Achieving SOX Compliance With IAM
“Achieving SOX compliance truly is a walk in the park!” said no one ever. Staying on top of all SOX requirements can be a daunting task: financial records, internal controls, yearly audits – if preparing for SOX compliance is a walk in the park, then that park is a gigantic maze infested with booby traps, sinkholes and werewolves.
Even though the Sarbanes-Oxley Act (SOX) isn’t news – it’s been around for nearly 20 years – companies are still searching for the best way out of the SOX compliance maze and ways to keep up with legislation updates and to adapt their strategies to an ever-changing technological landscape.
In this article, we are going to take a closer look at the role of IT in achieving SOX compliance, what you need to look out for when implementing SOX IT requirements and why identity and access management (IAM) is a good approach to taming those werewolves.
What Is SOX Compliance?
The Sarbanes-Oxley Act was enacted in 2002 as a reaction to multiple accounting scandals that took place in the early 2000s, including Enron, WorldCom and Arthur Andersen. The goal of this new piece of legislation was to prevent corporations and accounting firms from committing accounting fraud by implementing stricter financial governance laws and dictating internal controls which are regularly assessed through independent audits.
What Does Achieving SOX Compliance Encompass?
Not only does achieving SOX compliance require disclosure of annual financial reports, it also requires disclosure of an internal controls report as proof that internal control measures have been implemented. These internal controls include several IT controls to ensure the documentation provided by companies is true and adequately protected against data breaches and tampering. They also serve as a means for companies to show that they are following a good business code of ethics. These internal controls are regularly assessed by external auditors.
Achieving SOX compliance is a complex and at times confusing undertaking that requires great care, meticulousness, endurance and accuracy from the persons responsible for implementing it. Public companies dealing with the requirements of the Sarbanes-Oxley Act must plan ahead and implement long-term strategies to achieve SOX compliance.
Who Must Comply With SOX?
All publicly traded companies in the US, including foreign companies who are publicly traded in the US, must comply with SOX. The act also covers accounting firms who offer auditing services to publicly traded companies.
You can find more background information about SOX compliance, the audit process and the specific wording of the act in our blog post on the subject.
The Role of IT in Achieving SOX Compliance
IT plays a major role in achieving SOX compliance because the financial records affected by the law are processed by and stored in IT systems. It is therefore absolutely crucial that you bring your IT systems up to speed and make sure they are sound and ready for your yearly controls audit.
SOX IT Requirements
To pass a SOX audit, your company must adopt and implement security best practices. To be sure you’re on the right track, it is best you lay out your measures against a framework such as COBIT (Control Objectives for Information and Related Technology), which is a comprehensive best practice framework developed by ISACA (Information Systems Audit and Control Association). This is most likely what your auditor will be using as well to measure the performance of your internal controls. Other frameworks to familiarize yourself with include:
IT Security Best Practices
Choosing a framework to follow is the first security best practice step you should take toward achieving SOX compliance. It will provide you with more specific guidance for implementing the required improvements. Additional cybersecurity best practices your company should strive to meet include:
Prevention of data loss
Regular data backups
Prevention of data breaches and fraud scams
Educating staff (of all levels) on security policies and the proper use of technologies and services
Regular software and system updates
Defining a clear use policy for employees and outsiders who have access to corporate IT systems
Defining an incident response strategy which your IT department and executives must be familiar with
How you choose to implement these best practices is up to you. There isn’t a one-size-fits-all solution out there that will cover every best practice from A to Z. However, an identity and access management solution will cover many of the requirements and help you gain control of user access and rights, which is a major factor in demonstrating that your internal controls are of a good standard.
Once you’ve implemented these best practices in all systems that handle or store financial and other important data, you are on the right track to achieving SOX compliance. But security isn’t the only thing you must ensure to achieve SOX compliance. Further aspects you should be aware of and implement include:
User identification and authorization
Securing online data and user controls
Monitoring of system utilities and applications
Detecting and removing malware and ransomware
Download our white paper for a deep dive into the Sarbanes-Oxley Act, its purpose and the role of IT in achieving compliance.
Section 404 Compliance
Section 404 of SOX specifies that companies must implement internal controls to protect important financial information against errors and attempted fraud. In addition, organizations must hire external auditors to evaluate and attest to these controls. Companies must be able to immediately provide their auditors with any required documents to demonstrate that their internal control systems work.
This SOX requirement is the most relevant in terms of IT and also the most difficult to implement. Maintaining complete records of your internal control systems in a way that keeps the documents easily accessible for your yearly audit is no small task. Companies are well advised to invest in tools that can automate the record-keeping process and are able to instantly produce reports for auditors to view. A direct extract from the law shows the requirements placed on the yearly financial report:
(a) Rules Required. The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 to contain an internal control report, which shall–
(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
(b) Internal Control Evaluation and Reporting. With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.
Good to know
Smaller reporting companies (SRCs) with an annual revenue of less than 100 million dollars are exempt from complying with Section 404 of Sarbanes-Oxley. The SEC approved amendments to this effect in 2018 in order to make it easier for smaller businesses to achieve SOX compliance.
Achieving SOX Compliance: 3 Tips!
Document all relevant policies, procedures and processes in your organization.
Inventory your controls. Properly document your internal controls over financial reporting (ICFR). Internal controls refer to the procedures you have put in place to ensure compliance with your company’s policies.
Implement segregation of duties (SoD) – make sure all roles and responsibilities are clearly defined. Keep access rights to the minimum level required to perform any given job, in accordance with the Principle of Least Privilege.
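Segregation of duties and least privilege are easiest to verify when they are expressed as data rather than as a policy document. The following added example (it is not tenfold's code, and every role, permission, user and conflict pair in it is constructed for illustration) models a small ICFR conflict matrix, computes each user's effective permissions from their roles, flags SoD violations and roles that are toxic on their own, and lists permissions a user holds beyond what their job requires:

```python
"""Segregation-of-duties (SoD) and least-privilege checks over a constructed
role model. Added example, not tenfold's code; all roles, permissions,
users and conflict pairs below are constructed for illustration."""

# Constructed: pairs of duties that one person must never hold at the same time.
# Classic ICFR conflicts: whoever can create a vendor must not also approve
# payments to it; whoever posts a journal entry must not approve it; etc.
SOD_CONFLICTS = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"journal_entry_post", "journal_entry_approve"}),
    frozenset({"payroll_edit", "payroll_approve"}),
}

# Constructed role -> permissions mapping (what each role grants).
ROLE_PERMISSIONS = {
    "ap_clerk": {"vendor_create", "invoice_enter"},
    "ap_manager": {"payment_approve", "invoice_enter"},
    "gl_accountant": {"journal_entry_post"},
    "controller": {"journal_entry_approve", "payment_approve"},
    "payroll_admin": {"payroll_edit", "payroll_approve"},  # conflicts by itself
}


def effective_permissions(roles):
    """Union of the permissions granted by all of a user's roles."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def sod_violations(roles):
    """Sorted list of conflicting permission pairs a holder of these roles has."""
    perms = effective_permissions(roles)
    found = [tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= perms]
    return sorted(found)


def toxic_roles():
    """Roles that violate SoD even when assigned on their own."""
    return sorted(role for role in ROLE_PERMISSIONS if sod_violations([role]))


def excess_permissions(roles, required):
    """Least privilege: permissions granted by the roles but not needed for the job."""
    return sorted(effective_permissions(roles) - set(required))


# Constructed users: their assigned roles and the permissions their job actually needs.
USERS = {
    "alice": {"roles": ["ap_clerk"],
              "required": {"vendor_create", "invoice_enter"}},
    "bob": {"roles": ["ap_clerk", "ap_manager"],
            "required": {"invoice_enter", "payment_approve"}},
    "carol": {"roles": ["gl_accountant", "controller"],
              "required": {"journal_entry_post"}},
}


def review_users(users=USERS):
    """Per-user findings: SoD conflicts and permissions beyond the job's needs."""
    return {
        name: {
            "sod": sod_violations(u["roles"]),
            "excess": excess_permissions(u["roles"], u["required"]),
        }
        for name, u in users.items()
    }


if __name__ == "__main__":
    print("toxic roles:", toxic_roles())
    for user, finding in review_users().items():
        print(user, finding)
```

Running the check over the constructed data flags bob (vendor creation plus payment approval through two otherwise harmless roles) and carol (posting plus approving journal entries), and marks payroll_admin as a role that should be split before anyone is assigned it. The same structure scales to exports from a directory or an IAM system: the conflict matrix is the part an auditor will ask to see, and the findings are the evidence that it is enforced.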
What Types of Software Can Assist With Achieving SOX Compliance?
As stated earlier, implementing best practice principles of data security and protection is absolutely essential to achieving SOX compliance. It is therefore important to choose a tool that covers at least some of the elements listed. Your chosen software solution should help automate tasks required for audits and ensure your financial data (as well as other sensitive information) is sufficiently protected against cyberattacks, insider threats and security breaches. As human error presents one of the greatest risks to security, your chosen product should significantly reduce the risk of human error.
SOX and IAM
Since SOX affects both physical and electronic records, having a good identity and access management (IAM) strategy is crucial to achieving SOX compliance. IAM solutions automate processes like user provisioning and allow companies to provide users with granular access to information (e.g. Read, Read & Write, Modify or Full Control access).
By removing unnecessary permissions, IAM solutions help protect your business from both cyber attacks and employee data theft. Reporting tools that provide automatic documentation of all changes to access rights also make it easy to provide these details during your yearly SOX audit.
Achieving SOX Compliance – With tenfold
tenfold is an access management solution that covers a large portion of the IT requirements you must achieve in order to reach SOX compliance. It acts as a central hub for managing users and permissions across various IT systems (Active Directory, SharePoint, Exchange) and automates access governance.
Thanks to the automatic reports generated by tenfold, any information regarding changes or logs can be pulled right away when your SOX auditor asks for it. Not only does access management with tenfold cover many of the requirements dictated by Sarbanes-Oxley, it also covers a multitude of other frameworks, such as the GDPR, ISO 27001 and HIPAA.
In tenfold, you can appoint data owners to be in charge of resources. Any user who wants access to any such resource must first request permission to do so via an approval workflow, as part of which the data owner either approves the request or rejects it. Data owners are also subjected to regular user access reviews, where they go over the permissions and resources they are responsible for and reconfirm or withdraw them. All of this is automated, reducing the risk of human error and privilege creep (which is when users accumulate far more permissions than their job requires). But that isn’t all – automation also means your admins are not tied up with repetitive tasks, but finally have time to address more important matters.
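The three mechanisms described above (data-owner approval, an audit trail of every change to access rights, and periodic access reviews that catch privilege creep) fit together in a few dozen lines. The following added example is not tenfold's code and does not use its API; the resources, data owners, users and dates are constructed, and the review thresholds (90 idle days, 180 days between reviews) are assumptions chosen for illustration. It also serves the point made under "SOX and IAM" about automatic documentation of access-right changes, since every grant, rejection and revocation lands in an append-only log that can be handed to an auditor as-is:

```python
"""Data-owner approval workflow, append-only access-change log and a periodic
access review that flags stale grants. Added example, not tenfold's code;
all resources, owners, users, dates and thresholds are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed: each resource has exactly one data owner who may approve access.
DATA_OWNERS = {"finance-share": "cfo", "payroll-db": "hr_lead"}


@dataclass
class Grant:
    user: str
    resource: str
    level: str                      # e.g. "Read", "Modify", "Full Control"
    approved_by: str
    granted_on: date
    last_used: Optional[date] = None
    last_reviewed: Optional[date] = None


@dataclass
class AccessStore:
    grants: dict = field(default_factory=dict)  # (user, resource) -> Grant
    log: list = field(default_factory=list)     # append-only audit trail

    def _record(self, event, **fields):
        self.log.append({"event": event, **fields})

    def request(self, user, resource, level, approver, today):
        """Approval workflow: only the resource's data owner can approve."""
        if approver != DATA_OWNERS.get(resource):
            self._record("rejected", user=user, resource=resource, level=level,
                         approver=approver, reason="approver is not data owner")
            return False
        self.grants[(user, resource)] = Grant(user, resource, level, approver, today)
        self._record("granted", user=user, resource=resource, level=level,
                     approver=approver, on=today.isoformat())
        return True

    def record_use(self, user, resource, when):
        grant = self.grants.get((user, resource))
        if grant is not None:
            grant.last_used = when

    def access_review(self, today, max_idle_days=90, review_every_days=180):
        """Grants the data owner must reconfirm or withdraw, with the reasons."""
        findings = []
        for g in self.grants.values():
            reasons = []
            if (today - (g.last_used or g.granted_on)).days > max_idle_days:
                reasons.append("unused")
            if (today - (g.last_reviewed or g.granted_on)).days > review_every_days:
                reasons.append("review overdue")
            if reasons:
                findings.append((g.user, g.resource, g.level, reasons))
        return sorted(findings)

    def revoke(self, user, resource, reviewer, today):
        grant = self.grants.pop((user, resource), None)
        if grant is None:
            return False
        self._record("revoked", user=user, resource=resource, level=grant.level,
                     by=reviewer, on=today.isoformat())
        return True


def run_demo():
    """Constructed scenario: two approvals, one rejection, then a review."""
    store = AccessStore()
    start = date(2024, 1, 10)
    store.request("alice", "finance-share", "Modify", "cfo", start)  # approved
    store.request("bob", "payroll-db", "Read", "cfo", start)         # wrong owner
    store.request("bob", "payroll-db", "Read", "hr_lead", start)     # approved
    store.record_use("alice", "finance-share", date(2024, 6, 1))
    today = date(2024, 7, 15)
    findings = store.access_review(today)
    # The data owner withdraws the grant bob never used.
    store.revoke("bob", "payroll-db", "hr_lead", today)
    return {
        "events": [e["event"] for e in store.log],
        "findings": findings,
        "grants_left": sorted(store.grants),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

In the constructed run, the first request for payroll-db is rejected because the CFO is not that resource's owner, the review flags bob's grant as both unused and overdue and alice's as merely overdue, and the log ends with the revocation. Keeping the log append-only and separate from the current grant table is what makes it usable as audit evidence: the auditor sees who approved what, when, and what was later withdrawn, without relying on anyone's memory.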
Identity & Access Management Solutions Compared
Our white paper will help you navigate the IAM market, familiarize you with available products and explain key questions to ask yourself when evaluating IAM solutions.