Among the most significant laws affecting public corporations in years is the Sarbanes-Oxley Act of 2002 (referred to as SOX throughout this paper), which was passed by Congress and signed into law by President George W. Bush on July 30, 2002. SOX was created in the wake of the major corporate accounting scandals of 2001 and 2002, notably Enron and Tyco, in an effort to restore investor confidence and to improve corporate governance and financial transparency.
There are many elements to SOX, including sections intended to enhance and tighten financial disclosures, improve "whistle-blower" processes, and the well-known requirement that the corporation's financial statements be certified by the CEO and CFO. Very importantly, SOX also creates new criminal penalties for misrepresentations and expands existing ones. "I didn't know" will no longer provide any legal protection for management.
The primary focus of this white paper is on the impact of SOX requirements on an organization's IT systems, practices and controls. Specific IT areas that have relevance to SOX compliance activities include data center operations, system software maintenance, application development and maintenance, business continuity and application software integrity. One further critical area of IT control where the relevance of SOX is particularly high is in the control over application access through the use of identity and access management (IAM) processes and technologies. Given this broad area of potential impact on IT, it is clear that IT organizations often will have an important role to play in meeting the requirements of SOX.
IAM solutions, such as those available from CA, help to secure and administer access to enterprise information assets and business applications, including financial systems. In support of business processes, IAM systems manage the digital identities of users who access those assets so that access decisions can be made using the best available information about the user. Essentially, IAM systems bring together people, processes and technologies, enabling organizations to manage the lifecycle of relationships with internal and external users, from identity creation to access termination.
With regard to IT controls and the IAM processes needed for SOX compliance, there is limited specificity within the SOX legislation or the final rules adopted by the Securities and Exchange Commission (SEC) on June 5, 2003. Therefore, much of SOX compliance regarding IT controls has been left to interpretation by each company's management. This paper provides a review of the IT control environment that compliance with SOX will require; the primary focus is on IAM for large companies.
This paper also describes how specific functionality in the IAM solution from CA can be used by organizations to meet some of the requirements of SOX, and to do so in a cost-effective and reusable manner.
While the widespread use of IAM solutions for SOX-related compliance projects remains in its early stages, two points are clear:
Unlike regulations with specific IT control requirements, such as HIPAA, SOX itself does not specify IT controls, so organizations will typically need a separate IT control framework to define what constitutes sufficient IT controls. Two such control frameworks are described in this paper; and
SOX will require close collaboration between two groups: the security and IT enterprise architects whose focus is the general use of IAM across an enterprise, and the finance, audit and regulatory compliance professionals and external accounting auditors who must define, plan, execute and test for SOX compliance. A key point of this paper is that there are important areas of overlap between these groups and that they should work closely together.
Sarbanes-Oxley: Section 404
There are many elements to the SOX legislation, but Section 404, Management Assessment of Internal Controls, is the part that addresses internal control over financial reporting, and it is where the IT controls related to IAM need to be considered most carefully. Section 404 is creating a challenge for management and is the area to which budget for addressing control issues is typically being directed.
Compliance with Section 404 is also a challenge for the organization's external auditors, who for the first time must sign off on management's assertions regarding the sufficiency of internal controls over financial reporting. This means that IAM-related IT controls are one area where the external auditors will focus close attention during their audit activities.