Easing Sarbanes-Oxley Compliance by Giving Business Users Control of Their Data

By : Winshuttle
Published : Sep 09, 2005
Length : 3
Type : White Paper
Overview :

Two important principles guiding Sarbanes-Oxley compliance in IT are separation of duties and least privilege. In the SAP environment, both principles are easier to put in place by giving business users control of their own data, allowing them to carry out mass data creation, mass data updates, and repetitive reporting tasks themselves instead of routing those tasks through broadly privileged IT staff.

This white paper describes some easy-to-use data management tools that many companies are using to let business users do complex data updates and reporting tasks effortlessly. This technology is not only easing their Sarbanes-Oxley compliance, but is also saving these companies large amounts of time and money.

The Sarbanes-Oxley Act (SOX) of 2002 is one of the top priorities at US-based public companies today. In companies that have implemented SAP, one of the most common open SOX audit issues is that users in the IT department have very broad access to production data in SAP. Consequently, companies are finding that they have to take many data access privileges away from IT users. This has severely limited the ability of IT support staff to assist in routine data maintenance activities. There is therefore a pressing need at many companies for business users to be responsible for their own production data maintenance activities. This paper describes how companies can give business users control of their own data, and not only ease their compliance with the Sarbanes-Oxley Act, but also improve corporate productivity.

In response to allegations of dubious financial accounting practices culminating in major corporate scandals, the Public Company Reform and Investor Protection Act of 2002, also known as the Sarbanes-Oxley Act (SOX), was implemented to establish good corporate governance and restore confidence in public companies.

Section 404 of SOX requires top management to establish an adequate internal control structure and to include an assessment of the effectiveness of that control structure in the company's annual report. Additionally, an external auditor must verify management's assertions.

Technical safeguards play an important role in complying with SOX Section 404 because of the extensive role of IT infrastructure and applications in today's financial reporting and accounting processes. Enforcing Segregation of Duties (SoD), strong user authentication, fine-tuning of authorization rights, and access controls are among the technical controls needed to ensure the validity of the accounting information and to prevent fraudulent access to financial data.

One key aspect of a Sarbanes-Oxley audit is checking that rights and duties are separately assigned to different individuals so that no individual has the power to divert business or transactions in a fraudulent manner.

It is the Sarbanes-Oxley IT auditor's job to check that individual permissions and roles are organized in such a way that they do not make the company vulnerable to fraud. For example, no single individual should be able to access all systems involved in financial transactions, because control over the full path through those systems would make it easier for that person to commit and conceal fraud. One often-cited example is that a person who is authorized to create vendor payments should not also be able to create new vendor accounts, since that combination lets one person invent a vendor and pay it.

The principle of separation of duties and rights is often implemented using the concept of "roles" within an IT system. SAP already provides an extensive framework for maintaining role-based security and segregation of duties.

A key principle in setting up role-based security, however, is least privilege, and it should be applied when assigning permissions within the ERP system: any individual should be given only the permissions he or she needs in order to carry out his or her job. Note that separation of duties is checked against a user's combined permissions, so two roles that are each acceptable on their own can still create a conflict when both are assigned to the same person.
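The two checks described above, a segregation-of-duties review of each user's combined permissions and a least-privilege review that flags blanket "super user" access, can be expressed as a small audit over role assignments. The following is an added illustrative example, not code from Winshuttle and not SAP's own authorization model; the role names, the conflict matrix and the user list are constructed for this example, and the "*" wildcard is a stand-in for the kind of broad production access the paper says auditors ask to have removed.

```python
"""Segregation-of-duties (SoD) and least-privilege audit over role assignments.

Added example. Role names, conflict pairs and users below are constructed;
they are not real SAP roles or authorization objects.
"""

# Constructed conflict matrix: pairs of capabilities that one person must
# never hold together. Each pair is a classic one-person fraud path.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "post_vendor_payment"}),
    frozenset({"create_vendor", "approve_vendor_invoice"}),
    frozenset({"post_journal_entry", "approve_journal_entry"}),
}

# Constructed role definitions: role -> capabilities it grants.
# "*" stands for blanket access to every capability (the "super user"
# style of IT support access the audit finding is about).
ROLES = {
    "AP_CLERK": {"post_vendor_payment"},
    "VENDOR_MASTER": {"create_vendor", "change_vendor"},
    "GL_ACCOUNTANT": {"post_journal_entry"},
    "GL_SUPERVISOR": {"approve_journal_entry"},
    "IT_SUPPORT_ALL": {"*"},
}

# Constructed user -> assigned roles. Note that "bob" holds two roles that
# are each clean in isolation but conflict when combined.
USERS = {
    "alice": ["AP_CLERK"],
    "bob": ["AP_CLERK", "VENDOR_MASTER"],
    "carol": ["GL_ACCOUNTANT", "GL_SUPERVISOR"],
    "dave": ["IT_SUPPORT_ALL"],
}


def effective_capabilities(user_roles, roles=ROLES):
    """Union of everything the user's roles grant; SoD is judged on this, not per role."""
    caps = set()
    for role in user_roles:
        caps |= roles[role]
    return caps


def sod_violations(user_roles, roles=ROLES, conflicts=SOD_CONFLICTS):
    """Return the conflict pairs this user's combined capabilities satisfy.

    A wildcard grant covers every capability, so it trips every pair.
    Each hit is returned as a sorted tuple so results are deterministic.
    """
    caps = effective_capabilities(user_roles, roles)
    hits = []
    for pair in conflicts:
        if "*" in caps or pair <= caps:
            hits.append(tuple(sorted(pair)))
    return sorted(hits)


def granting_roles(user_roles, capability, roles=ROLES):
    """Which of the user's roles supply a capability (for remediation: which role to pull)."""
    return sorted(r for r in user_roles if capability in roles[r] or "*" in roles[r])


def audit(users=USERS, roles=ROLES, conflicts=SOD_CONFLICTS):
    """Per-user findings: SoD conflicts (with the roles behind each side) and broad access."""
    report = {}
    for user, assigned in users.items():
        findings = []
        for left, right in sod_violations(assigned, roles, conflicts):
            findings.append({
                "conflict": (left, right),
                "via": {left: granting_roles(assigned, left, roles),
                        right: granting_roles(assigned, right, roles)},
            })
        report[user] = {
            "sod": findings,
            # Least-privilege finding: any role that grants everything.
            "broad_access": "*" in effective_capabilities(assigned, roles),
        }
    return report


if __name__ == "__main__":
    for user, result in audit().items():
        flag = "BROAD ACCESS" if result["broad_access"] else ""
        print(user, flag)
        for f in result["sod"]:
            print("  SoD conflict", f["conflict"], "via", f["via"])
```

Running the example flags bob (vendor creation plus vendor payment, through two individually harmless roles), carol (posting plus approving journal entries) and dave (the wildcard role trips every pair and is also a least-privilege finding on its own); alice is clean. The "via" mapping is what an auditor actually needs, since the fix is to remove one of the contributing roles rather than to rewrite the conflict matrix.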

Violation of the least privilege principle is one of the most prevalent open SOX audit issues across many corporations. Typically, IT support staff have very broad access to the SAP production system, in part to enable them to handle business users' data maintenance and data upload and download tasks. Auditors have been requesting that such super-user access be removed to reduce the risk of fraud.

Many companies are responding to the audit findings by taking many data access privileges away from IT users. Such restrictions are severely limiting the ability of IT support staff to assist in routine data maintenance, data upload, and reporting activities.

Thus, there is a pressing need at many companies to give business users more control of their data and to make them responsible for their own production data maintenance activities.

Every time a mass change is to be made to SAP production data, or new data needs to be uploaded to a production SAP system, the business users should be able to upload the data themselves without requiring support from IT staff.