiveness of internal audit activities.

Separate Evaluations

• Scope and frequency of separate evaluations of the internal control system.

• Appropriateness of the evaluation process.

• Whether the methodology for evaluating a system is logical and appropriate.

• Appropriateness of the level of documentation.

PCAOB then specifies that some controls might “have a pervasive effect on achieving many overall objectives of the control criteria” and uses as an example IT controls over program development, program changes, computer operations, and access to programs and data.16 This is reiterated in § 104, but isn’t the only section that refers to IT processes, technology, or IT controls:

• Section 67 (the nature of assertions) states that to test the relevancy of assertions, the IT infrastructure has to be understood.

• Section 69 of the audit instructions declares that the auditor also needs to focus on significant processes, with an understanding of the flow of transactions and the points where a misstatement could arise, as well as identifying the controls that management has in place to ensure that a misstatement doesn’t happen. This is reiterated in § 120.

• As a part of period-end financial reporting (§ 72), the auditor must also evaluate “the extent of information technology involvement in each period-end financial reporting process element,” among other items.

• Section 74 delineates the risks involved if controls aren’t operating effectively, noting that many other controls rely upon those within the realm of information technology.

• Section 81 suggests that “rather than reviewing copies of documents and making inquiries of a single person at the company, the auditor should follow the process flow using the same documents and information technology that company personnel use and make inquiries of relevant personnel involved in significant aspects of the process or controls.”

• Section 82 follows up this thought that information technology controls are a fundamental aspect of other, automated controls when it states that testing a single operation of an automated control (versus testing all operations) should be sufficient—as long as the IT controls are functioning effectively.

Examples are given regarding how information technology supports daily programmed and manual controls (example B-1), weekly programmed and manual controls (example B-4), and the role information technology plays within information and communication in small- and medium-sized companies (§ E11).

Clearly, as seen by the PCAOB, information technology plays a business function, activity, and transactional role.

16 (2004). Proposed auditing standard—an audit of internal control over financial reporting performed in conjunction with an audit of financial statements, Public Company Accounting Oversight Board. Audit Instructions § 50.

§ 409 Material changes

Any material changes that affect financial disclosures will have to be reported on a “rapid and current basis.” That means that depending upon the material change, these reports might have to be transmitted in less than 48 hours.

Each issuer reporting under section 13(a) or 15(d) shall disclose to the public on a rapid and current basis such additional information concerning material changes in the financial condition or operation of the issuer…

§ 802 Dealing with data

Section 802 deals with data issues per se, and can be broken into three separate warnings as described below.

§ 802(a) Altering or destroying data

All business records, including electronic records and electronic messages, must be saved for “not less than five years.” The consequences for non-compliance are fines, imprisonment, or both. Sections 801 and 802 of SOX contain the rules that impact IT records management. The first rule deals with destruction, alteration, or falsification of records.

Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.17

§ 802(a)(1) Retention periods

The second rule defines the retention period for records storage. Best practices indicate that corporations should securely store all business records using the same guidelines set for public accountants.

Any accountant who conducts an audit of an issuer of securities to which section 10A(a) of the Securities Exchange Act of 1934 (15 U.S.C 78j-1(a)) applies, shall maintain all audit or review workpapers for a period of 5 years from the end of the fiscal period in which the audit or review was concluded.

17 Staff, I. (2003). Sarbanes-Oxley Compliance—The Cloud or the Silver Lining? TripWire.

§ 802(a)(2) Types of records to store

This third rule defines the type of business records that need to be stored, including all business records, communications, and electronic communications.

The SEC shall promulgate, within 180 days, such rules and regulations, as are reasonably necessary, relating to the retention of relevant records such as workpapers, documents that form the basis of an audit or review, memoranda, correspondence, communications, other documents, and records (including electronic records) which are created, sent, or received in connection with an audit or review and contain conclusions, opinions, analyses, or financial data relating to such an audit or review.

§ 1102 Tampering with a record or impeding an official proceeding

And way down here we can find a statement that says you can’t destroy the data unless you are supposed to as a part of the retention and disposition authority.

Whoever corruptly (1) alters, destroys, mutilates, or conceals a record, document, or other object, or attempts to do so, with the intent to impair the object’s integrity or availability for use in an official proceeding…

The exact interpretation of this clause has been the subject of intense debate, spotlighted by the 2002 conviction of Arthur Andersen. A 2005 Supreme Court decision overruled the jury’s opinion that information was corruptly destroyed. Taken at face value, the statement chiefly implies that companies shouldn’t knowingly destroy data to avoid incrimination. But even overwriting backup tapes that hold the only copy of some information, during a period when the organization is doing something that could be considered misconduct, would violate this rule, a rule that could put the perpetrator behind bars for 20 years.
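As an added illustration (not code from the ITCi paper), the following Python module applies the two rules just described to a constructed set of records: a record becomes eligible for destruction only after the § 802(a)(1) retention period (five years from the end of the fiscal period in which the audit concluded) has run, and never while it is under a hold for a pending or anticipated official proceeding, which is the § 1102 situation the backup-tape warning describes. The record fields, the 31 December fiscal year-end, the matter identifiers and the sample records are assumptions.

```python
"""Retention and disposition check modelled on SOX § 802(a)(1) and § 1102.

Added example, not code from the ITCi paper. Assumptions: the Record fields,
a fiscal year ending 31 December, and a set of "legal hold" matter ids that
stand for a pending or reasonably anticipated official proceeding.
"""
from dataclasses import dataclass, field
from datetime import date

RETENTION_YEARS = 5  # § 802(a)(1): "not less than five years"


@dataclass
class Record:
    record_id: str
    audit_concluded: date                           # date the audit or review concluded
    legal_holds: set = field(default_factory=set)   # matter ids (assumed field)


def fiscal_period_end(d: date) -> date:
    """End of the fiscal period containing d; a 31 December year-end is assumed."""
    return date(d.year, 12, 31)


def retention_expiry(rec: Record) -> date:
    """Last day the record must be kept: five years from the fiscal period end."""
    fpe = fiscal_period_end(rec.audit_concluded)
    return date(fpe.year + RETENTION_YEARS, fpe.month, fpe.day)


def disposition_decision(rec: Record, today: date) -> tuple:
    """Return (action, reason); "destroy" only when retention has run AND no hold."""
    if rec.legal_holds:
        # § 1102: anything relevant to a proceeding stays, even when the
        # ordinary retention period has already expired.
        holds = ", ".join(sorted(rec.legal_holds))
        return "retain", f"under legal hold ({holds})"
    expiry = retention_expiry(rec)
    if today <= expiry:
        return "retain", f"retention runs until {expiry.isoformat()}"
    return "destroy", f"retention expired {expiry.isoformat()} and no hold applies"


def place_hold(records, matter_id: str, in_scope) -> int:
    """Attach a hold to every record in scope of a matter; returns how many were held.

    This is the step that protects, for example, backup tapes holding the only
    copy of data during a period of possible misconduct.
    """
    held = 0
    for rec in records:
        if in_scope(rec):
            rec.legal_holds.add(matter_id)
            held += 1
    return held


def disposition_report(records, today: date) -> dict:
    """Map record_id -> action: the list a disposition authority would sign off."""
    return {rec.record_id: disposition_decision(rec, today)[0] for rec in records}


# Constructed sample inventory (not real records).
SAMPLE_RECORDS = [
    Record("WP-2004-01", date(2004, 3, 15)),                  # retention ends 2009-12-31
    Record("WP-2006-07", date(2006, 11, 30)),                 # retention ends 2011-12-31
    Record("TAPE-2004-Q2", date(2004, 6, 30), {"matter-A"}),  # expired, but on hold
]
AS_OF = date(2010, 6, 1)

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        action, reason = disposition_decision(rec, AS_OF)
        print(f"{rec.record_id:14} {action:8} {reason}")
```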

Dealing with Sarbanes-Oxley

If you think of SOX in terms of recordkeeping practices for accounting records, then you can follow the general outline that ISO 15489 sets for records management.18 Starting from the top in planning and moving through design and implementation, a SOX program might look like the table on the next page. In creating this table, we have followed the methodology presented in ISO 15489 for designing a top-down system of controls that can be implemented, documented, and tested, and that upper management and the audit team can attest to. Each column has a direct reference to the section of the standard or document cited.

The sample program represents a subset of all activities defined by the ISO 17799 security standard and ISO 15489 records management standard, as indicated by various guidelines related to SOX—including implications of the act itself. These are represented on the full control-objective table that begins on page XX. The full table has its roots in unification documents from CobiT, ISSA, GAISP, CMS, WEDI, and a few others that all reference ISO 17799. To create the table, a research team read original guidance such as the SOX act and SAS 94 and interpreted its findings in terms of standard ISO control objectives, represented in the table’s left-hand column.

Although each company must determine an optimum compliance strategy based on its own goals and environment, the table provides a top-down view of all indicated controls. Moreover, by directly referencing specific SOX-related requirements to acknowledged standards, it circumvents the hype and rumor that has spawned so much unnecessary SOX-based development to date.

18 General principles are found in:

(2001). Information and documentation—Records management Part 1: General, International Standards Organization.

(2001). Information and documentation—Records management Part 2: Guidelines, International Standards Organization. Some of the outline items were derived from the more in-depth DIRKS, which was the forerunner of ISO 15489.

(2003). DIRKS, National Archives of Australia. Also see the individual steps A through G for a more detailed explanation.

Top-down sample plan for Sarbanes-Oxley compliance

Step | SOX | PCAOB | 240.15d-15 | 240.16a-3
Establish need for regulatory compliance program | | | |
Defining control objectives: Rules that govern information technology | | 49 | |
Rules that govern web pages | | | | (k)
Rules that govern financial reporting documents | 105.2 | | (f) |
Identify record integrity requirements | | | (f)(1) |
Identify privacy policy requirements | | | (f)(3) |
Identify recordkeeping retention requirements | 802(a)(1) | | |
Evidential weight of information and technology | | | |
Information technology controls support multiple operations | | 74 | |
Defining organizational level risks | 404 | 49 | |
Ensure business leaders are aware of their role | 302 | | |
Create recordkeeping procedures | 404 | 72 | |
Determine documents to be captured and collected | 802(a)(2) | | |
Identify disposition status | 1102 | | |
Provide automated integrity controls | | | (f)(1) |
Documentation and validation of collection procedures | 105.2 | | |
Create a records security process | | 67 | |
Ensure record transaction security | | 69, 120 | (f)(2) |
Ensure usage and tracking | | | (f)(3) |
Prepare for breach notification | | 49 | |
Act immediately upon breach notification | | 49 | |
Create daily automated controls | | B-1 | |
Create weekly automated controls | | E-1 | |
Prepare for compliance auditing | 404 | 49 | |
Provide transactional walkthrough capabilities | | 81, 82 | |

Sarbanes-Oxley: IT impact zones

High-Level Objectives and Leadership | SOX | PCAOB Rel. 2004-001 Audit section | SAS 94 | AICPA/CICA Privacy Framework | AICPA Suitable Trust Services Criteria

Establish need and define high-level objectives Implied ¶ 8 – 13 P10 ¶ 11

Analyze organizational objectives, functions, activities, and tasks Implied

Information architecture model

Corporate Data Dictionary and Data Syntax Rules

Data Classification Scheme

Security Levels

Technological Infrastructure Planning

Monitor Future Trends and Regulations

Technological Infrastructure Contingency

Hardware and Software Acquisition Plans

Technology Standards

Defining the correct roles and responsibilities

Board of Director involvement

Designated Employee Leadership

Defining rules that govern information technology Implied ¶ 49 ¶ 8

Rules that govern records privacy

Rules that govern security breach notices

Rules that govern records security and integrity

Rules that govern financial reporting documents 105.2 Implied

Rules that govern websites and web pages 403 Implied

Rules that govern database records

Rules that govern automatic transactions

Rules that govern messages (both e-mail and IM)

Rules that govern electronic signatures and transactions

Safety and Ergonomic Compliance

Compliance with Insurance Contracts

Defining organizational practices for complying with external requirements

Evidential weight of information and technology

Why courts need standards tailored to e-discovery

Precedent in paper discovery in context of e-docs

Information technology controls support multiple operations Implied 74

Create a high-level strategic IT plan

IT Long-Range Plan

IT Long-Range Planning—Approach and Structure

IT Long-Range Plan Changes

Short-Range Planning for the IT Function

Communication of IT Plans

Monitoring and Evaluating of IT Plans

Assessment of Existing Systems

Audit & Risk Management | SOX | PCAOB Rel. 2004-001 Audit section | SAS 94 | AICPA/CICA Privacy Framework | AICPA Suitable Trust Services Criteria

Audits

Roles and Responsibilities ¶ 2

Board of directors and senior management

Internal IT Audit Manager

Internal IT Audit Staff

IT operations staff

External auditors

Internal audit program Implied Implied § 8.2.6

Risk Assessment Implied § 49 ¶ 37

Business Risk Assessment

Risk Assessment Approach

Information Gathering

Asset Discovery

Environmental survey

Hardware inventory

Software inventory

Networking inventory

Media inventory

Information Handling

Employee training

Incident Response

Risk Identification ¶ 38

Threat Identification

Vulnerability Identification

Risk Analysis

Document controls

Risk Measurement and scoring

Create gap analysis

Risk Action Plan

Risk Acceptance

Safeguard selection & prioritization

Risk Assessment Commitment

Design & Implementation | SOX | PCAOB Rel. 2004-001 Audit section | SAS 94 | AICPA/CICA Privacy Framework | AICPA Suitable Trust Services Criteria

Project management and initial planning

Identify requirements

Identify recordkeeping security (availability and integrity) standards § 802 Implied

Identify recordkeeping retention requirements § 802(a)(1) Implied

Systems Design

Assign roles and responsibilities


Ensure business unit leaders are aware of their role § 302 Implied

Design of security controls Implied

Develop initial training plan

Security awareness training § 2.4

Systems Testing

Systems Testing 1.2(g)

Systems Acquisition | SOX | PCAOB Rel. 2004-001 Audit section | SAS 94 | AICPA/CICA Privacy Framework | AICPA Suitable Trust Services Criteria

Establishment of an acquisition of technology plan

Risk Analysis Report Implied Implied Implied

Operational Management | SOX | PCAOB Rel. 2004-001 Audit section | SAS 94 | AICPA/CICA Privacy Framework | AICPA Suitable Trust Services Criteria

Operational management Implied B-1

Roles and responsibilities

Board of directors

Chief information officer

IT line or operations management

Business unit manager

Policies, Standards, and Procedures

Establishment of key policies

Positive Information Control Environment ¶ 53(a) ¶ 34

Management’s Responsibility for Policies § 1.1.2

Communication of Organization Policies § 1.1.1 ¶ 9(b)

Policy Implementation Resources § 1.2.5

Maintenance of Policies § 1.2.1

Compliance with Policies, Procedures and Standards § 1.1.1 ¶ 9(d)

Quality Commitment

Security and Internal Control Framework Policy ¶ 17 (1.0)

Intellectual Property Rights

Issue-Specific Policies

Communication of IT Security Awareness § 1.1.1 ¶ 17, 20, 24, 40 (2.0)

Documenting all policies and procedures

Operational Requirements and Service Levels

User Procedures Manual

Operations Manual

Training Materials

Standards ¶ 24 (3.15)

Acceptable Usage Policies

Operations Procedures ¶ 24 (3.2)


Processing Operations Procedures and Instructions Manual

Start-up Process and Other Operations Documentation

Job Scheduling

Departures from Standard Job Schedules

Processing Continuity

Remote Operations

Service Level Agreements (SLAs)

Service Level Agreement Framework ¶ All (1.1)

Aspects of Service Level Agreements

Performance Procedures

Monitoring and Reporting ¶ 17 (4.1)

Review of Service Level Agreements and Contracts § 10.2.3 ¶ 20 (2.2)

Chargeable Items

Service Improvement Program

Assist and support IT customers (Help Desk) ¶ 20 (3.9)

Help Desk operations

Registration of Customer Queries

Customer Query Escalation

Monitoring of Clearance

Trend Analysis

Establishment of a problem management and incident handling system Implied § 49 ¶ 24 (3.10,11), ¶ 30 (3.12,13)

Problem Management System

Uses and capability

Characteristics

Problem Escalation ¶ 24 (3.11)

Problem Tracking and Audit Trail

Emergency and Temporary Access Authorizations

Emergency Processing Priorities

Manage the current IT configuration Implied § E-1

Configuration Recording

Configuration Baseline

Status Accounting

Configuration Control

Unauthorized Software

Software Storage

Configuration Management Procedures

Software Accountability

System Software Installation


System Software Security

Identify and allocate costs

Annual IT Operating Budget ¶ 20 (3.9)

Cost and Benefit Monitoring App ¶ 9.1

Cost and Benefit Justification

Assessment of New Hardware and Software

Initial Hardening of systems

Always change the vendor-supplied defaults

Develop system configuration standards for all networks components

Implement only one application or primary function per network component

Disable all unnecessary services ¶ 17(3.3)

Configure system security parameters to prevent misuse

Remove all unnecessary functionality

Encrypt internal non-console administrative access § 8.2.2 ¶ 17(3.3)

Perform vulnerability test prior to final installation § 8.2.1(l)

Preventative Maintenance for Hardware ¶ 20 (3.1)

Change Management

Change Request Initiation and Control ¶ 17 (3.10,11)

Impact Assessment

Control of Changes

Emergency Changes ¶ 17 (3.12)

Documentation and Procedures

Authorized Maintenance

Software Release Policy

Distribution of Software

System Software Maintenance

System Software Change Controls (patch management)

Ensure that all system software is the latest version

Test all security patches before they are deployed

Use and Monitoring of System Utilities

Conversions

Systems Disposal § 802(a) Implied § 5.2.2

IT Staff Management | SOX | PCAOB Rel. 2004-001 Audit section | SAS 94 | AICPA/CICA Privacy Framework | AICPA Suitable Trust Services Criteria

Human Resources management

Establishing the IT organizational structure

IT Planning or Steering Committee ¶ 17 (3.10)

Responsibility for Quality Assurance ¶ 24 (3.13)


Responsibility for Logical and Physical Security ¶ 17 (2.3)

Data and System Ownership ¶ All (1.3)

Segregation of Duties ¶ 41.4 ¶ 17 (3.11)

IT Staffing ¶ 17 (3.10)

Job or Position Descriptions for IT Staff § 1.2.6 ¶ 17 (3.9)

Key IT Personnel ¶ 24 (3.18), ¶ 20 (3.2)

Managing internal staff

Personnel Recruitment and Promotion § 1.2.6

Personnel Qualifications § 1.2.6

Personnel Clearance Procedures § 1.2.6 ¶ 17 (3.9)

Roles and Responsibilities ¶ 53.1 App ¶ 3(a)

Personnel Training § 1.2.6 ¶ 17 (3.9)

Cross-Training or Staff Backup ¶ 17 (3.9)

Employee Job Performance Evaluation App ¶ 3(g) § 1.2.6 ¶ 17 (3.9)

Job Change and Termination ¶ 24 (3.5)

Managing third-party interaction and services

Counterparty trust § 7.2.2 ¶ 40 (3.2)

Third-Party Contracts § 7.2.2 ¶ 40 (3.2)

Third-Party Qualifications § 4.2.3

Outsourcing Contracts ¶ 40 (3.2)

Security and Audit Relationships § 7.1.2 ¶ 40 (3.2)

Records Discovery & Records Management | SOX | PCAOB | SAS 94 | AICPA/CICA Privacy Framework | AICPA Suitable Trust Services Criteria

The Need for Records Management

Determining scope of preservation obligations

Determining documents for capture § 802(a)(2) Implied

Determining how long to retain records § 103.(2)(A)(i)

Records capture and classification process AS 2 § 72

Capture

Registration

Classification

Business activity classification

Vocabulary controls

Allocation of numbers and codes

Indexing

Usage and tracking AS 2 § 69

Data input and access authorization procedures

Accuracy, Completeness, and Authorization Checks

Data Input Error Handling

Data Processing Integrity


Data Processing Validation and Editing

Data Processing Error Handling

Output Handling and Retention

Output Distribution

Output Balancing and Reconciliation

Output Review and Error Handling

Security Provision for Output Reports

Records Handling

Protecting digital storage

Creating backups or duplicate copies § 5.2.2

Maintain duplicate copies of indexes

Backup and Restoration

Backup Jobs ¶ 24 (3.19), ¶ 20 (3.3)

Backup Storage ¶ 24 (3.19), ¶ 20 (3.3)

Encrypt backup data

Maintain media controls

Separate duplicates from the originals ¶ 24 (3.19), ¶ 20 (3.3)

Disposition and destruction § 802(a) Implied § 5.2.2

Identification of disposition status § 1102 Implied

Writing of Disposition Authority document § 5.2.2

Training ¶ 17 (3.9)

Records Discovery

Retrieval of records

Documentation and validation of collection procedures § 105.2

Production of discovered documents R 5013(b)

Production within a set time frame R 5422(c)

Technical Security | SOX | PCAOB Rel. 2004-001 Audit section | SAS 94 | AICPA/CICA Privacy Framework | AICPA Suitable Trust Services Criteria

Technical security Implied § 67 § 319.16

Security and access classification scheme ¶.17§1.1

Development of security access classification ¶.17§1.2(a)

Data classification

Access and security classification steps § 319.13 8.2.2

Identification, Authentication, and Access 8.2.2(a)&(b) ¶.17§3.1(b)

User Account Management 8.2.2(d)

Control the addition, deletion, and modification of user IDs, credentials, or other identifier objects 8.2.2(c) ¶.17§3.1(a)&(c)

Immediately revoke accesses of terminated users ¶.17§3.1(c)

Remove inactive user accounts at least every 90 days


Distribute password procedures and policies to all users who have access to cardholder information 8.1.1

Do not permit group passwords

Change user passwords at least every 90 days ¶.17§3.1(b)

Require a minimum password length of at least seven characters

Use passwords containing both numeric and alphabetic characters

Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used

Review access capabilities for any functional change in user status

Management Review of User Accounts 8.2.2(e)&(f)

User Control of User Accounts

Security Surveillance 8.2.1

Central Identification and Access Rights Management

Network Access § 319.45

Network configuration

Create a network diagram

DMZ areas

Segregate security restricted servers into their own domain

Plan for, and have approved, all network changes

Track and log all network changes

Scan for unknown workstations and default deny access

Protocols and ports

Protocol policies

TCP/IP packets

Routing and the DNS system

Secure router configurations against unauthorized changes

Router configuration should include an access control list (ACL)

Disable Telnet for remote administration

Firewall Design 8.2.2(i) ¶.17§3.3

Enable NAT or PAT

Firewall policies

Deny all traffic except designated traffic

Ensure firewall change policies are formalized

Ensure firewall logs are capturing correct data

All laptops should be equipped with a firewall

Operating system access § 319.18

Ensure accounts (and stored information) are segregated

Employ sign-on authentication management

Log all access attempts

Limit repeated attempts by locking out the user ID after not more than six attempts ¶.17§3.3

Set the lockout duration to 30 minutes or until an administrator re-enables the user ID


If a session has been idle for more than 15 minutes, require the user to reenter the password to reactivate the terminal

Application access

Remote access

Explicitly deny all modems except for documented and authorized systems

Implement two-factor authentication

Protect remote access accounts against eavesdropping

Monitor remote access usage

Transaction Security Implied § 69, 120 § 319.17

Protection of sensitive messages

Transaction Authorization

Non-Repudiation

Trusted Path

Protection of Security Functions Implied

Encryption ¶.17§3.5

Cryptographic Key Management

Protect keys against disclosure

Document all key management practices

Malicious code 8.2.2(j) ¶.17§3.4

Install anti-virus software

Ensure that signature files are up to date

Maintain an audit log of all malicious code

Ensure anti-virus system works on e-mails

Intrusion detection and response ¶.17§3.6

Intrusion detection ¶.17§3.3

Automated IDS

Honeypots

Registry control monitoring

Preparation for breach notifications Implied § 49 ¶.17§2.4

Internal control monitoring

Timely Operation of Internal Controls

Internal Control Level Reporting

Operational Security and Internal Control Assurance

Intrusion response ¶.17§3.7

Operational anomalies

Incident Handling, notification, and actions

Violation and Security Activity Reports

Reaccreditation

Logging and data collection

Audit logs must contain a timestamp that tracks user activity

Ensure that it is impossible to disable an audit log

Review audit logs regularly
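The user-account, password, lockout, idle-session and audit-log thresholds listed in this Technical Security section, applied in code. This is an added example, not part of the ITCi paper; the sample accounts, the reference time and the SHA-256 stand-in for password storage are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional
# Thresholds exactly as the Technical Security checklist states them.
MAX_PASSWORD_AGE = timedelta(days=90)        # change user passwords at least every 90 days
MIN_PASSWORD_LENGTH = 7                      # minimum length of at least seven characters
PASSWORD_HISTORY = 4                         # not the same as any of the last four passwords
MAX_FAILED_ATTEMPTS = 6                      # lock out after not more than six attempts
LOCKOUT_DURATION = timedelta(minutes=30)     # 30 minutes, or until an administrator re-enables
IDLE_TIMEOUT = timedelta(minutes=15)         # idle longer than 15 minutes: re-enter the password
INACTIVE_ACCOUNT_LIMIT = timedelta(days=90)  # remove inactive user accounts at least every 90 days
NOW = datetime(2005, 6, 15, 9, 0)            # constructed reference time for the sample data

def _digest(password: str) -> str:
    # Stand-in for the demonstration only; a real system stores salted, slow password hashes.
    return hashlib.sha256(password.encode()).hexdigest()

@dataclass
class Account:
    user_id: str
    password_history: List[str]          # digests, most recent first
    password_set_at: datetime
    last_activity_at: datetime
    terminated: bool = False
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    audit_log: List[str] = field(default_factory=list)

    def log(self, now: datetime, event: str) -> None:
        self.audit_log.append(f"{now.isoformat()} {self.user_id} {event}")  # always timestamped

def password_violations(account: Account, candidate: str) -> List[str]:
    # Returns the rules a proposed password breaks; an empty list means it is acceptable.
    problems = []
    if len(candidate) < MIN_PASSWORD_LENGTH:
        problems.append("shorter than seven characters")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("must contain both letters and digits")
    if _digest(candidate) in account.password_history[:PASSWORD_HISTORY]:
        problems.append("matches one of the last four passwords")
    return problems

def set_password(account: Account, candidate: str, now: datetime) -> bool:
    problems = password_violations(account, candidate)
    if problems:
        account.log(now, "password change rejected: " + "; ".join(problems))
        return False
    account.password_history.insert(0, _digest(candidate))
    account.password_set_at = now
    account.log(now, "password changed")
    return True

def password_expired(account: Account, now: datetime) -> bool:
    return now - account.password_set_at > MAX_PASSWORD_AGE

def is_locked(account: Account, now: datetime) -> bool:
    return account.locked_until is not None and now < account.locked_until

def record_login_attempt(account: Account, password: str, now: datetime) -> bool:
    if account.locked_until is not None and now >= account.locked_until:
        account.locked_until, account.failed_attempts = None, 0  # lockout period has elapsed
    if account.terminated or is_locked(account, now):
        account.log(now, "login refused (terminated or locked)")
        return False
    if account.password_history and _digest(password) == account.password_history[0]:
        account.failed_attempts, account.last_activity_at = 0, now
        account.log(now, "login ok")
        return True
    account.failed_attempts += 1
    account.log(now, f"login failed ({account.failed_attempts})")
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked_until = now + LOCKOUT_DURATION
        account.log(now, f"locked until {account.locked_until.isoformat()}")
    return False

def session_needs_reauth(last_activity: datetime, now: datetime) -> bool:
    return now - last_activity > IDLE_TIMEOUT

def accounts_to_revoke(accounts: List[Account], now: datetime) -> List[str]:
    # Terminated users go immediately, the rest after 90 days without activity.
    return [a.user_id for a in accounts if a.terminated or now - a.last_activity_at > INACTIVE_ACCOUNT_LIMIT]

def run_demo() -> dict:
    # Constructed sample accounts, not taken from any real system.
    alice = Account("alice", [_digest("summer2005")], NOW - timedelta(days=10), NOW - timedelta(days=1))
    bob = Account("bob", [_digest("qwerty12")], NOW - timedelta(days=120), NOW - timedelta(days=100))
    carol = Account("carol", [_digest("pa55word")], NOW - timedelta(days=30), NOW, terminated=True)
    out = {"weak": password_violations(alice, "short1")}
    out["reuse_rejected"] = not set_password(alice, "summer2005", NOW)
    out["change_ok"] = set_password(alice, "autumn2005", NOW)
    for i in range(MAX_FAILED_ATTEMPTS):            # six wrong guesses trigger the lockout
        record_login_attempt(alice, "wrong-guess", NOW + timedelta(seconds=i))
    out["locked_at_10m"] = is_locked(alice, NOW + timedelta(minutes=10))
    out["locked_at_31m"] = is_locked(alice, NOW + timedelta(minutes=31))
    out["bob_expired"] = password_expired(bob, NOW)
    out["revoke"] = accounts_to_revoke([alice, bob, carol], NOW)
    out["idle_reauth"] = session_needs_reauth(NOW - timedelta(minutes=16), NOW)
    out["alice_log_entries"] = len(alice.audit_log)
    return out
```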


Physical Security (continued) (citation columns: SOX | PCAOB Rel. 2004-001 | Audit section SAS 94 | AICPA/CICA Privacy Framework | AICPA Suitable Trust Services Criteria)

Physical Security § 8.2.3

Facilities management

Physical Security App ¶ 9.3 ¶ 17 (3.2)

Low Profile of the IT Site

Visitor Escort

Visitor identification

Maintain visitor log

Personnel Health and Safety

Cabinet and vault security § 8.1.1

Physical Security of distributed IT assets

Desktop and notebook security

Physical Information and Media security § 8.1.1

Server security

Physically separate systems that store sensitive data from those that don’t

Physical LAN access ¶ 17 (3.2)

Environmental controls ¶ 20 (3.1)

Uninterruptible power supplies and secondary power ¶ 20 (3.1)

Duplicate telecom feeds

HVAC equipment ¶ 20 (3.1)

Heat and smoke detection ¶ 20 (3.1)

Fire suppression systems ¶ 20 (3.1)

Water detection ¶ 20 (3.1)

Systems Continuity (citation columns: SOX | PCAOB Rel. 2004-001 | Audit section SAS 94 | AICPA/CICA Privacy Framework | AICPA Suitable Trust Services Criteria)

The Need for Business Continuity ¶ 24 (3.18), ¶ 20 (3.2)

Business Continuity Framework

Roles and responsibilities ¶ 24 (3.18), ¶ 20 (3.2)

Business Continuity Plan Strategy & Philosophy

Business Continuity Plan Strategies

Critical business functions

Critical records identification

Operational management

Critical personnel ¶ 24 (3.18), ¶ 20 (3.2)

Critical IT Resources ¶ 24 (3.18), ¶ 20 (3.2)

SLAs include continuity planning

Alternate Site Strategies


Network Recovery Strategies ¶ 24 (3.18), ¶ 20 (3.2)

Alternate Site Preparations

Contingency Arrangements list

Contingency Arrangements for all offices

Off-site Media Storage

Off-site data backup and storage ¶ 24 (3.19), ¶ 20 (3.3)

Off-site software backup and storage ¶ 24 (3.19), ¶ 20 (3.3)

Writing the Business Continuity Plan ¶ 24 (3.18), ¶ 20 (3.2)

Business Continuity Plan Contents ¶ 24 (3.18), ¶ 20 (3.2)

Minimizing Business Continuity Requirements

Emergency communications planning

Problem escalation

Maintaining the Business Continuity Plan

Testing the Business Continuity Plan

Annual Testing ¶ 24 (3.18), ¶ 20 (3.2)

Simulation Testing

Updating the Plan

Business Continuity Plan Training

Business Continuity Plan Distribution ¶ 24 (3.18), ¶ 20 (3.2)

User Department Alternative Processing Backup Procedures

Wrap-up Procedures

Insurance

Monitoring, Measurement & Reporting (citation columns: SOX | PCAOB Rel. 2004-001 | Audit section SAS 94 | AICPA/CICA Privacy Framework | AICPA Suitable Trust Services Criteria)

Continued monitoring and auditing § 104 § 49 § 10 .17 § 4.0

Establishing overall monitoring and logging operations § 319.53

Key concepts

Measurement § 13

Traceability

Thoroughness § 104(d) § 13

Frequency § 104(b)

Collecting Monitoring Data § 319.54

All accesses to cardholder data

All actions taken by any individual with root or administrative privileges

Access to all audit trails


Invalid logical access attempts

Use of identification and authentication mechanisms

Initialization of the audit logs

Creation and deletion of system-level objects

Assessing Performance § 7, 13

Assessing Customer Satisfaction .24 § 3.2

Management Reporting and logging § 404(b) § 10.2.3

Security Testing § 8.2.6 .17 § 4.1

Penetration testing

Run both internal and external vulnerability scans

Assessments .17 § 4.2

Risk monitoring § 49 § 319.37

Overall testing strategy § 319.39

Testing scope and objectives § 319.39

Specific test plans

Test plan review

Validation of assumptions

Completeness of procedures

Testing methods

Analyzing the reports

Performance monitoring § 319.41

Monitor for capacity

Monitor for uptime status

Outcome-based measurements

Compliance monitoring and auditing § 404 § 49 § 319.54 § 10.2.3

Provide transactional walk-through capabilities for third-party auditor Implied § 81, 82

Availability of audit results

Preservation of audit results

Follow-up Activities § 319.29

Report Monitoring statistics and follow-up to the Board of Directors § 102(d)


SOLUTIONS FOR SARBANES-OXLEY

High-ranking executives, such as chief compliance officers, and board members now actively oversee many compliance activities. As a result, it has become a critical priority for many companies to find technology solutions that quickly increase the efficiency of compliance processes and generate significant return-on-investment (ROI). A key requirement for achieving these objectives is selecting a solution that embraces the successful processes companies have used during compliance “projects” and makes them part of daily business practices.

For example, most companies initially took a tactical, manual approach to Sarbanes-Oxley compliance by creating projects that included dedicated employees, consultants, project plans, ongoing meetings, executive status reports and specialized technology—a standard practice in developing methodologies for new compliance efforts. However, now that companies understand the methodology necessary for 404 compliance, they must create a more efficient, long-term compliance strategy by incorporating their successful Sarbanes-Oxley compliance processes into daily business practices.

When companies concentrate on managing regulated business processes, demonstrable compliance simply becomes a by-product of everyday work activities.

Stellent: Turning Compliance Projects Into Ongoing Processes

Stellent’s compliance and records management applications allow companies to turn compliance projects into ongoing processes that are conveniently and inherently carried out during the normal course of business. In particular, Stellent’s full suite of Web-based document management solutions effectively manage the massive amounts of content involved in compliance documentation and testing—providing the necessary foundation for storing, managing, processing and tracking content in a central, secure repository.

Stellent can support multiple compliance initiatives with a single technology architecture that utilizes a common repository and interface. Consequently, companies can leverage Stellent’s infrastructure to comply with a variety of government mandates from Sarbanes-Oxley, JCAHO (Joint Commission on Accreditation of Healthcare Organizations) and HIPAA (Health Insurance Portability and Accountability Act), to ISO (International Organization for Standardization) regulations in the manufacturing industry. In this way, customers reduce the number of software applications they must purchase for compliance efforts and lower the duplication of documents and data across multiple compliance applications—leading to less complex IT integrations, faster user adoption, lower total cost of ownership and an overall substantial cost savings.

Based on Stellent’s content management platform, the integrated suite of compliance applications allows companies to manage the full scope of their compliance responsibilities while reducing operational costs. Stellent’s compliance platform is based on five key components: document management, records management, workflow, enterprise risk management and vertical applications.

DOCUMENT MANAGEMENT

Enables organizations to effectively and efficiently capture, secure, share and distribute digital and paper-based documents and reports. Retention policies, escalation flows and audit trails are accessed quickly and easily by only those authorized to see them.

RECORDS MANAGEMENT

Stellent’s built-in, Department of Defense (DoD) 5015.2-certified Active and Fixed Records Management solutions help companies control the creation, declaration, classification, retention and destruction of all types of business records—whether they are “active” such as documents and graphics, or “fixed” such as scanned images and email. These records are stored and managed, along with other business content, within one server and accessed using a single interface.

Transitioning Compliance Projects into Inherent Business Processes

In the not too distant past, compliance initiatives often were characterized by back office operations that involved large volumes of records stored in basement filing cabinets. Recently, this situation has changed. Accounting scandals; the growing number of regulatory mandates; and the litigation consequences associated with those regulations have prompted many businesses to bring compliance initiatives out of the back office and into the boardroom.


WORKFLOW

Stellent’s workflow capabilities provide periodic “check-ups” on progress toward compliance goals by automating assessment, audit, remediation, approval and review processes.

ENTERPRISE RISK MANAGEMENT

The Stellent solution provides an enterprise-wide view of compliance efforts, enabling reuse across the organization and diminishing project “silos.” Enterprise risk management prioritizes compliance initiatives based on areas of greatest risk and aligns all strategies with corporate goals.

VERTICAL APPLICATIONS

Stellent’s compliance offerings include vertical applications such as the Stellent® Sarbanes-Oxley Solution and Stellent® Email Management. The Stellent Sarbanes-Oxley Solution effectively automates and supports long-term Sarbanes-Oxley compliance methodologies, enabling companies to efficiently manage and approve documentation supporting financial and non-financial disclosures and Section 404 compliance. The solution is highly personalized for non-technical business users, allowing auditors, accountants and CFOs to easily create, manage, share, track, approve and archive information with minimal training, using only a Web browser. Stellent Email Management facilitates the intelligent integration of email into customers’ business processes. With rule-based, centralized email archiving, the solution guarantees seamless records and fulfillment of legal requirements.

Powering Multiple Compliance Initiatives with a Single Solution

Companies across a variety of industries use Stellent’s compliance and records management solutions to comply with a wide range of regulations, including Sarbanes-Oxley, JCAHO, Basel II, HIPAA, FDA approvals and ISO 9001. Examples of successful customer implementations include:

SARBANES-OXLEY COMPLIANCE

Reliant Energy, Inc., a provider of electricity and energy services, has streamlined its Sarbanes-Oxley compliance processes by using Stellent technology to distribute documentation tasks to process owners and smooth its attestation process. Specifically, the Stellent solution provides Reliant’s core compliance team with an enterprise-wide view of the company’s internal control makeup. This view allows the core team to keep track of and schedule control changes based on company priorities, which helps the company meet its goal of automating as many internal controls as possible.

Additionally, the Stellent solution provides Reliant with centralized process management capabilities and a centralized content repository. The core compliance team easily manages the overall process of Sarbanes-Oxley compliance through an automated workflow system that involves process owners. Reliant has customized specific features within the workflow that monitor contributions from process owners to ensure all work and processes meet the quality standards set by the company. In addition, the centralized repository has eliminated Reliant’s disparate content repositories and disconnected areas of the company carrying out compliance efforts on their own.

Another benefit of Reliant’s compliance solution is the ability to easily share content with multiple audiences, including external auditors, process owners, company executives and managers, and internal auditors. Users log in to the system through an easy-to-use, Web-based interface and access information immediately, 24 hours a day. Auditors easily access the latest documentation they need for external audits—resulting in significantly less preparation time for internal staff.

Providing Your Company with the Most Effective Compliance Solutions

Because most compliance mandates are primarily a process of massive documentation and testing, comprehensive document management-based solutions, rather than stand-alone compliance systems, are best equipped to effectively support compliance initiatives.

Stellent’s compliance and records management solutions are built upon Stellent’s proven, industry-leading content management system, used by more than 1,600 customers worldwide. Stellent drives rapid success for customers by enabling fast implementations, easy integrations with existing systems, and generating quick, broad user adoption. Consequently, customers can promptly transition their resource-intensive compliance projects into ongoing, productive business processes and reap the substantial benefits these evolutions can generate.

[Figure: Stellent Compliance Framework. Layers: Document Management, Records Management, Workflow, Enterprise Risk Management. Regulations shown above the framework: Sarbanes-Oxley, Euro SOX, Internal Audit, Operations, Patriot Act, Sec 17a, ISO, HIPAA, JCAHO, Basel II, IAS, GLBA, FDA.]


Background

The Sarbanes-Oxley Act of 2002 was created to restore investor confidence in public markets following many high-profile cases of corporate malfeasance and deceptive practices. In a nutshell, it holds CEOs and CFOs accountable for the veracity of their company’s financial statements.

Sarbanes-Oxley is a comprehensive law designed to prevent corporate crime, and it fundamentally changes the business environment. Yet it does not detail exactly how to become compliant. It broadly states, in Section 302, that certifying officers in a company are responsible for establishing and maintaining internal controls over financial accounting that will verify the accuracy, reliability and accountability of corporate disclosures. In Section 404, Sarbanes-Oxley requires annual assessments of the effectiveness of whatever internal controls the corporation has established.

Sarbanes-Oxley requires publicly held companies to implement internal controls over their financial reporting, operations and assets, to evaluate the strengths and weaknesses of these internal controls in official documents filed with the SEC and to make regular disclosures concerning the viability of these controls and potential fraud or losses that may affect the company’s financial position. Because most companies’ financial reporting and operations depend heavily on information technology, and because many corporate assets now exist in the form of critical data, Sarbanes-Oxley has significant information security implications for companies governed by the law.

The Role of IT

At first glance, Sarbanes-Oxley seems pointed solely at a company’s finance department. What does that have to do with the IT department? Everything. Technology is what gathers, protects and reports the financial information that CEOs and CFOs must attest is correct.

Without a well-controlled IT environment, there is no proof that financial reporting is complete, free from error, or hasn’t been tampered with.

For most businesses, the IT department is where controls over financial systems will reside. IT’s own processes and infrastructure can, therefore, be considered a key part of the “internal controls” required by Section 302, and the tools it uses to test the efficacy of controls are a key part of meeting Section 404.

Meeting the Requirements with Tripwire

Although Sarbanes-Oxley does not explicitly detail how to achieve compliance, the Securities and Exchange Commission (SEC) recognizes the “COSO” framework as the official framework for establishing internal controls over financial reporting. Accordingly, COSO has become the most commonly adopted framework.

COBIT (Control Objectives for Information and related Technology) is the IT-specific aspect of COSO’s control framework. Tripwire change audit solutions support many elements of the Delivery and Support (DS) and the Acquisition and Implementation (AI) guidelines of COBIT. The following are just a few of the COBIT recommendations where Tripwire excels as the solution.

• Implement change control monitoring/auditing tools. Tripwire is a recognized leader in change monitoring and auditing solutions.

• Implement a change management system. Tripwire change information can be integrated with other enterprise management systems and reporting packages, such as Remedy AR System, HP OpenView, and other similar systems to provide validation and documentation of planned changes, as well as storing "before and after" snapshots of systems, which can be appended to work orders.

• Document and implement preventative controls procedures. Tripwire validates that all changes are tracked, synchronized with documentation, and applied consistently across the appropriate systems.

• Document and implement detective controls. Tripwire is commonly used to monitor the configuration, applications, and underlying OS of security software and devices in order to detect and report change. In this way, Tripwire provides independent validation that security applications and their configurations have not been compromised or changed without authorization. Tripwire also monitors and cryptographically protects its own files to protect itself from compromise.

Tripwire: The Proof You Need

Tripwire brings all-inclusive change auditing practices to operations. Tripwire change auditing solutions enable you to prove that all authorized change is properly implemented, and that no change of any type goes undetected. Detailed change audit trails verify that IT process controls are effective, that the IT infrastructure is secure, and that your change management policy is enforced. This ensures compliance with Sections 302 and 404 of the Sarbanes-Oxley Act.


• Document change management workflow approval processes. Tripwire enables user-scheduled integrity checks to monitor files and their attributes, comparing them against the baseline. Changes are immediately pinpointed and appropriate IT staff can be notified by email or pager.

• Document and report all unauthorized changes. Detailed reports and audit logs of any change are provided. If the change is not desired, Tripwire software enables rapid restoration of files to a known good state.

• Provide accurate auditing of authorized changes as it relates to approved change management work flow process. Tripwire not only detects and reports unauthorized change, it also can verify that authorized changes were indeed successfully made, thus supporting change management policy and procedures.
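A minimal baseline-and-compare integrity check of the kind the list above describes: snapshot file attributes, compare a later snapshot against the baseline, then reconcile each reported change against the approved work orders. This is an added example and not Tripwire's code; the temporary directory, file names and the approved-change set are constructed.

```python
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Set, Tuple

Snapshot = Dict[str, Dict[str, object]]   # relative path -> recorded attributes
Finding = Tuple[str, str, str]             # (relative path, change type, changed attributes)

def snapshot_file(path: str) -> Dict[str, object]:
    # Record the content hash plus the attributes an integrity check compares against the baseline.
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "mtime": int(st.st_mtime)}

def snapshot_tree(root: str) -> Snapshot:
    snap = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue                       # a link's target is recorded under its own path
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = snapshot_file(full)
    return snap

def compare(baseline: Snapshot, current: Snapshot) -> List[Finding]:
    # Report every added, removed or modified file; an empty list means nothing changed.
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            findings.append((rel, "removed", ""))
        elif rel not in baseline:
            findings.append((rel, "added", ""))
        else:
            diff = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
            if diff:
                findings.append((rel, "modified", ",".join(diff)))
    return findings

def reconcile(findings: List[Finding], approved: Set[str]) -> Tuple[List[Finding], List[Finding]]:
    # Split findings into changes covered by an approved work order and everything else.
    authorized = [f for f in findings if f[0] in approved]
    unauthorized = [f for f in findings if f[0] not in approved]
    return authorized, unauthorized

def _write(root: str, rel: str, text: str) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)

def run_demo() -> dict:
    # Constructed scenario: baseline, then one approved and two unplanned changes, then reconcile.
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/app.conf", "debug=false\n")
        _write(root, "bin/report", "#!/bin/sh\necho report\n")
        baseline = snapshot_tree(root)
        _write(root, "etc/app.conf", "debug=true\n")     # covered by an approved work order
        _write(root, "bin/unplanned", "")                 # nobody approved this new file
        os.remove(os.path.join(root, "bin", "report"))    # nor this deletion
        findings = compare(baseline, snapshot_tree(root))
        authorized, unauthorized = reconcile(findings, {"etc/app.conf"})
    return {"changes": [(f[0], f[1]) for f in findings],
            "authorized": [f[0] for f in authorized],
            "unauthorized": [f[0] for f in unauthorized]}
```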

Services to Achieve Sarbanes-Oxley Compliance

Sometimes ensuring that IT systems are controlled requires more than software—it calls for expertise and deep knowledge of data, devices and how change happens. That’s what Tripwire Professional Services contributes so you can quickly get the most out of your Tripwire change audit solution.

From initial network discovery to policy file writing and customization, our experienced consultants work to get your solution up and running as quickly and effectively as possible.

Aligning IT to support Sarbanes-Oxley compliance is only one benefit. Tripwire also delivers consulting services that help build an integrated, stable and effective IT environment. This includes complete solutions to ensure the security of a company’s data assets, as well as developing strategies for using change monitoring and analysis to maximize IT service delivery uptime.

Tripwire and its network of certified partners have a proven history of delivering results to customers, and providing benefits that enable you to achieve your business objectives. Additionally, we can craft compliance solutions for you that return value far beyond your compliance requirements.

More Information

Tripwire’s SOX Solutions Center contains links to live webcasts, white papers, and case studies that show you how to integrate change auditing practices into your operations to demonstrate Sarbanes-Oxley compliance.

In addition to Sarbanes-Oxley, a growing list of industry and regulatory issues is affecting change management requirements for organizations with IT infrastructure. Fortunately, Tripwire enables IT organizations to automate change detection, reconciliation and reporting, ensuring compliance with almost any regulation, including: Gramm-Leach-Bliley Act, OCC guidelines, Visa CISP, US FDA CFR11, HIPAA, NSSC, E-Government Act, NCUA Guidelines, Common Criteria, ISO 17799, and CA Civil Code 1386. Find out more at www.tripwire.com.


Stellent, Inc. (www.stellent.com) is a global provider of content management software solutions that drive rapid success for customers by enabling fast implementations and generating quick, broad user adoption. With Stellent, customers can easily deploy multiple line-of-business applications—such as Web sites, call centers, dealer extranets, compliance initiatives, accounts payable imaging and claims processing—and also scale the technology to support enterprise-wide content management needs.

More than 4,300 customers worldwide—including Procter & Gamble, Merrill Lynch, Los Angeles County, The Home Depot, British Red Cross, ING, GlaxoSmithKline, Georgia Pacific, Bayer Corp., Coca-Cola FEMSA, Emerson Process Management and Genzyme Corp.—have selected Stellent solutions to power their content-centric business applications. Stellent is headquartered in Eden Prairie, Minn. and maintains offices throughout the United States, Europe, Asia-Pacific and Latin America.

Stellent Compliance Solutions

Stellent provides content management-based solutions to help companies streamline processes related to complying with a variety of regulations, such as the Patriot Act, Health Insurance Portability and Accountability Act (HIPAA), ISO, and the Sarbanes-Oxley Act. Stellent’s compliance solutions allow companies to efficiently manage and approve content related to financial and non-financial disclosures, as well as documentation associated with an organization’s enterprise risk management process. The solutions are based on the award-winning Stellent Universal Content Management system, which offers a full array of content management functionality—featuring document management, Web content management, digital asset management and imaging—supported by collaboration, records management and business process management services.

Solution Sponsors

About Tripwire Solutions

A comprehensive change auditing solution requires three critical pieces: process, people and technology. Correspondingly, Tripwire Solutions include both software and professional services offerings. Its software offerings include Tripwire Enterprise and Tripwire for Servers, which is a proven change monitoring and analysis solution for servers and network infrastructure running in small to enterprise organizations. Tripwire Professional Services offers a complete set of services to help organizations define change control processes, integrate Tripwire software with existing Configuration and Change Management systems, as well as Tripwire software implementation and tuning.

About Tripwire, Inc.

Tripwire, Inc. is the world leader in Change Auditing solutions that enable enterprises to reduce operational risk and gain control over IT systems. With Tripwire software, you ensure the security of your systems, instill accountability for change, gain visibility across your enterprise and increase the availability of critical IT infrastructure. Tripwire customers include Global 2000 companies such as Intuit, AT&T, Ernst & Young and the U.S. House of Representatives. Tripwire is headquartered in Portland, Ore., with offices in the UK, France and Japan and customers in 92 countries around the world. For more information visit: http://www.tripwire.com/.


Epilogue: Ten steps for sustaining compliance benefits

Cass Brewer, Editorial and Research Director, IT Compliance Institute

When you look at how little impact reporting material weaknesses has had on the issuers’ stock prices, you might wonder whether all of the worry and expense of compliance is worthwhile. There’s been little immediate investor backlash. Moreover, the business community hasn’t seen a campaign of Sarbanes-Oxley (SOX) indictments. The SEC seems neither staffed nor motivated to prosecute companies to the degree that companies have braced to be prosecuted.

If SOX compliance were only about preventing fraud and looking good to investors, it would be tempting to sideline it on the evidence that failure in either effort remains almost as unlikely to incur penalty now as it did prior to SOX’s passage. But SOX isn’t really about legislating ethics.

SOX is a deterrent in the sense it makes it harder to get away with bad business. But, in the long run, its main goal is to restore investor faith in the idea that companies do reliably communicate their financial health and risk, acknowledge corporate responsibility, and know the penalties for straying.

Perhaps the best reason to actively embrace compliance, however, is that SOX is simply good business. In survey after survey, IT managers, CIOs, and CTOs say their companies are in better shape because of compliance efforts. Finding more efficient ways to perpetuate and grow these benefits is what sustainable compliance is all about. How can you keep up with compliance pressures while reducing costs? That’s really the name of the game going forward. And it’s much of what this paper addresses.

Ten steps for sustainable compliance

Fundamentally, IT’s challenge in SOX compliance is that it’s practically as pervasive as information itself. When you look at the major general-control areas—records management, technical and physical security, and application management—it’s almost everything in the IT realm.

As it turns out, this everything-everywhere-anytime challenge of SOX is also why compliance potentially offers such broad business benefits. It is an opportunity, and perhaps an imperative, to assess, align, streamline, and improve processes and technologies across the organization.

1. Get Past FUD

The most important step to sustaining compliance benefits is getting past FUD: fear, uncertainty, and doubt. In reality, fear is a poor motivator, especially when threats are abstract, distant, or inconsistent. If enforcers aren’t breathing down your neck and investors aren’t going to abandon you, it’s easy to become complacent: let controls slip, disregard changes in regulatory guidelines, and so forth. That’s where you can get into trouble—because enforcers are still out there, and another filing deadline is right around the corner.

FUD is also ultimately expensive. By focusing too tightly on avoiding negative consequences, you miss opportunities; for example, seeing that your investment in a records management solution for financial data might also benefit your legal or sales department.

To sustain compliance, companies must learn to see compliance investments both as challenges and opportunities for innovation. If you’re going to audit or integrate data sources, can those processes serve broader business initiatives? Could your SOX security solution also solve a security issue in another part of the business? Are there projects for which you can’t otherwise get funding that will fit under the compliance umbrella?

2. See the Whole

In many cases, getting past FUD involves a conscious effort to reevaluate the role of IT compliance more holistically. In year one of SOX, most companies’ efforts have been intensively deadline driven, reactive, and tactical. Going forward, companies should proactively assess the potential role of individual compliance processes in meeting business goals and even other compliance goals. Sustainability lives in these relationships.

3. Be the Whole

It might seem counterintuitive, but expanding your compliance view can actually simplify your IT challenge. Our natural impulse is to fight complexity with complexity; so, for each SOX requirement, there’s a potential to architect a discrete solution. This approach can limit your options, decreasing solution compatibility, flexibility, and extensibility, while increasing downstream integration and maintenance costs.

A more holistic take on compliance processes can liberate you from one-off, project-centric implementations. Instead of thinking about solving a discrete compliance problem, such as records storage, you can think about how granular IT controls, such as records archiving, can meet compliance, IT, and business goals—and those goals can be tied to any number of projects.

From this foundation, you can more easily build an efficient, well-leveraged plan for high-profile, high-reward, low-risk projects with sweeping benefits—which, coincidentally, is a great way to get support and additional funding for future projects.

4. Get Business Buy-in

IT managers must train business-side compliance stakeholders to ask “how?” every time a compliance goal is on the table: how will the goal be met and what are the IT implications? Once the strategic team is on the same page with “how,” it becomes much easier to align business support behind the technical “what” you need to do to get the job done.

5. Automate

Year-one compliance is all about need—the need to meet complex requirements by the first SOX deadline. In a sustainable compliance environment, however, the focus should shift from need to speed (and cost reduction).

To date, companies have been reticent to invest in software until they’ve defined needs, mapped processes, and tested and remediated controls. Once these prerequisites are filled, however, companies should look for ways to reduce the burden and cost of manual processes through automation.

6. Don’t Forget Human Factors

Don’t forget the people part of the compliance equation. Corporate governance belongs to the entire corporation and extends beyond products to encompass people and processes. Ultimately, sustainable compliance must belong to every worker every day.

7. Build Communicative Culture

We all make the mistake sometimes of thinking people can read our minds, and SOX compliance offers ample opportunity for this error. New roles, responsibilities, and relationships; new processes and practices; and unfamiliar topics all facilitate misalignment between individuals and groups. To promote smooth compliance processes, compliance managers should act as communication role models. Moreover, it pays to stay on top of potential hot zones—in particular, cross-functional groups.

8. Measure, Monitor, Enforce

Continuing to spend heavily on compliance without tracking its costs or benefits is not a sustainable practice. Companies should bring compliance in line with other business practices by finding ways to monitor and measure it; for example, tracking expenses via a dedicated budget or billing code. Setting tangible goals, such as storage metrics, data quality metrics, and security incident targets, can also help.

9. Be Vigilant, but Not Too Vigilant

For sustained compliance, companies must align compliance cost with material relevance—gauged by their internal standards, the broader regulatory arena, and peer activities. You must assess what’s a real risk, what isn’t, and what becomes more or less risky over time.

10. Keep Your Eye on the Ball

Staying on top of SOX compliance can seem like standing on a skateboard on a patch of ice on a glacier: your job is to remain upstanding, even as everything constantly shifts around you. Regulations change, enforcer expectations evolve, regulatory trends migrate, technology emerges, business and technology standards practices evolve. Knowledge is power when it comes to SOX compliance, but it requires constant research. In sustained compliance, companies should develop regular research practices, schedules, and channels.

For more information on sustainable compliance and related topics, visit the IT Compliance Institute at www.ITCinstitute.com.
