7 Ways the Sarbanes-Oxley Act Affects IT Security

by Sofia Peterson
November 20, 2019

The early 2000s were a time of significant turmoil in Corporate America. Otherwise-reputable firms including Enron, WorldCom and the accounting firm Arthur Andersen came crashing down under the weight of shocking accounting scandals. As billions of dollars in shareholder wealth were wiped out and investor confidence nose-dived, radical measures were needed to close ‘creative accounting’ loopholes and restore credibility in the financial markets.

Thus was born the Sarbanes-Oxley Act (SOX), enacted in July 2002. SOX had a profound effect on how US public companies are governed. Although SOX is aimed at the integrity of financial reporting, it had far-reaching, if not originally intended, consequences for IT security: Section 404 requires management to assess the effectiveness of internal controls over financial reporting, and those controls rest on the IT systems that store and process the financial data. To comply with SOX, organizations need to understand what SOX compliance requires of them and align their IT procedures with certain principles of IT security.

We look at some of the most important below.

1.  IT Security Policies

An IT security policy addresses a specific area of technology security such as email management, network access or telecommuting. Comprehensive IT security policies are the foundation of data protection. They define the processes and standards that ensure IT systems are safe and secure.

For SOX audit and compliance, IT security policies are an important piece of documentation that proves to auditors and regulators that the organization is committed to creating an environment that keeps its information (financial and non-financial) safe. For the policies to satisfy SOX, they must cover all major areas of cybersecurity, be approved by the board and management, and be clearly communicated to employees.

2.  Access Management and User Authorization

Ensuring that only individuals permitted to use a financial reporting system have access to it is a fundamental SOX-related IT security control. That means granting access on the basis of documented authorization, and putting in place methods (periodic access reviews, reconciliation of accounts against HR records) that confirm the rules are consistently adhered to.

Access management methods range from the basic, like enforcing unique user IDs and passwords, to the more advanced, including two-factor authentication and biometric controls such as fingerprint and retina scans. Password rules are critical too (e.g. specifications on password length, complexity, age, reuse, and sharing), though current guidance such as NIST SP 800-63B favours minimum length and screening against known-breached passwords over mandatory complexity rules and periodic expiry.

3.  User Management

User management encompasses the various processes involved in creating, modifying and deleting user accounts in information systems. To comply with SOX, the user accounts that facilitate financial reporting must be managed by formal and well-documented procedures.

These include procedures for user account creation, changes to existing accounts, approval of new accounts by someone other than the requester, prompt removal of access for terminated or resigned employees, and regular review of user account privileges.
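One way to operationalise the "prompt removal" and "regular review" steps is to reconcile the financial application's account export against the HR roster on a schedule. The script below is an added example written for this article, not code from the original post or from any SOX tooling; the roster, the account export, their field names and the 90-day dormancy threshold are all assumptions constructed for the demonstration.

```python
"""Periodic user-access review for a financial reporting system.

Added example (not code from the original article). The HR roster and the
account export are constructed sample data, and their field names are
assumptions about what such exports typically contain.
"""
from datetime import date

# Constructed HR roster: employee id -> HR status
HR_ROSTER = {
    "e100": {"status": "active"},
    "e101": {"status": "terminated", "term_date": "2019-10-31"},
    "e102": {"status": "active"},
}

# Constructed account export from the financial application
ACCOUNTS = [
    {"user": "alice", "emp_id": "e100", "enabled": True, "admin": False, "last_login": "2019-11-18"},
    # left enabled after the employee was terminated
    {"user": "bob", "emp_id": "e101", "enabled": True, "admin": False, "last_login": "2019-11-15"},
    # privileged account that has not been used for months
    {"user": "carol", "emp_id": "e102", "enabled": True, "admin": True, "last_login": "2019-08-01"},
    # service account with no owner in HR
    {"user": "svc_report", "emp_id": None, "enabled": True, "admin": True, "last_login": "2019-11-19"},
    # disabled accounts are out of scope for the review
    {"user": "eve", "emp_id": "e101", "enabled": False, "admin": False, "last_login": "2019-10-30"},
]

REVIEW_DATE = date(2019, 11, 20)   # assumed date the review is run
DORMANT_DAYS = 90                  # assumed threshold for unused privileged accounts


def review_accounts(accounts, roster, today, dormant_days=DORMANT_DAYS):
    """Return (user, finding) pairs for enabled accounts that need action.

    Findings:
      terminated_still_enabled - HR says the owner has left but the account works
      no_hr_owner              - nobody in HR is accountable for the account
      dormant_admin            - privileged account unused for more than dormant_days
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        owner = roster.get(acct["emp_id"]) if acct["emp_id"] else None
        if owner is None:
            findings.append((acct["user"], "no_hr_owner"))
        elif owner["status"] == "terminated":
            findings.append((acct["user"], "terminated_still_enabled"))
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if acct["admin"] and idle > dormant_days:
            findings.append((acct["user"], "dormant_admin"))
    return findings


def run_review():
    """Run the review over the constructed data with the assumed review date."""
    return review_accounts(ACCOUNTS, HR_ROSTER, REVIEW_DATE)


if __name__ == "__main__":
    for user, finding in run_review():
        print(f"{user:12} {finding}")
```

Each finding maps to a documented follow-up: a terminated owner means the account is disabled the same day, an unowned account is assigned an accountable owner or removed, and a dormant privileged account is disabled until its owner re-justifies it. Keeping the output of every run is what gives the auditor evidence that the review actually happens.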

4.  Network Security

Network perimeters must be shielded by firewalls and by intrusion detection and prevention systems. In large organizations these defenses shouldn’t be used only to protect the organization’s digital assets from external threats but also to segment the internal network, separating financial reporting systems from other systems and users so that a compromise elsewhere in the organization cannot reach them directly.

Encryption of sensitive financial information is also necessary. TLS (its predecessor SSL is obsolete and should be disabled), PGP and certificate-based authentication can protect confidential data in transit, and copies of financial data held at rest in databases and backups should be encrypted as well. Antimalware solutions are also necessary to detect and eliminate network-disseminated viruses, worms, Trojans, ransomware and other forms of malware.

All these measures must be complemented by a regular independent assessment and test of the state of the organization’s network security. This may entail contracting a third party to perform penetration testing or ethical hacking.

5.  Monitoring

The technology infrastructure of a medium-sized or large business is a complex ecosystem generating millions of events per day. While the overwhelming majority of these events are harmless, routine activity, some may have a more sinister, harmful intent. This is why log monitoring is an essential component of securing financial reporting systems.

Notable system events that should warrant additional investigation include port scans, bursts of failed logins, new administrator accounts, changes of administrator passwords and administrator logins outside business hours. In large organizations the volume of notable security events can be enormous, so automated monitoring tools (typically a SIEM that collects logs from every system and applies correlation rules) are needed to distinguish the harmless from the dangerous.
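The rules above can be expressed directly as detection logic. The script below is an added example written for this article, not code from the original post or from any particular SIEM product: it parses a constructed, not real, audit log in an assumed "timestamp key=value ..." format and raises an alert for each of the event types listed above. The account names, thresholds (five failures in five minutes, ten distinct blocked ports) and business-hours window are assumptions chosen for the demonstration.

```python
"""Rule-based review of audit-log lines from a financial reporting host.

Added example (not code from the original article). The log format (ISO
timestamp followed by key=value pairs), the thresholds and the sample lines
are assumptions constructed for the demonstration; a production deployment
would express the same rules in its SIEM against real log formats.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_USERS = {"admin", "root"}             # assumed privileged accounts
BUSINESS_HOURS = (8, 18)                    # 08:00-18:00 local, Monday to Friday
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=5)
SCAN_THRESHOLD = 10                         # distinct blocked ports from one source

# Constructed sample log (not real data), in chronological order
SAMPLE_LOG = """\
2019-11-19T09:00:01 host=fin-app01 event=login user=alice result=success src=10.0.0.20
2019-11-19T09:01:10 host=fin-app01 event=login user=alice result=failure src=10.0.0.99
2019-11-19T09:01:25 host=fin-app01 event=login user=alice result=failure src=10.0.0.99
2019-11-19T09:01:40 host=fin-app01 event=login user=bob result=failure src=10.0.0.99
2019-11-19T09:02:05 host=fin-app01 event=login user=bob result=failure src=10.0.0.99
2019-11-19T09:02:30 host=fin-app01 event=login user=admin result=failure src=10.0.0.99
2019-11-19T10:00:00 host=fin-app01 event=login user=admin result=success src=10.0.0.7
2019-11-19T10:15:00 host=fin-app01 event=user_add user=svc_new group=administrators actor=carol
2019-11-19T10:16:00 host=fin-app01 event=password_change user=admin actor=carol
2019-11-19T23:45:00 host=fin-app01 event=login user=admin result=success src=10.0.0.7
"""
# Twelve firewall drops from one source against consecutive ports: a port sweep
SAMPLE_LOG += "".join(
    f"2019-11-19T23:50:{p:02d} host=fin-fw01 event=drop src=10.0.0.99 dst=10.0.1.5 dport={p}\n"
    for p in range(20, 32)
)


def parse(line):
    """Turn 'timestamp k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    record = dict(pair.split("=", 1) for pair in pairs)
    record["ts"] = datetime.fromisoformat(ts)
    return record


def analyse(lines):
    """Return (rule, subject) alerts in the order they fire."""
    alerts = []
    failures = defaultdict(list)   # src -> timestamps of recent failed logins
    ports = defaultdict(set)       # src -> distinct ports the firewall dropped
    for record in (parse(l) for l in lines if l.strip()):
        event, ts = record["event"], record["ts"]
        if event == "login" and record["result"] == "failure":
            recent = failures[record["src"]]
            recent.append(ts)
            recent[:] = [t for t in recent if ts - t <= FAIL_WINDOW]   # slide the window
            if len(recent) == FAIL_THRESHOLD:
                alerts.append(("failed_login_burst", record["src"]))
        elif event == "login" and record["user"] in ADMIN_USERS:
            in_hours = BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1] and ts.weekday() < 5
            if not in_hours:
                alerts.append(("admin_login_off_hours", record["user"]))
        elif event == "user_add" and record.get("group") == "administrators":
            alerts.append(("new_admin_account", record["user"]))
        elif event == "password_change" and record["user"] in ADMIN_USERS:
            alerts.append(("admin_password_change", record["user"]))
        elif event == "drop":
            seen = ports[record["src"]]
            seen.add(record["dport"])
            if len(seen) == SCAN_THRESHOLD:
                alerts.append(("port_scan", record["src"]))
    return alerts


def run_sample():
    """Apply the rules to the constructed log."""
    return analyse(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for rule, subject in run_sample():
        print(f"{rule:24} {subject}")
```

Note that the successful administrator login at 10:00 on a Tuesday produces nothing, while the same account logging in at 23:45 does; the point of the time-of-day rule is to make a legitimate but unusual action visible for follow-up rather than to block it. Each alert should carry enough context (source address, actor) for the person triaging it to trace back to the originating record.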

6.  Segregation of Transaction Roles

The ability to initiate, execute and review transactions should be segregated so that no one person can perform a transaction end-to-end. Transactions here don’t refer only to financial payments but to any system-related process such as creating user accounts, deleting accounts, configuring system backups, or setting up and bringing online a new server.

Segregation reduces the risk of fraud and error.
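Segregation of duties is easiest to enforce when the system itself refuses a step that would let one person cover two stages, and easiest to audit when the role assignments can be checked for conflicts before anyone acts. The code below is an added example written for this article, not code from the original post or from any workflow product; the three stages, the role-to-stage matrix, and the users and their roles are assumptions constructed for the demonstration, and it treats user-account creation as a transaction in exactly the sense the section describes.

```python
"""Segregation-of-duties enforcement for a three-stage transaction workflow.

Added example (not code from the original article). The stages, the role
matrix and the sample users are assumptions constructed for the demonstration.
"""
STAGES = ("initiate", "execute", "review")

# Assumed role assignments; a user may hold several roles
ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_manager"},
    "carol": {"ap_clerk", "ap_manager"},   # holds roles for two stages of a payment
    "dave": {"internal_audit"},
    "erin": {"it_helpdesk"},
    "frank": {"it_admin"},
    "grace": {"security"},
}

# Assumed matrix: roles permitted to perform each stage of each transaction type.
# "Transaction" covers system processes (account creation) as well as payments.
ALLOWED = {
    "payment": {"initiate": {"ap_clerk"}, "execute": {"ap_manager"}, "review": {"internal_audit"}},
    "user_account": {"initiate": {"it_helpdesk"}, "execute": {"it_admin"}, "review": {"security"}},
}


class SoDViolation(Exception):
    """Raised when a step would let one person cover more of a transaction than allowed."""


class Transaction:
    def __init__(self, kind):
        self.kind = kind
        self.actors = {}   # stage -> user who performed it

    def perform(self, stage, user):
        """Record that `user` performed `stage`, or refuse with the reason."""
        if len(self.actors) == len(STAGES):
            raise SoDViolation("transaction already complete")
        expected = STAGES[len(self.actors)]
        if stage != expected:
            raise SoDViolation(f"{stage} attempted before {expected}")
        if user in self.actors.values():
            raise SoDViolation(f"{user} already acted on this transaction")
        if not ROLES.get(user, set()) & ALLOWED[self.kind][stage]:
            raise SoDViolation(f"{user} holds no role permitted to {stage} a {self.kind}")
        self.actors[stage] = user
        return self.actors


def attempt(kind, steps):
    """Apply (stage, user) steps in order; return ("ok", actors) or ("violation", reason)."""
    tx = Transaction(kind)
    try:
        for stage, user in steps:
            tx.perform(stage, user)
    except SoDViolation as exc:
        return ("violation", str(exc))
    return ("ok", dict(tx.actors))


def toxic_combinations(roles=ROLES, allowed=ALLOWED):
    """Users whose roles span more than one stage of the same transaction type."""
    out = []
    for user, held in roles.items():
        for kind, stages in allowed.items():
            covered = tuple(s for s, permitted in stages.items() if held & permitted)
            if len(covered) > 1:
                out.append((user, kind, covered))
    return out


if __name__ == "__main__":
    print(attempt("payment", [("initiate", "alice"), ("execute", "bob"), ("review", "dave")]))
    print(attempt("payment", [("initiate", "carol"), ("execute", "carol")]))
    print(toxic_combinations())
```

The runtime check in `perform` stops the same person acting twice even when their roles would permit it, and `toxic_combinations` finds the role assignments (carol, who can both initiate and execute a payment) that an access review should remove before they are ever exercised. Both checks are cheap, and the record of who performed each stage is the audit trail that proves the control was applied.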

7.  Physical Security

Physical access to technology infrastructure that supports financial reporting must be tightly controlled. Control could be as simple as having a lock and key. However, given the sensitivity of financial systems, more sophisticated means of managing physical access such as card-operated security doors, entry PINs and biometric systems are often required.

It’s not always easy to establish a clear physical barrier in today’s world of cloud and distributed computing: the servers that hold financial data may sit in a provider’s facility the organization never visits. Physical security must therefore be complemented by robust logical access controls, and by assurance from the provider (for example, an independent audit report) that its own physical controls meet the organization’s requirements.

The enactment of SOX greatly increased senior management’s appreciation and awareness of IT security. IT security controls and the integrity of financial reporting are closely intertwined. While aligning IT security controls with SOX requirements initially comes with an added expense, the improvement in governance and risk management eventually leads to more effective operations and thus cost savings.

Sofia Peterson

Sofia is a contributor at The Hack Post who loves to write about Technology. She also enjoys reading books and swims during her free time.

The Hack Post © 2019
