Sustaining SOX Compliance: Best Practices to Mitigate Risk, Automate Compliance, and Reduce Costs
white paper
Configuration Control for Virtual and Physical InfrastructuresContents
3 Executive Summary 4 Sustaining SOX Compliance 5 Tripwire as Part of Your SOX Sustainability Strategy
2 | WHITE PAPER | Sustaining SOX Compliance: Best Practices to Mitigate Risk, Automate Compliance, and Reduce CostExecutive Summary
"Quality is not a sprint; it is a long-distance event." and internal controls. This decade of heightened compliance -Daniel Hunt is driving major corporate initiatives for greater transpar-ency, governance, accuracy and accountability throughout the enterprise. Each company must identify, track and vali-The passage of information security and technology laws date all business processes to ensure that its operations are and rules over the past 10 years has affected most indus- compliant. In many cases the controls required by many tries and companies. In response to these laws, management of these regulations and standards such as Sarbanes-Oxley must be more accountable and aware of the need for a must be implemented worldwide for affected companies, continuous and proactive operational risk management envi- which may prove challenging for some organizations given ronment that recognizes the links between its technology cultural and legal differences overseas.infrastructure, business processes, reputation, compliance,
3 | WHITE PAPER | Sustaining SOX Compliance: Best Practices to Mitigate Risk, Automate Compliance, and Reduce Costreflect the organization's strategic goals and objectives, as Sustaining SOX Compliance well as ensure accurate financial reporting, and transparent Efforts Must be Sustainable and timely disclosures. Many "lessons learned" resulted from the first year's The Sarbanes-Oxley Act (SOX) has significant information implementation of SOX. Numerous public roundtables were security implications for companies governed by the regula- held, such as ones held by the SEC and PCAOB (see their tion. Sections 302, 404 and 409 of SOX, and corresponding web sites for summaries of this extensive public debate). SEC Rules and Regulations, have tremendous ramifications Many webcasts and other public events by FEI, NACD, IIA, for information technology (IT) in the areas of control and numerous other organizations have featured extensive (internal controls), evaluation (governance, measurement debate on enhancing the SOX implementation on a go-and recordkeeping), and disclosure (reporting and certi- forward basis. fication). Perhaps the most talked-about requirements of An IIA research study entitled Sarbanes-Oxley Section 404 SOX are the ones related to internal control over financial Work - Looking at the Benefits (www.theiia.org/download.reporting. Section 302 of SOX and the SEC Regulations that cfm?file=343) provides an extensive summary of some of the were passed to implement it require corporations to adopt key benefits from SOX implementations, along with exten-internal controls over financial reporting and operations. sive discussion regarding the high first year costs involved Specifically, sections 302(a)(4)(A) and (B) of SOX require a in meeting the requirements of the Act and its related SEC company's chief financial officer and chief executive to cer- rules.tify in quarterly and annual reports to the SEC that they: The IIA research study presented three major themes:(A) are responsible for establishing and maintaining First, there are significant benefits associated with the internal controls; control identification, documentation, and testing process. (B) have designed such internal controls to ensure The evaluation process has led to improvements in basic that material information [about the company and internal controls such as reconciliations and segregation of its subsidiaries] is made known to such officers by duties. Substantial improvements in the control environ-others within those entities... ment have resulted from the process. Many companies have These "control, evaluate and disclose" elements must work recognized they have vulnerabilities in the Information together as integral parts of the SOX compliance process. Technology (IT) area and will be devoting more resources to To meet the challenges of SOX compliance, companies need improving and evaluating IT controls as they move forward. to adopt... [download for more]
