Complying with Sarbanes-Oxley.
The Sarbanes-Oxley Act (SOX), passed by the US Congress in 2002, represents the most fundamental shift in corporate governance norms for many decades. In particular, section 404 is often talked about as being the core provision of SOX as it deals with executive management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the company. It requires management to certify the adequacy and effectiveness of its internal controls and to disclose any material weaknesses found.
The key to a successful compliance program is to recognize the fact that Sarbanes-Oxley (SOX) does not simply require that adequate controls be established – it requires the annual review of the effectiveness of those controls. In other words, achieving compliance is not a one-time event; rather, it must be part of an ongoing process that is sustained over time. Corporations that view the compliance provisions of Section 404 as a burdensome legislative mandate may not be making the necessary investments for a sustained compliance program. Corporations that view compliance as a means to establish and maintain good process through a well-defined set of internal controls and the automation of those controls are the ones more likely to have a successful long-term compliance program.
IT Controls Testing and Verification are Largely Manual.
The conventional approach to establishing and maintaining IT controls is to exhaustively document IT processes and policies and to increase the frequency of review. This approach is costly, inefficient and error-prone. A sustainable compliance program will need to automate the verification and enforcement of IT controls in a manner that imposes low operational overhead and decreases the documentation burden on systems administrators and audit personnel.
The primary issue faced by IT departments in meeting their compliance requirements today lies in the difficulty of controlling IT systems. Most companies have some form of change approval process, whether formally captured in a workflow system or informally captured via email exchanges. However, there is a gap between the changes documented through the formal process and the actual change activity on infrastructure elements. Consider a situation in which an annual audit is coming up. People on the staff of the CIO know that, because of SOX, they will need to convince the auditors with good answers to questions about who modified data, when, and for what purpose. How can they reconcile every change on a system with its purpose and authorization? How can they demonstrate that their change process was followed, and that every exception to the process is accounted for in a manner satisfactory to the audit team? The typical answer to questions of this sort is to talk about the access and change control policies the company has put in place. However, this is not satisfactory without adequate mechanisms to verify that the process was followed. We come back to the core issue: there is a gap between change processes and actual changes in the infrastructure. It is this gap, which we call the Change Control Gap, that causes the manual effort in meeting compliance requirements. If organizations could bridge this gap, self-service compliance audits could become a reality.
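The reconciliation described above, as an added example that is not from the original paper: approved change tickets (a constructed record layout, not any real ticketing system's format) are matched against changes actually observed on systems, and every change with no covering ticket is listed as an exception for the audit team. Host names, paths, users and ticket numbers are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class ChangeRequest:
    """Approved ticket from the formal change process (constructed record layout)."""
    ticket: str
    host: str
    path_prefix: str   # ticket authorizes changes under this path on the host
    start: datetime    # approved change window
    end: datetime

@dataclass
class ObservedChange:
    """Modification actually observed on a system, e.g. by file-integrity monitoring."""
    host: str
    path: str
    user: str
    when: datetime

APPROVED = [  # constructed sample data, not taken from any real system
    ChangeRequest("CHG-1001", "db01", "/etc/postgresql/",
                  datetime(2024, 3, 4, 20, 0), datetime(2024, 3, 4, 23, 0)),
    ChangeRequest("CHG-1002", "app01", "/opt/app/",
                  datetime(2024, 3, 5, 1, 0), datetime(2024, 3, 5, 3, 0)),
]
OBSERVED = [
    ObservedChange("db01", "/etc/postgresql/postgresql.conf", "dba", datetime(2024, 3, 4, 21, 15)),  # covered
    ObservedChange("app01", "/opt/app/config.yml", "deploy", datetime(2024, 3, 5, 4, 30)),  # after window
    ObservedChange("db01", "/etc/sudoers", "root", datetime(2024, 3, 4, 21, 20)),  # path not in ticket
]

def reconcile(requests, observed):
    """Tie each observed change to the ticket that authorized it, if any: same host,
    a ticket path prefix containing the changed path, and a window containing the
    timestamp. Returns (authorized, unauthorized) lists of (change, ticket_or_None)."""
    authorized, unauthorized = [], []
    for chg in observed:
        ticket = next((r.ticket for r in requests
                       if r.host == chg.host
                       and chg.path.startswith(r.path_prefix)
                       and r.start <= chg.when <= r.end), None)
        (authorized if ticket else unauthorized).append((chg, ticket))
    return authorized, unauthorized

def exceptions_report(requests, observed):
    """One line per change with no approved ticket: the list the audit team asks for."""
    _, unauthorized = reconcile(requests, observed)
    return [f"{c.when:%Y-%m-%d %H:%M} {c.host}:{c.path} by {c.user}: no approved ticket"
            for c, _ in unauthorized]
```

Running `exceptions_report(APPROVED, OBSERVED)` on the sample data yields two exceptions: the deployment that landed after its window closed and the sudoers edit no ticket covered.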
Requirements for self-service compliance.
Meeting the IT requirements for compliance is an onerous task. The information required to verify IT controls is unavoidably very large, exists in many different forms and is scattered widely across a complex IT infrastructure. Reconciliation across these information sources is a largely manual, tedious, error-prone and expensive process. In general, it is very difficult for IT personnel to use such scattered information to construct documentation demonstrating the capability to detect policy violations. For example, leaders in SOX compliance practices include large financial services companies in which, every fiscal quarter, dozens of people suspend their usual job duties for several days in order to collect data and create documentation in the “quarterly compliance fire drill.”
In order to get to the automated control framework we discussed earlier, let us examine what the requirements for a self-service control framework would be. The key capability for a self-service control framework is automated and comprehensive documentation tied to the change process.