Last week, we discussed about the importance of ISO 27001, today we bring you another important compliance check.
The Sarbanes–Oxley Act of 2002, also known as the "Public Company Accounting Reform and Investor Protection Act" and "Corporate and Auditing Accountability and Responsibility Act" and more commonly called Sarbanes–Oxley, Sarbox or SOX, is a Federal law for all publicly held USA corporations, and establishes extensive civil and criminal penalties for non-compliance.
Who Needs to Comply with SOX?
According to the underlying terms on the regulation, the requirements of SOX must be fulfilled by all the American businesses which are publicly held. The regulation is also applicable to international businesses that have registered any debt securities or equity with the U.S. Securities and Exchange Commission in the past. All the accounting or any other third party fintech firm which provides financial assistance to the earlier mentioned firms also must comply with SOX.
Purpose of SOX
The main intention of SOX is to establish verifiable security controls to protect against disclosure of confidential data, and tracking of personnel to detect data tampering that may be fraud related. The central purpose of the act is to reduce fraud, build public confidence and trust, and protect data that may affect companies and shareholders.
COBIT and ISO 27000 Support
Sarbanes-Oxley makes multiple references to "internal control" of data. To meet this requirement, companies must establish rules and guidelines by which the organization is controlled and audited.
There are many acceptable techniques for establishing this type of governance; one of the most popular methods of establishing "internal control" is to implement the "COBIT Framework", created by ISACA. COBIT (Control Objectives for Information and Related Technology) is an extensive set of guidelines and tools that describe processes and organizational requirements needed to promote security and create good governance capable of satisfying SOX requirements. The framework consists of its own standards, as well as many other standards, including ISO/IEC 27000.
ISACA is an international professional association focused on IT Governance. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves. The ISACA standards will provide access to the full COBIT standard which will include the control objectives, the guidelines of Audit and the materials for helping to implement COBIT in the enterprise. Though it is useful, but COBIT's control objectives aren't directly and universally applicable to SOX, so you'll have to look closely at each control objective in the SOX context, but many will be appropriate. COBIT control objectives refer somewhat broadly to policies that the standard requires rather than specify policies directly. The policy authors can determine if their policies achieve the stated goals by assembling the list of policies referred to by COBIT and understanding why the policy must exist.
Important Sections Of SOX
This act consists of multiple sections, all of which require compliance by a company. The two principle sections that relate to security are Section 302 and Section 404, summarized below:
• Section 302: This section pertains to 'Corporate Responsibility for Financial Reports'. It intends to safeguard against faulty financial reporting. As part of this section, companies must safeguard their data responsibly so as to ensure that financial reports are not based upon faulty data, tampered data, or data that may be highly inaccurate.
• Section 404: This section pertains to 'Management Assessment of Internal Controls'. It requires the safeguards stated in Section 302 (as well as other sections) to be externally verifiable by independent auditors, so that independent auditors may disclose to shareholders and the public possible security breaches that affect company finances. Specifically, this section guarantees that the security of data cannot be hidden from auditors, and security breaches must be reported.
Policies Aspects in Business Context
The main feature of writing policy is that those should not only be technically correct but also be applicable to the business. In short, all your policies should adhere to the size of the organization in the market with technology and employees. When you will be drafting a policy for your organization, you need to make sure that policies recommended by ISO 27000 and COBIT make sense in your context. As for instance, in case of smaller organizations, there may be enough transparency in the creation of account and changes to the access controls but in larger organizations, there has to be a long chain of approvals in multiple departments.
What are the Compliance Requirements of SOX?
The Sarbanes-Oxley Act of 2002, also referred to as the ‘Public Company Accounting Reform and Investor Protection Act’ sets lawful compliance requirements for public and private accounting firms and companies. Regarding corporate governance and financial disclosure, the Sarbanes-Oxley Act has set up criminal and civic penalties in case of non-compliance and increased financial disclosure.
Provisions of the Sarbanes-Oxley Act take a detailed account of corporate governance and financial disclosure of both U.S. and non-U.S. based companies. This act demands all financial reports to encompass an Internal Controls Report which is an accurate indication of the financial data of a company. An auditor at SoX is required to make a complete assessment of controls, policies, and procedures during the auditing of section 404 and make sure that the internal controls and procedures can be audited with the help of a control framework like COBIT.
An audit trail of all activity and access leading to sensitive business information must be provided by log collection and monitoring systems. Sarbanes-Oxley also plays a very important role in protecting whistleblower employees of publicly traded companies and their subsidiaries by disclosing corporate fraud of illegal activities.
There are a number of provisions of Sarbanes-Oxley which affect private-held companies, either directly or indirectly. For instance, the intention of impeding or falsifying authentic documents or trying to influence a federal agency investigation may result in fines and imprisonment for up to 20 years. Additionally, whistleblower protection is applicable to retaliation against someone who provides information against any kind of possible federal offense which may lead to up to 10 years imprisonment.
SoX sections 302, 404 and 409 take into account a number of parameters that must be monitored, logged as well as audited which are
Login activity (success and failures)
One of the largest components of any SoX compliance audit is a review of the internal controls of a company which includes all IT assets, networks, hardware, and other electronic equipment. An IT audit of SoX will include the following internal control listings:
Data Backup: Sensitive data must be protected by maintaining backup systems. Data centers that contain stored-off sites or third-party applications that are subject to the same SoX compliance requirements and are hosted on-site are also subject to the same SoX compliance requirements.
Accessibility Controls: Access controls refers basically to the physical and electronic controls which prevent unauthorized users from gaining control of sensitive financial information. This also takes into account the servers and data centers that need to be protected at secure locations and implementing several other measures for keeping the password safe and secure.
Change Management: Change management involves the procedure of adding new users and computer systems, installing and updating new software, and keeping data infrastructure safe by adding new changes to the databases, apart from keeping a precise record of things which were changed, when they were changed and who changed them.