Achieving SOX Compliance With IAM

Even though the Sarbanes-Oxley Act (SOX) isn’t news – it’s been around for nearly 20 years – companies are still searching for the best way out of the SOX compliance maze and ways to keep up with legislation updates and to adapt their strategies to an ever-changing technological landscape.

In this article, we are going to take a closer look at the role of IT in achieving SOX compliance, what you need to look out for when implementing SOX IT requirements and why identity and access management (IAM) is a good approach to taming those werewolves.

The Sarbanes-Oxley Act was enacted in 2002 as a reaction to multiple accounting scandals that took place in the early 2000s, including Enron, WorldCom and Arthur Andersen. The goal of this new piece of legislation was to prevent corporations and accounting firms from committing accounting fraud by implementing stricter financial governance laws and dictating internal controls which are regularly assessed through independent audits.

Not only does achieving SOX compliance require disclosure of annual financial reports, it also requires disclosure of an internal controls report as proof that internal control measures have been implemented. These internal controls include several IT controls to ensure the documentation provided by companies is true and adequately protected against data breaches and tampering. They also serve as a means for companies to show that they are following a good business code of ethics. These internal controls are regularly assessed by external auditors.

Achieving SOX compliance is a complex and at times confusing undertaking that requires great care, meticulousness, endurance and accuracy from the persons responsible for implementing it. Public companies dealing with the requirements of the Sarbanes-Oxley Act must plan ahead and implement long-term strategies to achieve SOX compliance.

All publicly traded companies in the US, including foreign companies who are publicly traded in the US, must comply with SOX. The act also covers accounting firms who offer auditing services to publicly traded companies.

IT plays a major role in achieving SOX compliance because the financial records affected by the law are processed by and stored in IT systems. It is therefore absolutely crucial that you bring your IT systems up to speed and make sure they are sound and ready for your yearly controls audit.

To pass a SOX audit, your company must adopt and implement security best practices. To be sure you’re on the right track, it is best you lay out your measures against a framework such as COBIT (Control Objectives for Information and Related Technology), which is a comprehensive best practice framework developed by ISACA (Information Systems Audit and Control Association). This is most likely what your auditor will be using as well to measure the performance of your internal controls. Other frameworks to familiarize yourself with include:

Choosing a framework to follow is the first security best practice step you should take toward achieving SOX compliance. It will provide you with more specific guidance for implementing the required improvements. Additional cybersecurity best practices your company should strive to meet include:

How you choose to implement these best practices is up to you. There isn’t a one-fits-all solution out there that will cover your A-Z of best practices. However, an identity and access management solution will cover many of the requirements and help you gain control of user access and rights, which is a major factor in demonstrating that your internal controls are of a good standard.

Once you’ve implemented these best practices in all systems that handle or store financial and other important data, you are on the right track to achieving SOX compliance. But security isn’t the only thing you must ensure to achieve SOX compliance. Further aspects you should be aware of and implement include:

Section 404 of SOX specifies that companies must implement internal controls to protect important financial information against errors and attempted fraud. In addition, organizations must hire external auditors to evaluate and attest to these controls. Companies must be able to immediately provide their auditors with any required documents to demonstrate that their internal control systems work.

This SOX requirement is the most relevant in terms of IT and also the most difficult to implement. Maintaining seamless records of your internal control systems in a way that keeps the documents easily accessible for your yearly audit is no small task. Companies are well advised to invest in tools that can automate the record keeping process and are able to instantly produce reports for auditors to view. A direct extract from the law shows the requirements placed on the yearly financial report:

As stated earlier, implementing best practice principles of data security and protection is absolutely essential to achieving SOX compliance. It is therefore important to choose a tool that covers at least some of the elements listed. Your chosen software solution should help automate tasks required for audits and ensure your financial data (as well as other sensitive information) is sufficiently protected against cyberattacks, insider threats and security breaches. As human error presents one of the greatest risks to security, your chosen product should significantly reduce the risk of human error.

Since SOX affects both physical and electronic records, having a good identity and access management (IAM) strategy is crucial to achieving SOX compliance. IAM solutions automate processes like user provisioning and allow companies to provide users with granular access to information (e.g. Read, Read & Write, Modify or Full Control access).

By removing unnecessary permissions, IAM solutions help protect your business from both cyber attacks and employee data theft. Reporting tools that provide automatic documentation of all changes to access rights also make it easy to provide these details during your yearly SOX audit.

tenfold is an access management solution that covers a large portion of the IT requirements you must achieve in order to reach SOX compliance. It acts as a central hub for managing users and permissions across various IT systems (Active Directory, Sharepoint, Exchange) and automates access governance.

Thanks to the automatic reports generated by tenfold, any information regarding changes or logs can be pulled right away when your SOX auditor asks for it. Not only does access management with tenfold cover many of the requirements dictated by Sarbanes-Oxley, it also covers a multitude of other frameworks, such as the GDPR, ISO 27001 and HIPAA.

In tenfold, you can appoint data owners to be in charge of resources. Any user who wants access to any such resource must first request permission to do so via an approval workflow, as part of which the data owner either approves the request or rejects it. Data owners are also subjected to regular user access reviews, where they go over the permissions and resources they are responsible for and reconfirm or withdraw them. All of this is automated, reducing the risk of human error and privilege creep (which is when users have way more permissions than they should). But that isn’t all – automation also means your admins are not bound by redundant tasks, but finally have time to address more important matters.