Ensuring SOX Compliance via Enhanced Change Management

By Solidcore
Published: Jan 10, 2008
Length: 2
Type: White Paper
Overview:
Assuring SOX compliance is an ongoing process, and surviving an audit can be a daunting task. But compliance can be verified in a single reporting system if you enhance your existing change management system. Read this white paper to see how Solidcore enhances change management solutions to help address the following questions asked by SOX auditors:

  • Are all the changes going through the change management process or emergency change process?
  • What percentage of changes are going through the emergency change process?
  • How do you monitor changes to make sure that the change process is followed?
  • How do you track privileged user activity on databases containing financial information?

S3 Control monitors all changes on databases, servers and network devices, which helps automate SOX compliance requirements. The solution captures the 5 W's (who, what, when, where and how) of each change and then matches those changes against the change tickets. With accurate reconciliation algorithms, Solidcore produces reports answering the above questions, so auditors can validate SOX compliance quickly and easily.


Sarbanes-Oxley and its Impact on IT

“Sarbanes-Oxley Act (SOX) Section 404” requires companies to publish information in their annual reports concerning the scope and adequacy of the internal control structure and procedures for financial reporting. One challenge with the SOX 404 mandate is that it offers no specifics as to what controls need to be established within an IT organization to comply with the legislation. Most auditors have adopted the Information Technology Infrastructure Library (ITIL), Six-Sigma or Control Objectives for Information and Related Technology (COBIT) as a compliance framework. Among all of these “best-practice” frameworks, COBIT seems to be the most popular choice among IT professionals.


COBIT and Change Management Challenges

The “Manage Changes” section of the “Acquire and Implement” chapter of the COBIT framework mandates:

“All changes, including emergency maintenance and patches, relating to infrastructure and applications within the production environment must be formally managed in a controlled manner. Changes (including those to procedures, processes, system and service parameters) must be logged, assessed and authorised prior to implementation and reviewed against planned outcomes following implementation. This assures mitigation of the risks of negatively impacting the stability or integrity of the production environment.”

Change Management Systems like those included in HP Service Manager (formerly Peregrine), BMC Remedy Service Management, and CA Unicenter Service Desk let you define the change management process. They also let you run workflows so that the process can be tracked. But none of these systems answer the following question: Are all the changes going through the change management process?

This question is critical when it comes to SOX legislation. If the internal controls of financial systems are not followed, then how can companies sign off on the accuracy of the financial data? Merely having a process is not sufficient: for every control, COBIT requires an audit process for that control. Currently, that audit process is completely manual: administrators collect all the change tickets or "Requests for Change" from the change management system and then attempt to map the data found in various logs to those tickets.


Questions Auditors Ask about SOX Compliance

Auditors using the COBIT framework are asking these questions to assess compliance:

- Are all the changes going through the change management process?

- Do you have a well-defined emergency change process?

- What is the ratio of planned changes compared to emergency changes?

- How do you measure the effectiveness of the defined change process?

In summary, what they are seeking is validation that the change management process is effectively being used within the organization.


S3 Control Validates and Enforces the Change Process

Solidcore S3 Control™ tracks all changes throughout the infrastructure, including those to the operating system, databases (schema and critical data tables), applications, network devices and directory servers. This is done in real time, capturing detailed information about each change. This detail includes:

- Who (user),

- What (the object and content changed),

- When (the exact time of the change),

- Where (the server, database or other configuration item), and

- How (the method or agent used to make the change).

This provides a single, cost-effective means for auditing all the changes that may affect financial reporting. This very detailed change information is then used to reconcile the changes with the tickets in the change management system. Each change is either mapped to a ticket or marked as unauthorized. The unauthorized changes can be flagged and retroactively documented in the change management system as emergency changes, or marked as changes that were unauthorized and need to be investigated (and perhaps rolled back).

The net result is continuous and comprehensive validation of the change management process with on-demand reporting for auditors. Let’s look at a common example of this capability in action.

Consider a specific change management control derived from the COBIT framework required for SOX compliance:

“For emergency changes, approval for production migration must be obtained within 72 business hours of implementing the change in Production.”

S3 Control tracks changes in real time and reconciles changes with change tickets without user intervention. When a matching ticket is not found for an emergency change, a new change ticket is created and assigned to the change management board for approval.
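To make the reconciliation and the 72-business-hour control concrete, here is a small added example in Python. It is not Solidcore's code and does not reproduce S3 Control's algorithm; it is an illustration of the process the paper describes. Each monitored change carries the who/what/when/where/how fields and is matched to a ticket by configuration item and implementation window; an unmatched change is flagged as unauthorized and gets an auto-created emergency ticket assigned to the change board; an emergency change is checked for approval within 72 business hours of implementation; and a summary gives the planned/emergency/unauthorized counts an auditor asks for. The ticket fields, status names, the matching rule and all sample events and tickets are constructed assumptions, and "business hours" is taken to mean weekday hours with no holiday calendar.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed illustration, not Solidcore code: reconcile monitored changes
# against change tickets and evaluate the emergency-approval control.

EMERGENCY_APPROVAL_LIMIT_HOURS = 72  # the control quoted in the paper


@dataclass(frozen=True)
class ChangeEvent:
    """One monitored change: the who/what/when/where/how captured at the source."""
    who: str
    what: str
    when: datetime
    where: str   # configuration item (server, database, device)
    how: str     # method or agent used to make the change


@dataclass
class ChangeTicket:
    """A request for change. Fields are assumptions about a generic ticketing system."""
    ticket_id: str
    target: str                    # configuration item the ticket covers
    window_start: datetime         # approved implementation window
    window_end: datetime
    emergency: bool = False
    approved_at: Optional[datetime] = None   # change-board approval time, if any
    assigned_to: str = "change-manager"


def business_hours_between(start: datetime, end: datetime) -> float:
    """Hours between start and end that fall on weekdays (Mon-Fri).
    Assumption: no holiday calendar; weekend hours do not count at all."""
    total = 0.0
    cursor = start
    while cursor < end:
        day_end = datetime.combine(cursor.date(), datetime.min.time()) + timedelta(days=1)
        segment_end = min(day_end, end)
        if cursor.weekday() < 5:
            total += (segment_end - cursor).total_seconds() / 3600
        cursor = segment_end
    return total


def find_ticket(event: ChangeEvent, tickets: List[ChangeTicket]) -> Optional[ChangeTicket]:
    """Matching rule (assumed): same configuration item, change time inside the ticket window."""
    for t in tickets:
        if t.target == event.where and t.window_start <= event.when <= t.window_end:
            return t
    return None


def reconcile(events: List[ChangeEvent],
              tickets: List[ChangeTicket]) -> Tuple[List[Dict], List[ChangeTicket]]:
    """Map every change to a ticket or mark it unauthorized.
    Returns (results, auto-created tickets for the change advisory board)."""
    results: List[Dict] = []
    created: List[ChangeTicket] = []
    for ev in events:
        t = find_ticket(ev, tickets)
        if t is None:
            # No ticket: flag as unauthorized and open an emergency ticket for the board
            new = ChangeTicket(f"AUTO-{len(created) + 1:04d}", ev.where, ev.when, ev.when,
                               emergency=True, assigned_to="change-advisory-board")
            created.append(new)
            results.append({"event": ev, "ticket": new.ticket_id, "status": "unauthorized"})
        elif not t.emergency:
            results.append({"event": ev, "ticket": t.ticket_id, "status": "planned"})
        elif t.approved_at is None:
            results.append({"event": ev, "ticket": t.ticket_id, "status": "emergency-awaiting-approval"})
        elif business_hours_between(ev.when, t.approved_at) <= EMERGENCY_APPROVAL_LIMIT_HOURS:
            results.append({"event": ev, "ticket": t.ticket_id, "status": "emergency-approved"})
        else:
            results.append({"event": ev, "ticket": t.ticket_id, "status": "emergency-approval-overdue"})
    return results, created


def audit_summary(results: List[Dict]) -> Dict[str, float]:
    """Counts an auditor asks for, plus the emergency share of ticketed changes."""
    planned = sum(1 for r in results if r["status"] == "planned")
    emergency = sum(1 for r in results if r["status"].startswith("emergency"))
    overdue = sum(1 for r in results if r["status"] == "emergency-approval-overdue")
    unauthorized = sum(1 for r in results if r["status"] == "unauthorized")
    ticketed = planned + emergency
    return {"total": len(results), "planned": planned, "emergency": emergency,
            "overdue_emergency": overdue, "unauthorized": unauthorized,
            "emergency_share": emergency / ticketed if ticketed else 0.0}


# Constructed sample data (January 2008: the 7th is a Monday, the 11th a Friday).
SAMPLE_TICKETS = [
    ChangeTicket("T-1001", "db-fin-01", datetime(2008, 1, 7, 9), datetime(2008, 1, 7, 11)),
    ChangeTicket("T-1002", "app-gl-02", datetime(2008, 1, 11, 20), datetime(2008, 1, 11, 23, 59),
                 emergency=True, approved_at=datetime(2008, 1, 15, 10)),   # 37 business hours later
    ChangeTicket("T-1003", "dc-01", datetime(2008, 1, 7, 7), datetime(2008, 1, 7, 9),
                 emergency=True, approved_at=datetime(2008, 1, 11, 9)),    # 97 business hours later
]
SAMPLE_EVENTS = [
    ChangeEvent("dba_alice", "ALTER TABLE gl_journal", datetime(2008, 1, 7, 10), "db-fin-01", "sqlplus"),
    ChangeEvent("ops_bob", "deploy gl-app 4.2.1", datetime(2008, 1, 11, 21), "app-gl-02", "deploy-agent"),
    ChangeEvent("admin_carol", "GPO link modified", datetime(2008, 1, 7, 8), "dc-01", "gpmc"),
    ChangeEvent("dba_admin", "UPDATE gl_balances", datetime(2008, 1, 9, 2), "db-fin-01", "sqlplus"),
]

if __name__ == "__main__":
    rows, new_tickets = reconcile(SAMPLE_EVENTS, SAMPLE_TICKETS)
    for r in rows:
        print(f"{r['event'].when:%Y-%m-%d %H:%M} {r['event'].where:10} {r['ticket']:10} {r['status']}")
    print(audit_summary(rows))
```

Run as a script it prints one line per change and the summary; the fourth sample change (an off-hours update to the financial database with no ticket) comes out as unauthorized with ticket AUTO-0001 opened for the change advisory board, and the domain-controller change shows as emergency-approval-overdue because its approval arrived 97 business hours after implementation.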
