While IT, information security and systems management are not featured specifically in the regulations, the primary source of internal controls is within the IT systems that most companies rely on to track and produce financial data.
The SEC has mandated the use of a 'recognised internal controls framework' and mentioned COSO (Committee of Sponsoring Organizations of the Treadway Commission) by name. Other frameworks include CobiT (Control Objectives for Information and related Technology) and ISO 17799 (from the International Standards Organization). Most companies are using a custom blend of elements from these frameworks and incorporating guidance from the Public Company Accounting Oversight Board, which is responsible for providing direction to the auditing firms.
People and processes comprise two-thirds of the considerations needed to help organisations comply with the legislation, but technology is necessary to document existing system controls, remediate control gaps or automate current manual controls.
Central to enabling these internal controls is the ability to evaluate an IT environment for compliance with corporate IT configuration policies and patch level requirements. Controls should be in place that limit the system usage of different personnel. This access control is one of the primary safeguards an organisation should have in place to ensure that no unauthorised changes are made to financial data. The key is that administrators are able to automate user account creation and management, password resets and account access audits. By controlling the delegation of these privileges, time-intensive administration tasks can be entrusted to end users while actually lowering the overall number of privileged/admin accounts - and therefore the risk to the business.
Once duties are defined, tools that report on user access will ensure that they remain suitably segregated between development and operations. These checks will also determine whether system parameters have been modified outside of company policy and will scan systems to ensure that an organisation is not vulnerable to the latest computer exploits. Moreover, software should be deployed to automate the repair of any vulnerabilities that are found, by disabling users, changing registry settings and deploying the latest security patches. In compliance with SOX, these IT health checks ensure that financial data is not vulnerable to unauthorised changes or to corruption through malicious code attacks by employees or external hackers.
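As an added illustration of the segregation-of-duties check described above (example code written for this article, not a NetIQ product or any real standard), the script below runs a toxic-role-combination policy over a constructed user-access report and lists the privileged accounts the article suggests keeping to a minimum. The role names, the toxic pairs and the sample records are all assumptions.

```python
# Added example: segregation-of-duties (SoD) check over a user-access report.
# Role names, toxic pairs and the access records are constructed for illustration.
from collections import defaultdict

# Policy: role pairs that one person must not hold on the same financial system.
TOXIC_PAIRS = {
    frozenset({"developer", "operator"}),        # can write code and deploy it
    frozenset({"developer", "finance_poster"}),  # can change code and post entries
}
PRIVILEGED_ROLES = {"operator", "sysadmin"}

# Constructed access report: (user, system, role), as an access-audit tool might export.
ACCESS_REPORT = [
    ("alice", "ledger", "developer"),
    ("alice", "ledger", "operator"),        # SoD violation on the same system
    ("bob",   "ledger", "operator"),
    ("bob",   "payroll", "developer"),      # different systems: allowed by this policy
    ("carol", "payroll", "finance_poster"),
    ("carol", "payroll", "developer"),      # SoD violation on the same system
    ("dave",  "ledger", "sysadmin"),
]

def roles_by_user_system(report):
    """Group role assignments per (user, system) pair."""
    grouped = defaultdict(set)
    for user, system, role in report:
        grouped[(user, system)].add(role)
    return grouped

def sod_violations(report, toxic_pairs=TOXIC_PAIRS):
    """Return sorted (user, system, role_a, role_b) tuples that breach the policy."""
    findings = []
    for (user, system), roles in roles_by_user_system(report).items():
        for pair in toxic_pairs:
            if pair <= roles:            # user holds both roles on this system
                role_a, role_b = sorted(pair)
                findings.append((user, system, role_a, role_b))
    return sorted(findings)

def privileged_accounts(report, privileged=PRIVILEGED_ROLES):
    """Users holding any privileged role on any system: the count to keep low."""
    return sorted({user for user, _, role in report if role in privileged})

if __name__ == "__main__":
    for finding in sod_violations(ACCESS_REPORT):
        print("SoD violation: %s on %s holds %s and %s" % finding)
    print("privileged accounts:", privileged_accounts(ACCESS_REPORT))
```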
While measures should be taken to prevent issues with financial data, the legislative controls frameworks take into account that not every exploit can be prevented and that controls must be in place to detect incidents that slip past preventative controls.
If an incident is detected, it must be properly managed and documented. This key control is mentioned in the legislation and is essential for SOX compliance. Best practice once a breach becomes apparent is to consolidate security events into a report that provides a holistic picture across all devices and platforms in the enterprise, correlating events across multiple platforms and providing comprehensive audit trails and forensic analysis.
Another important control identified in the major frameworks is the meeting of internal service level agreements (SLAs). If a system is not available, it is recognised that employees will not be able to follow the standard process for recording financial transactions or events. As a result, IT departments should look to implement tools necessary for monitoring and reporting on service levels. Such automated checks will help ensure that applications are properly authorised, that jobs run according to schedule and that the correct managers are alerted when issues occur.
If compliance managers need a guiding principle, it is that all controls must flow from corporate policy and be well documented, properly communicated and regularly updated. Systems should be available to provide auditors with a list of all corporate technology usage policies, details of who has read and signed each policy, and information about when each policy was last reviewed or updated. While most companies have already begun documenting their key controls with the help of an outside auditing or consulting firm, they still need to identify gaps and implement mitigating controls to fill them.
Moreover, after April 2005, when the deadlines have passed, many companies will find themselves looking for ways to automate both the controls themselves and the assessment of those controls in order to reduce their ongoing compliance costs. Such systems will automate both and safeguard against failures in either.
Luke Brown is director of systems and security management, NetIQ EMEA