SOX compliance is mandatory for all publicly traded companies in the United States, but for most IT teams the requirements are vague and confusing. SOX was not written as a technology mandate; it is a mandate for accounting, legal, and financial reporting, and the text of the Act contains no reference to anything specific to IT. It is often said that SOX was “written by lawyers, for lawyers”.
To address SOX compliance from an IT perspective, two frameworks are commonly used: COSO (Committee of Sponsoring Organizations of the Treadway Commission), which makes only general references to IT controls, and COBIT (Control Objectives for Information and Related Technology), which sets out specific IT control objectives and is closely aligned with COSO.
A SOX Primer
Although the legislation is long and covers a wide range of financial matters, the sections below are the ones that have been interpreted as pertinent to IT (information technology) departments:
- SOX Section 302 – Corporate Responsibility for Financial Reports
  ◦ The CEO and CFO must review and approve all financial reports and are personally responsible for their accuracy. They must certify that they are responsible for internal controls, disclose to the external auditors and the audit committee any significant deficiencies in those controls and any fraud involving management or employees with a significant role in internal controls, and indicate any material changes in internal controls.
- SOX Section 404 – Management Assessment of Internal Controls
  ◦ All annual financial reports must include an Internal Control Report stating that management is responsible for an “adequate” internal control structure, together with management’s assessment of the effectiveness of that structure. Any shortcomings in these controls must also be reported. In addition, the registered external auditor must attest to the accuracy of management’s assertion that internal accounting controls are in place, operational and effective.
- SOX Section 409 – Real Time Issuer Disclosures
  ◦ Companies are required to disclose, on a rapid and current (near real-time) basis, information concerning material changes in their financial condition or operations.
- SOX Section 1102 – Tampering with a Record or Otherwise Impeding an Official Proceeding
  ◦ It is a crime for any person to corruptly alter, destroy, mutilate, or conceal a record, document, or other object, or to attempt to do so, with the intent to impair its integrity or availability for use in an official proceeding. For a DBA this covers database records, backups and audit logs alike.
SOX Preparation Checklist for DBAs
- Data integrity ownership and responsibilities communicated to the appropriate business owners, and their acceptance of those responsibilities documented
- Key database systems inventoried and owners identified
- Database Management staff understands and accepts their responsibility regarding internal controls
- Division of roles and responsibilities: a segregation of duties between logical DBAs (SQL developers) and physical DBAs that prevents a single DBA from making unauthorized alterations
- Review documented database management processes
- Review documented database management risks
- Documented database management process controls
- Testing of database management control methods
- Gap identification and controls improvement process
- Update database management processes and document controls
Data Auditing Checklist
- Pervasive – Monitor and record critical data activity across the full range of databases, applications and systems.
- Transparent – Non-intrusive and invisible to users, especially privileged users. In addition, transparent from a performance perspective such that the databases, overall system, users or network are not negatively impacted.
- Intelligent – Ability to filter and collect only specified target activities as required to achieve compliance and discard the unneeded items. This enables an organization to efficiently manage compliance and data, reducing both storage costs and liability.
- Scalable – Scale easily and cost-effectively to keep pace with changes in the enterprise IT environment.
- Flexible – Allow an organization to easily tailor data auditing to its specific needs. Flexible, policy-based rules will enable easy customization. Create and modify policies to meet the data auditing needs of other regulations, handling multiple compliance challenges with a single solution.
- Real-time – Isolate and identify unusual activity in real time to help detect, alert and stop non-compliant data activity rapidly to mitigate risk.
- Historical – Document a comprehensive, easily searchable audit trail for monitored data activity. Then provide rich reporting capabilities, in alignment with an organization’s own corporate business processes.
- Monitoring database access by privileged users
- Monitoring changes in privileges
- Monitoring access failures
- Monitoring schema changes
- Monitoring direct data access
- Documentation review and verification
- Review of audited data from monitoring system
- Don’t let anyone authorize and/or implement changes they initiate.
- Allow the DBA the right to refuse any implementation that does not have proper documented authorization.
- Do not make record level changes to application data unless fully authorized, justified and documented. These kinds of changes often help users out of a jam, but they go completely around the application controls. Denying users this ability might lead to better business process in the end, and get you off the hook for problems that might crop up from such changes.
- Document the day-to-day configuration changes you make.
- Have written processes for both backup and recovery. Test them regularly, and document the testing.
- Review backup logs, and document the reviews to show that you are actually looking at them. You do not want to be caught saying “I check them every day, and they’re fine” when the auditor finds an unreported error; their trust in everything else you say will take a hit.
- Review backup schedules, and make sure they represent current agreements with your business units.
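As an added illustration of the five monitoring items in the auditing checklist (privileged-user access, privilege changes, access failures, schema changes and direct data access), the script below classifies database audit-log lines into those categories and produces the per-category counts a periodic review needs. This is example code written for this page, not part of the original checklist or any vendor product. The log line format, the account names (`dba_jane`, `dba_bob`, `app_svc`), the keyword tables and the sample lines are all constructed assumptions; real audit output differs per DBMS, so the parser and verb lists would be adapted to it.

```python
"""Classify database audit-log lines against the SOX monitoring items.

Added example, not part of the original checklist. The log format, account
names and keyword tables are assumptions; adapt them to your DBMS's audit output.
"""
import re
from collections import Counter

# Constructed sample lines in an assumed generic format:
#   <ISO timestamp> user=<account> host=<client> status=<OK|FAIL> stmt=<statement>
SAMPLE_LOG = """\
2024-03-01T09:00:01Z user=app_svc host=app01 status=OK stmt=SELECT id FROM gl_entries WHERE period='2024-02'
2024-03-01T09:05:12Z user=dba_jane host=ws-17 status=OK stmt=GRANT ALL ON gl_entries TO temp_user
2024-03-01T09:06:45Z user=dba_jane host=ws-17 status=OK stmt=ALTER TABLE gl_entries ADD COLUMN note TEXT
2024-03-01T09:07:03Z user=dba_jane host=ws-17 status=OK stmt=UPDATE gl_entries SET amount=0 WHERE id=4421
2024-03-01T09:10:30Z user=unknown host=10.0.0.99 status=FAIL stmt=LOGIN
2024-03-01T09:11:02Z user=app_svc host=app01 status=OK stmt=INSERT INTO gl_entries (id, amount) VALUES (4422, 13.5)
2024-03-01T09:12:40Z user=dba_bob host=ws-02 status=OK stmt=SELECT * FROM gl_entries
"""

PRIVILEGED_USERS = {"dba_jane", "dba_bob"}  # assumed: accounts holding DBA roles
APP_ACCOUNTS = {"app_svc"}                  # assumed: the application's service account

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"status=(?P<status>OK|FAIL) stmt=(?P<stmt>.*)$"
)

PRIV_VERBS = {"GRANT", "REVOKE"}
PRIV_OBJECTS = {"ROLE", "USER"}             # CREATE/ALTER/DROP ROLE|USER
DDL_VERBS = {"CREATE", "ALTER", "DROP", "TRUNCATE"}
DML_VERBS = {"INSERT", "UPDATE", "DELETE", "MERGE"}


def parse_line(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(event):
    """Map one parsed event to the monitoring categories it triggers (may be empty)."""
    cats = []
    if event["status"] == "FAIL":
        cats.append("access_failure")
    words = event["stmt"].upper().split()
    verb = words[0] if words else ""
    obj = words[1] if len(words) > 1 else ""
    if verb in PRIV_VERBS or (verb in DDL_VERBS and obj in PRIV_OBJECTS):
        cats.append("privilege_change")
    elif verb in DDL_VERBS:
        cats.append("schema_change")
    # DML from anything other than the application account bypasses application controls.
    if verb in DML_VERBS and event["user"] not in APP_ACCOUNTS:
        cats.append("direct_data_access")
    if event["user"] in PRIVILEGED_USERS:
        cats.append("privileged_access")
    return cats


def audit(log_text):
    """Return one finding per line that triggers at least one category.

    Lines that cannot be parsed are reported too: a gap in the audit trail is
    itself something the reviewer needs to see.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            findings.append({"line": lineno, "raw": line, "categories": ["unparsed_line"]})
            continue
        cats = classify(event)
        if cats:
            findings.append({"line": lineno, "categories": cats, **event})
    return findings


def summarize(findings):
    """Count findings per category for the periodic review report."""
    return Counter(c for f in findings for c in f["categories"])


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        cats = ",".join(f["categories"])
        print(f"line {f['line']:>3} {cats:<40} {f.get('user', '?')} {f.get('stmt', f.get('raw'))}")
    print(dict(summarize(results)))
```

On the constructed sample the routine application traffic from `app_svc` produces no findings, while every statement from a DBA account is recorded as privileged access and additionally flagged as a privilege change, a schema change or direct data access as appropriate; the failed login and any line the parser cannot read are surfaced rather than silently dropped. The direct-data-access rule is the one that backs the "no record-level changes outside the application" item above: any INSERT, UPDATE or DELETE that does not come from the application's own account is reported regardless of who issued it.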