8/3/2019 Solidcore SOX White Paper
http://slidepdf.com/reader/full/solidcore-sox-white-paper 1/10
Sustainable Sarbanes-Oxley Compliance
A Solidcore White Paper
The Sarbanes-Oxley Act (SOX), passed by the US Congress in 2002, represents a fundamental
shift in corporate governance norms. As corporations come to terms with the implications of
SOX to their businesses, one thing is clear: a SOX compliance program is not a one-time project
but a sustained effort to gain visibility and accountability into business processes that affect the
accuracy of financial reporting. This white paper outlines the issues faced by IT managers in
meeting their compliance requirements and explains how Solidcore can be a core component
of a sustainable and cost-effective SOX compliance program.
Complying with Sarbanes-Oxley.
The Sarbanes-Oxley Act (SOX), passed by the US Congress in 2002, represents the most fundamental shift in corporate
governance norms for many decades. In particular, section 404
is often talked about as being the core provision of SOX as it
deals with executive management’s responsibility for
establishing and maintaining adequate internal control over
financial reporting for the company. It requires management to
certify the adequacy and effectiveness of its internal controls
and to disclose any material weaknesses found.
The key to a successful compliance program is to recognize the
fact that Sarbanes-Oxley (SOX) does not simply require that
adequate controls be established – it requires the annual
review of the effectiveness of those controls. In other words,
achieving compliance is not a one-time event; rather it must be
part of an ongoing process that needs to be sustained over
time. Corporations that view the compliance provisions of
Section 404 as a burdensome legislative mandate may not be
making the necessary investments for a sustained compliance
program. On the other hand, corporations that view compliance
as a means to establish and maintain good process through a
well defined set of internal controls and the automation of
those controls are the ones that will be more likely to have a
successful long-term compliance program.
The standard that most auditors use to determine adequacy of
internal controls is the standard of due care. A company
exercises due care if it follows current best practices for
establishing accountability and measurability over its internal
controls. If there is an incident in which an internal control is
circumvented in spite of measures that meet the test of “due
care”, then the company is not liable for regulatory penalties
(fines and other sanctions). However, the precise definition of
“due care” is amorphous and changes over time. It simply
refers to a standard of feasibility (most people should be able
to do it) and reasonableness (the benefit should justify the cost
for most people), as already practiced by enough other companies.
Note that SOX is the most visible of a number of regulatory
standards that have emerged in recent years. While we focus
on SOX in this white paper, information about other standards is available in Appendix B.
IT Controls are central to SOX Compliance
In today’s corporate environments, control over IT systems is
critical to a sustainable compliance program. The US Public
Company Accounting Oversight Board (PCAOB), which provides
guidelines for auditors, issued a statement (Auditing Statement
No. 2) that made this very clear:
“The nature and characteristics of a company’s use of
information technology in its information system affect the
company’s internal control over financial reporting.”
In the same document, the PCAOB goes on to stress the
centrality of IT controls in an audit of SOX compliance:
“To identify relevant assertions, the auditor should determine
the source of likely potential misstatements in each
significant account. In determining whether a particular
assertion is relevant to a significant account balance or
disclosure, the auditor should evaluate the nature and
complexity of the systems, including the use of information
technology by which the company processes and controls
information supporting the assertion.”
The remainder of this white paper will focus on building and
maintaining effective IT controls to meet Sarbanes-Oxley
requirements.
The conventional approach to establishing and maintaining IT
controls is to exhaustively document IT processes and policies
and increase the frequency of review. This approach, while it
may meet the “due care” standard today, is costly, inefficient
and error-prone. A sustainable compliance program will need
to automate the verification and enforcement of IT controls in a
manner that causes low operational overhead and decreases
the documentation burden on systems administrators and
audit personnel.
That leads to the primary issue faced by IT departments in
meeting their compliance requirements today: it is very
difficult to control IT systems. Most companies have some
form of change approval process, whether formally captured in
a workflow system, or informally captured via email exchanges.
However, many people have the ability to add to or modify the
software that runs on a system, change configurations, directly
access data, and generally perform actions on the system in
ways that change its state. Regardless of whether the
intentions behind the actions are benign or malicious, they
have an impact on how confident you can be about who did
what on your systems. Consider a situation in which an annual
audit is coming up. People on the staff of the CIO know that
because of SOX, they will need to convince the auditors with
good answers to questions about who modified data when and
for what purpose. How can they reconcile every change on a
system with its purpose and authorization? How can they
demonstrate that their change process was followed, and that
every exception to the process is accounted for in a manner
satisfactory to the audit team?
The typical answer to questions of this sort is to talk about
access and change control policies the company has put in
place. However, this is not satisfactory without adequate
mechanisms to verify that the process was followed. For
example, it is not enough to say “I know that only person X had
access to the data, because that’s our company policy.” Can
you verify that only approved changes were deployed on a
given server? Can you reconcile the approved changes with
the actually implemented changes? Can these questions be
answered in an automated manner so that audit requirements
can be fulfilled without a lot of manual effort?
This is where IT should provide leadership: to enable
companies to enforce policies and report on policy breaches.
Requirements for sustainable compliance.
The key requirement for sustainable compliance is control over change. Demonstrating to auditors that adequate IT controls
are in place requires gaining visibility into the change process,
establishing accountability for changes, and selectively
enforcing limits on how systems may be changed. In other
words, a company’s IT controls should, at a minimum, address
the following requirements:
Visibility
Provide extensive logging capabilities that track all relevant
program and data changes, as well as categorize and report
on them in a useful and actionable manner.
Accountability
Reconcile every change with its authorization and purpose
to verify that policies have been followed. Report on
exceptions to the change process.
Selective Enforcement
Provide a mechanism to enforce these policies selectively
where appropriate to prevent breaches from occurring.
Meeting the IT requirements for compliance is an onerous task.
The information required to verify IT controls is unavoidably
very large, exists in many different forms and is scattered
widely across a complex IT infrastructure. Reconciliation across
these information sources is a largely manual, tedious, error-
prone and expensive process. In general, it is very difficult for
the IT personnel to use such scattered information to construct
documentation demonstrating the capability to detect policy
violations. For example, leaders in SOX compliance practices
include large financial services companies in which every fiscal
quarter, dozens of people suspend their usual job duties for
several days in order to collect data and create documentation
in the “quarterly compliance fire drill.”
Sustainable compliance with Solidcore
Solidcore’s solutions offer enterprises a simple and efficient way to meet their IT compliance requirements in a sustainable
manner. Solidcore provides visibility, accountability and
selective enforcement of existing processes. These
capabilities enable enterprises to automate and enforce
internal IT controls and thereby build a sustainable compliance
program. The remainder of this section focuses on each of
these capabilities.
Visibility
Solidcore provides real time detection of change across the
enterprise. Solidcore enables you to discover who makes what
changes when, as it happens. A fully featured reporting engine
as well as a web-based search tool provide the ability to sift
through large volumes of data quickly and focus only on the
useful and actionable information. Change archives are stored
in a tamper-proof independent system of record. These
capabilities allow enterprises to validate adherence to IT
controls on an ongoing basis with minimal overhead. For
example, any change information requested by an audit team
may be quickly satisfied using the reporting capabilities of the
system.
Accountability
Solidcore provides automated reconciliation with existing
change approval systems to correlate each deployed change
with its authorization and purpose. In cases where
documentation for a change does not exist (for example, in the
case of an emergency or ad-hoc change), Solidcore can
automatically create the required documentation and link it
with the deployed change. Together, these capabilities enable
enterprises to close the documentation loop and demonstrate
accountability for audits. For example, any IT control that
requires verification that the change process was followed can
be quickly satisfied with the reconciliation reports provided by
Solidcore.
Selective Enforcement
Solidcore provides the means to selectively enforce change control windows and other custom change policies. Changes
can be restricted to only occur within a specified time interval,
or only to particular servers or files. Further restrictions on who
(a person or a program) can make a change can also be enabled
and enforced. The selective enforcement capability further
automates the IT controls required by SOX. For example, if an
IT control states that no changes are allowed on servers
housing financial data during an audit period, this capability
allows the enforcement of that control in an automated
manner.
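As an added illustration (not Solidcore's own code, and not a product API), the following Python check models the three requirements above over constructed sample data: each observed change event is first tested against a selective-enforcement policy (an audit-period freeze on financial hosts, plus a set of authorized principals) and then reconciled against an approved-change register; anything permitted by policy but matching no ticket is flagged as undocumented so that a record can be created for it. Host names, paths, users, ticket ids and dates are all made up for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class ChangeEvent:
    """One observed change on a monitored host (sample data is constructed below)."""
    host: str
    path: str
    user: str      # a person or a program, as the text puts it
    at: datetime


@dataclass(frozen=True)
class Approval:
    """An approved change record, e.g. exported from a ticketing/workflow system."""
    ticket: str
    host: str
    path: str
    user: str
    start: datetime
    end: datetime

    def covers(self, ev: ChangeEvent) -> bool:
        """True when this ticket authorizes exactly this change, inside its window."""
        return (ev.host == self.host and ev.path == self.path
                and ev.user == self.user and self.start <= ev.at <= self.end)


@dataclass
class Policy:
    """Selective enforcement: freeze window on sensitive hosts, authorized principals."""
    frozen_hosts: set[str]
    freeze_start: datetime
    freeze_end: datetime
    allowed_users: set[str]

    def permits(self, ev: ChangeEvent) -> tuple[bool, str]:
        if ev.host in self.frozen_hosts and self.freeze_start <= ev.at <= self.freeze_end:
            return False, "change window closed (audit period freeze)"
        if ev.user not in self.allowed_users:
            return False, f"principal {ev.user} is not authorized to change systems"
        return True, "permitted"


def reconcile(events, approvals, policy):
    """Classify every event as 'blocked' (policy denies it), 'approved' (a ticket
    covers it) or 'undocumented' (permitted, but no ticket: create a record)."""
    report = []
    for ev in events:
        ok, reason = policy.permits(ev)
        if not ok:
            report.append((ev, "blocked", reason))
            continue
        ticket = next((a.ticket for a in approvals if a.covers(ev)), None)
        if ticket is not None:
            report.append((ev, "approved", ticket))
        else:  # hypothetical auto-created record id for the emergency/ad-hoc change
            report.append((ev, "undocumented", f"AUTO-{ev.host}-{ev.at:%Y%m%d%H%M}"))
    return report


def summarize(report) -> dict[str, int]:
    """Exception counts for the audit summary."""
    counts: dict[str, int] = {}
    for _, status, _ in report:
        counts[status] = counts.get(status, 0) + 1
    return counts


T = datetime.fromisoformat  # constructed sample data follows
APPROVALS = [Approval("CHG-1001", "fin-db-01", "/etc/app/ledger.conf", "alice",
                      T("2005-03-01T20:00"), T("2005-03-01T23:00"))]
POLICY = Policy(frozen_hosts={"fin-db-01"}, freeze_start=T("2005-03-05T00:00"),
                freeze_end=T("2005-03-31T23:59"), allowed_users={"alice", "bob"})
EVENTS = [
    ChangeEvent("fin-db-01", "/etc/app/ledger.conf", "alice", T("2005-03-01T21:15")),
    ChangeEvent("fin-db-01", "/etc/app/ledger.conf", "bob", T("2005-03-02T09:00")),
    ChangeEvent("fin-db-01", "/usr/local/bin/report", "alice", T("2005-03-10T10:00")),
    ChangeEvent("web-01", "/var/www/index.html", "svc-batch", T("2005-03-02T09:00")),
]
```

Running reconcile(EVENTS, APPROVALS, POLICY) yields one approved change, one undocumented change needing a record, and two blocked changes (one inside the freeze, one by an unauthorized principal).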
Mapping SOX requirements to Solidcore capabilities
To map these capabilities to specific internal controls required
by SOX we will use a widely used controls framework, one
provided by COSO, a voluntary private sector organization
dedicated to improving the quality of financial reporting. The
SEC recommends that this framework be followed and in
practice this is the controls framework that is used by most
audit organizations. COSO identifies five essential areas of
control, and every IT manager will need to demonstrate how
their IT controls support the COSO framework. Note that at a
finer level of granularity there is another framework, the COBIT
framework, which identifies thirty-four specific IT controls that
must be satisfied for SOX compliance. These detailed
requirements and their mapping to COSO as well as to
Solidcore capabilities, are included in Appendix A.
COSO identifies 5 areas of effective internal controls (see table
on next page). Solidcore provides the technical means to meet
the internal controls guidelines laid out by COSO. Solidcore’s
capabilities can form a core component of a cost-effective and
sustainable SOX compliance program.
Summary
The Sarbanes-Oxley Act (SOX), passed by the US Congress in
2002, represents a fundamental shift in corporate governance
norms. Achieving compliance is not a one-time project but
must be part of an ongoing process that needs to be sustained
over time. In today’s corporate environments, control over IT
systems is critical to any compliance program. A sustainable
compliance program will need to automate the verification and
enforcement of IT controls in a manner that causes low
operational overhead and decreases the documentation burden on systems administrators and audit personnel.
Solidcore’s solutions offer enterprises a simple and efficient
way to meet their IT compliance requirements in a sustainable
manner. Solidcore provides visibility, accountability and
selective enforcement of existing processes. These
capabilities enable enterprises to automate and enforce
internal IT controls and thereby build a sustainable compliance
program.
COSO Requirement: Control Environment
This is the foundation of effective internal control and deals mostly with organizational culture - the "tone at the top." The control environment includes issues such as aligning business and IT objectives and defining roles and responsibilities with respect to IT controls.
Solidcore Capability: Solidcore provides real-time visibility and accountability of changes occurring in the IT infrastructure. The capabilities of Solidcore's reports and search components provide the means to bring about the culture of openness and accountability that is advocated by COSO.
COSO Requirement: Risk Assessment
This portion of internal control deals with identifying the risks associated with a given control objective. The risks need to be measurable and the control activities need to be designed to provide visibility into how the risks are being addressed. This includes risk assessments built throughout the systems development process as well as the infrastructure operations and change process.
Solidcore Capability: Solidcore provides risk mitigation capabilities that are transparent and measurable, to address this COSO requirement. In particular, Solidcore provides real time notification of changes so that any breach of process can be tracked as soon as it happens. Solidcore also includes a tamper-proof Independent System of Record to mitigate the risk of unauthorized access to the audit trail.
COSO Requirement: Control Activities
Control activities are the policies, procedures and practices that are carried out to ensure that business objectives are reached and risks are mitigated. These controls include:
Data controls: backup, recovery process.
System software controls: controls over acquisition, implementation and maintenance of software systems.
Access controls: rights management.
Development controls: controls over systems development methodology.
Solidcore Capability: Solidcore provides the capabilities to selectively enforce how changes are applied on production systems. Enforcement is flexible and can be tailored for specific requirements such as restricting changes to a small set of administrators, or preventing changes during a fiscally sensitive time-window. As with all Solidcore capabilities, all change activity is tracked so that each control activity can be verified.
COSO Requirement: Information and Communication
In order to manage risk and ensure process integrity, COSO requires that a clear communication plan be established. It is important to identify what information is needed and to ensure that the information is communicated to the relevant people in a timely manner. Of particular importance is to ensure the quality of the information: it must be appropriate, timely, current, accurate and accessible.
Solidcore Capability: Solidcore provides a closed-loop documentation capability that
(a) Reconciles documented changes with actually deployed changes,
(b) Creates documentation for changes that did not go through the approval process (e.g. an emergency change).
All changes are tracked in real-time and can be integrated with an alerting system to provide timely, current, accurate and accessible information on changes to production systems.
COSO Requirement: Monitoring
Monitoring refers to the oversight of internal controls by management through continuous and point-in-time assessment processes. Continuous monitoring requires that process failures and remediation be detected and corrected on an ongoing basis. Point-in-time monitoring refers to internal audits, external audits and other scheduled regulatory examinations.
Solidcore Capability: Solidcore provides real-time alerts to meet the continuous monitoring requirement - any change made outside of process can trigger an alert as soon as it happens. In addition, Solidcore comes with a fully-featured reporting module that can be customized to meet the requirements of all scheduled regulatory examinations.
Appendix A: Cobit Framework
While COSO identifies five components of internal control that need to be in place and integrated to achieve financial reporting
and disclosure objectives, COBIT provides a more detailed view of these controls as it relates to IT. Each of the 34 items in the
COBIT framework map to one or more of the five COSO components as detailed in the table below. Solidcore capabilities are
outlined where applicable – Solidcore can help with 21 of the 34 COBIT guidelines. The remaining guidelines deal mostly with
issues of corporate strategy.
Cobit Requirement / Solidcore Capability
[COSO Requirement column headings: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring; the per-row mapping is not legible in this copy]
Plan and Organize (IT Environment)
IT strategic planning: Gain visibility into change process and create action plan for process improvement.
Information architecture: (none listed)
Determine technological direction: (none listed)
IT organization and relationships: (none listed)
Manage the IT investment: Leverage existing IT investments with Solidcore, and connect disparate silos of change information.
Communication of management aims and direction: (none listed)
Management of human resources: (none listed)
Compliance with external requirements: Monitor policy breaches, produce audit trails and reports to verify compliance.
Assessment of risks: Real-time alerts to gain up-to-the-second visibility into changes occurring on production systems.
Manage projects: (none listed)
Management of quality: Maintain systems in a verified state for reduced unplanned downtime.
Acquire and Implement (Program Development and Program Change)
Identify automated solutions: (none listed)
Acquire or develop application software: (none listed)
Acquire technology infrastructure: (none listed)
Develop and maintain policies and procedures: Reconcile deployed changes with actual changes thereby providing verification that policies were followed. Maintain policies by enabling selective enforcement mechanisms.
Install and test application software and technology infrastructure: Quicken test cycles by maintaining staging servers and production servers in a consistent state.
Manage changes: Complete trail of all changes across the enterprise, categorized and reconciled with authorization and purpose.
(table continued on next page)
Cobit Requirement / Solidcore Capability
[COSO Requirement column headings: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring; the per-row mapping is not legible in this copy]
Deliver and Support (Computer Operations and Access to Programs and Data)
Define and manage service levels: Lower unplanned downtime by maintaining systems in a known and validated state. Meet or exceed SLAs through improved visibility.
Manage third-party services: Reconcile third party changes with work orders to ensure consistency and completeness of service.
Manage performance and capacity: Maintain throughput and computing capacity with a solution that incurs a low CPU and network overhead.
Ensure continuous service: Ensure that production and disaster recovery or backup systems are kept in a consistent state and alert on any deviation.
Ensure systems security: Selectively enforce process and ensure that no changes made outside of approved process may be implemented.
Identify and allocate costs: (none listed)
Educate and train users: (none listed)
Assist and advise customers: (none listed)
Manage the configuration: View reports on deviations from a "gold" image and get alerts for changes to configuration.
Manage problems and incidents: Utilize Web-based ad-hoc search tool for forensics and quick remediation.
Manage data: Protect critical data by preventing unauthorized change to it; report on all changes to a given set of data.
Manage facilities: (none listed)
Manage operations: Enforce process for a proactive change control stance.
Monitor and Evaluate (IT Environment)
Monitoring: Get real-time alerts on any change in the environment.
Adequacy of internal controls: Demonstrate adherence to published processes and controls through validation reports.
Independent assurance: Record changes in a tamper-proof, comprehensive Independent System of Record.
Internal audit: Automate reconciliation and verification of approved changes with deployed changes.
(table continued from previous page)
Appendix B: Other regulatory standards
Although we focus on the provisions of the Sarbanes-Oxley Act in this white paper, there are other regulatory measures that
seek to impose better governance and oversight as well. The table below summarizes a few of these compliance regimes.
HIPAA (Health Insurance Portability and Accountability Act, 1996)
HIPAA established privacy requirements and security standards for protecting the confidentiality and integrity of individually identifiable health information. It governs healthcare information of many kinds, ranging from clinical information to billing.
GLBA (Gramm-Leach-Bliley Act, 1999)
The Gramm-Leach-Bliley Act Safeguards Rule requires financial institutions to prevent unauthorized access to non-public personal information. Financial institutions must take steps to ensure the security and confidentiality of non-public personal information, which includes name, address,
social security number and credit history.
CA 1386 (California Senate Bill 1386, 2003)
California enacted legislation that regulates personal financial information over and above the requirements of GLBA. Specifically, this bill requires any firm to disclose to California residents any case of their unencrypted customer data being compromised, regardless of where or how the breach occurred. Because many companies do business in California, CA 1386 is effectively a national regulation, at least within the financial services industry.
Basel II (Basel Capital Accord, 2004)
The Basel Capital Accord (Basel II) updates the international bank capital accord (Basel I) to improve consistency of capital regulations, make regulatory capital more risk sensitive, and to promote risk-management practices among large international banking organizations. Compliance
requires all banking institutions to have sufficient assets to offset any risks they may face.
Payment Card Industry (PCI) Data Security Standard
Introduced by Visa, MasterCard, American Express, Discover and other credit card issuers. All processors of credit card information are required to adhere to its twelve requirements, which are geared towards protecting cardholder information (please refer to the Solidcore white paper on PCI compliance for further details).
The Federal Information Security Management Act (FISMA), 2002
FISMA is intended to bolster computer and network security within the Federal Government and affiliated parties by mandating yearly audits. FISMA requires each federal agency to develop, document, and implement an agency-wide information security program for the information and information systems that support the operations and assets of the agency.
Sustainable Sarbanes-Oxley Compliance
A Solidcore White Paper
Contact
Email: [email protected]
Web: http://www.solidcore.com
Tel: 888.210.6530
© 2005 Solidcore Systems. Solidcore Systems,
Solidcore, S3 Change Control, and Solidification
are trademarks of Solidcore Systems, Inc. All
rights reserved in the United States and
internationally.