Sustainable Sarbanes-Oxley Compliance A Solidcore White Paper


8/3/2019 Solidcore SOX White Paper

http://slidepdf.com/reader/full/solidcore-sox-white-paper 1/10


Page 2: Solidcore SOX White Paper

8/3/2019 Solidcore SOX White Paper

http://slidepdf.com/reader/full/solidcore-sox-white-paper 2/10

The Sarbanes-Oxley Act (SOX), passed by the US Congress in 2002, represents a fundamental shift in corporate governance norms. As corporations come to terms with the implications of SOX to their businesses, one thing is clear: a SOX compliance program is not a one-time project but a sustained effort to gain visibility and accountability into business processes that affect the accuracy of financial reporting. This white paper outlines the issues faced by IT managers in meeting their compliance requirements and explains how Solidcore can be a core component of a sustainable and cost-effective SOX compliance program.


Complying with Sarbanes-Oxley.

The Sarbanes-Oxley Act (SOX), passed by the US Congress in 2002, represents the most fundamental shift in corporate governance norms for many decades. In particular, section 404 is often talked about as being the core provision of SOX as it deals with executive management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the company. It requires management to certify the adequacy and effectiveness of its internal controls and to disclose any material weaknesses found.

The key to a successful compliance program is to recognize the fact that Sarbanes-Oxley (SOX) does not simply require that adequate controls be established – it requires the annual review of the effectiveness of those controls. In other words, achieving compliance is not a one-time event; rather it must be part of an ongoing process that needs to be sustained over time. Corporations that view the compliance provisions of Section 404 as a burdensome legislative mandate may not be making the necessary investments for a sustained compliance program. On the other hand, corporations that view compliance as a means to establish and maintain good process through a well defined set of internal controls and the automation of those controls are the ones that will be more likely to have a successful long-term compliance program.

The standard that most auditors use to determine adequacy of internal controls is the standard of due care. A company exercises due care if it follows current best practices for establishing accountability and measurability over its internal controls. If there is an incident in which an internal control is circumvented in spite of measures that meet the test of “due care”, then the company is not liable for regulatory penalties (fines and other sanctions). However, the precise definition of “due care” is amorphous and changes over time. It simply refers to a practice followed by enough other companies that it meets a standard of feasibility (most people should be able to do it) and reasonableness (the benefit should justify the cost for most people).


Note that SOX is the most visible of a number of regulatory standards that have emerged in recent years. While we focus on SOX in this white paper, information about other standards is available in Appendix B.

IT Controls are central to SOX Compliance

In today’s corporate environments, control over IT systems is critical to a sustainable compliance program. The US Public Company Accounting Oversight Board (PCAOB), which provides guidelines for auditors, issued a statement (Auditing Statement No. 2) that made this very clear:

“The nature and characteristics of a company’s use of information technology in its information system affect the company’s internal control over financial reporting.”

In the same document, the PCAOB goes on to stress the centrality of IT controls in an audit of SOX compliance:

“To identify relevant assertions, the auditor should determine the source of likely potential misstatements in each significant account. In determining whether a particular assertion is relevant to a significant account balance or disclosure, the auditor should evaluate the nature and complexity of the systems, including the use of information technology by which the company processes and controls information supporting the assertion.”

The remainder of this white paper will focus on building and maintaining effective IT controls to meet Sarbanes-Oxley requirements.

The conventional approach to establishing and maintaining IT controls is to exhaustively document IT processes and policies and increase the frequency of review. This approach, while it may meet the “due care” standard today, is costly, inefficient and error-prone. A sustainable compliance program will need to automate the verification and enforcement of IT controls in a manner that causes low operational overhead and decreases the documentation burden on systems administrators and audit personnel.

That leads to the primary issue faced by IT departments in meeting their compliance requirements today: it is very difficult to control IT systems. Most companies have some form of change approval process, whether formally captured in a workflow system, or informally captured via email exchanges. However, many people have the ability to add to or modify the software that runs on a system, change configurations, directly access data, and generally perform actions on the system in ways that change its state. Regardless of whether the intentions behind the actions are benign or malicious, they have an impact on how confident you can be about who did what on your systems. Consider a situation in which an annual audit is coming up. People on the staff of the CIO know that because of SOX, they will need to convince the auditors with good answers to questions about who modified data when and for what purpose. How can they reconcile every change on a system with its purpose and authorization? How can they demonstrate that their change process was followed, and that every exception to the process is accounted for in a manner satisfactory to the audit team?

The typical answer to questions of this sort is to talk about access and change control policies the company has put in place. However, this is not satisfactory without adequate mechanisms to verify that the process was followed. For example, it is not enough to say “I know that only person X had access to the data, because that’s our company policy.” Can you verify that only approved changes were deployed on a given server? Can you reconcile the approved changes with the actually implemented changes? Can these questions be answered in an automated manner so that audit requirements can be fulfilled without a lot of manual effort?

This is where IT should provide leadership: to enable companies to enforce policies and report on policy breaches.


Requirements for sustainable compliance.

The key requirement for sustainable compliance is control over change. Demonstrating to auditors that adequate IT controls are in place requires gaining visibility into the change process, establishing accountability for changes, and selectively enforcing limits on how systems may be changed. In other words, a company’s IT controls should, at a minimum, address the following requirements:

Visibility

Provide extensive logging capabilities that track all relevant program and data changes, as well as categorize and report on them in a useful and actionable manner.

Accountability

Reconcile every change with its authorization and purpose to verify that policies have been followed. Report on exceptions to the change process.

Selective Enforcement

Provide a mechanism to enforce these policies selectively where appropriate to prevent breaches from occurring.

Meeting the IT requirements for compliance is an onerous task. The information required to verify IT controls is unavoidably very large, exists in many different forms and is scattered widely across a complex IT infrastructure. Reconciliation across these information sources is a largely manual, tedious, error-prone and expensive process. In general, it is very difficult for the IT personnel to use such scattered information to construct documentation demonstrating the capability to detect policy violations. For example, leaders in SOX compliance practices include large financial services companies in which every fiscal quarter, dozens of people suspend their usual job duties for several days in order to collect data and create documentation in the “quarterly compliance fire drill.”


Sustainable compliance with Solidcore

Solidcore’s solutions offer enterprises a simple and efficient way to meet their IT compliance requirements in a sustainable manner. Solidcore provides visibility, accountability and selective enforcement of existing processes. These capabilities enable enterprises to automate and enforce internal IT controls and thereby build a sustainable compliance program. The remainder of this section focuses on each of these capabilities.

Visibility

Solidcore provides real time detection of change across the enterprise. Solidcore enables you to discover who makes what changes when, as it happens. A fully featured reporting engine as well as a web-based search tool provide the ability to sift through large volumes of data quickly and focus only on the useful and actionable information. Change archives are stored in a tamper-proof independent system of record. These capabilities allow enterprises to validate adherence to IT controls on an ongoing basis with minimal overhead. For example, any change information requested by an audit team may be quickly satisfied using the reporting capabilities of the system.

Accountability

Solidcore provides automated reconciliation with existing change approval systems to correlate each deployed change with its authorization and purpose. In cases where documentation for a change does not exist (for example, in the case of an emergency or ad-hoc change), Solidcore can automatically create the required documentation and link it with the deployed change. Together, these capabilities enable enterprises to close the documentation loop and demonstrate accountability for audits. For example, any IT control that requires verification that the change process was followed can be quickly satisfied with the reconciliation reports provided by Solidcore.


Selective Enforcement

Solidcore provides the means to selectively enforce change control windows and other custom change policies. Changes can be restricted to only occur within a specified time interval, or only to particular servers or files. Further restrictions on who (a person or a program) can make a change can also be enabled and enforced. The selective enforcement capability further automates the IT controls required by SOX. For example, if an IT control states that no changes are allowed on servers housing financial data during an audit period, this capability allows the enforcement of that control in an automated manner.
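The three capabilities just described (visibility, accountability and selective enforcement) amount to one reconciliation check: every observed change either maps to an approval that covers its host, path, actor and time window, or it is an exception to report. The following is an added illustration written for this page, not Solidcore's product code; the audit log format, the change-ticket fields and the freeze-window table are all constructed here, as is the sample data.

```python
"""Reconcile observed change events against approved change records.

Constructed example (not Solidcore's code). Each audit event is a file
change observed on a server; each approval is a change ticket that allows
a named actor to change matching paths on matching hosts inside a window;
a freeze table names hosts that may not change during an audit period.
Every event is classified as authorized or as an exception with a reason.
"""
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatch


@dataclass(frozen=True)
class Approval:
    ticket: str        # change ticket id (constructed values below)
    host: str          # host name or glob, e.g. "web-*"
    path_glob: str     # file path glob the ticket covers
    actor: str         # user or program allowed to make the change
    window_start: datetime
    window_end: datetime


@dataclass(frozen=True)
class ChangeEvent:
    when: datetime
    host: str
    path: str
    actor: str
    action: str


# Constructed sample approvals and a constructed audit-period freeze.
APPROVALS = [
    Approval("CHG-1001", "fin-db-01", "/etc/app/*.conf", "jdoe",
             datetime(2005, 3, 10, 22, 0), datetime(2005, 3, 11, 2, 0)),
    Approval("CHG-1002", "web-*", "/var/www/app/*", "deploybot",
             datetime(2005, 3, 12, 1, 0), datetime(2005, 3, 12, 3, 0)),
]
FREEZE = {"fin-db-01": (datetime(2005, 3, 15), datetime(2005, 4, 1))}

# Constructed audit log: timestamp host actor action path
AUDIT_LOG = """\
2005-03-10T23:15:00 fin-db-01 jdoe MODIFY /etc/app/ledger.conf
2005-03-11T04:30:00 fin-db-01 jdoe MODIFY /etc/app/ledger.conf
2005-03-12T01:45:00 web-02 deploybot CREATE /var/www/app/index.jsp
2005-03-12T01:50:00 web-02 asmith MODIFY /var/www/app/index.jsp
2005-03-16T10:00:00 fin-db-01 root MODIFY /etc/app/ledger.conf
"""


def parse_log(text):
    """Visibility: turn raw audit lines into structured change events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, host, actor, action, path = line.split(maxsplit=4)
        events.append(ChangeEvent(datetime.fromisoformat(when), host, path, actor, action))
    return events


def classify(event, approvals, freeze):
    """Return (ticket or None, reason); reason is "authorized" when covered."""
    # Selective enforcement: a frozen host is an exception regardless of ticket.
    if event.host in freeze:
        start, end = freeze[event.host]
        if start <= event.when < end:
            return None, "change during freeze window"
    # Accountability: find a ticket covering host, path, actor and time.
    candidates = [a for a in approvals
                  if fnmatch(event.host, a.host) and fnmatch(event.path, a.path_glob)]
    if not candidates:
        return None, "no change ticket for host/path"
    for a in candidates:
        if a.actor == event.actor and a.window_start <= event.when <= a.window_end:
            return a.ticket, "authorized"
    if any(a.actor == event.actor for a in candidates):
        return None, "outside approved change window"
    return None, "actor not named on ticket"


def reconcile(events, approvals, freeze):
    return [(e, *classify(e, approvals, freeze)) for e in events]


def exceptions(events, approvals, freeze):
    """The exception report: changes that need after-the-fact documentation."""
    return [(e, reason) for e, ticket, reason in reconcile(events, approvals, freeze)
            if ticket is None]


if __name__ == "__main__":
    for e, ticket, reason in reconcile(parse_log(AUDIT_LOG), APPROVALS, FREEZE):
        print(f"{e.when.isoformat()} {e.host} {e.actor} {e.action} {e.path}: "
              f"{ticket or '-'} {reason}")
```

The exception list is the input for the documentation step described under Accountability: each unmatched change either gets an emergency ticket attached or is escalated as a process breach.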

Mapping SOX requirements to Solidcore capabilities

To map these capabilities to specific internal controls required by SOX we will use a widely used controls framework, one provided by COSO, a voluntary private sector organization dedicated to improving the quality of financial reporting. The SEC recommends that this framework be followed and in practice this is the controls framework that is used by most audit organizations. COSO identifies five essential areas of control, and every IT manager will need to demonstrate how their IT controls support the COSO framework. Note that at a finer level of granularity there is another framework, the COBIT framework, which identifies thirty-four specific IT controls that must be satisfied for SOX compliance. These detailed requirements and their mapping to COSO as well as to Solidcore capabilities, are included in Appendix A.

COSO identifies 5 areas of effective internal controls (see the table below). Solidcore provides the technical means to meet the internal controls guidelines laid out by COSO. Solidcore’s capabilities can form a core component of a cost-effective and sustainable SOX compliance program.


Summary

The Sarbanes-Oxley Act (SOX), passed by the US Congress in 2002, represents a fundamental shift in corporate governance norms. Achieving compliance is not a one-time project but must be part of an ongoing process that needs to be sustained over time. In today’s corporate environments, control over IT systems is critical to any compliance program. A sustainable compliance program will need to automate the verification and enforcement of IT controls in a manner that causes low operational overhead and decreases the documentation burden on systems administrators and audit personnel.

Solidcore’s solutions offer enterprises a simple and efficient way to meet their IT compliance requirements in a sustainable manner. Solidcore provides visibility, accountability and selective enforcement of existing processes. These capabilities enable enterprises to automate and enforce internal IT controls and thereby build a sustainable compliance program.

COSO Requirement / Solidcore Capability

Control Environment

COSO requirement: This is the foundation of effective internal control and deals mostly with organizational culture - the "tone at the top." The control environment includes issues such as aligning business and IT objectives and defining roles and responsibilities with respect to IT controls.

Solidcore capability: Solidcore provides real-time visibility and accountability of changes occurring in the IT infrastructure. The capabilities of Solidcore's reports and search components provide the means to bring about the culture of openness and accountability that is advocated by COSO.

Risk Assessment

COSO requirement: This portion of internal control deals with identifying the risks associated with a given control objective. The risks need to be measurable and the control activities need to be designed to provide visibility into how the risks are being addressed. This includes risk assessments built throughout the systems development process as well as the infrastructure operations and change process.

Solidcore capability: Solidcore provides risk mitigation capabilities that are transparent and measurable, to address this COSO requirement. In particular, Solidcore provides real time notification of changes so that any breach of process can be tracked as soon as it happens. Solidcore also includes a tamper-proof Independent System of Record to mitigate the risk of unauthorized access to the audit trail.

Control Activities

COSO requirement: Control activities are the policies, procedures and practices that are carried out to ensure that business objectives are reached and risks are mitigated. These controls include: data controls (backup, recovery process); system software controls (controls over acquisition, implementation and maintenance of software systems); access controls (rights management); development controls (controls over systems development methodology).

Solidcore capability: Solidcore provides the capabilities to selectively enforce how changes are applied on production systems. Enforcement is flexible and can be tailored for specific requirements such as restricting changes to a small set of administrators, or preventing changes during a fiscally sensitive time-window. As with all Solidcore capabilities, all change activity is tracked so that each control activity can be verified.

Information and Communication

COSO requirement: In order to manage risk and ensure process integrity, COSO requires that a clear communication plan be established. It is important to identify what information is needed and to ensure that the information is communicated to the relevant people in a timely manner. Of particular importance is to ensure the quality of the information: it must be appropriate, timely, current, accurate and accessible.

Solidcore capability: Solidcore provides a closed-loop documentation capability that (a) reconciles documented changes with actually deployed changes, and (b) creates documentation for changes that did not go through the approval process (e.g. an emergency change). All changes are tracked in real-time and can be integrated with an alerting system to provide timely, current, accurate and accessible information on changes to production systems.

Monitoring

COSO requirement: Monitoring refers to the oversight of internal controls by management through continuous and point-in-time assessment processes. Continuous monitoring requires that process failures and remediation be detected and corrected on an ongoing basis. Point-in-time monitoring refers to internal audits, external audits and other scheduled regulatory examinations.

Solidcore capability: Solidcore provides real-time alerts to meet the continuous monitoring requirement - any change made outside of process can trigger an alert as soon as it happens. In addition, Solidcore comes with a fully-featured reporting module that can be customized to meet the requirements of all scheduled regulatory examinations.


Appendix A: COBIT Framework

While COSO identifies five components of internal control that need to be in place and integrated to achieve financial reporting and disclosure objectives, COBIT provides a more detailed view of these controls as it relates to IT. Each of the 34 items in the COBIT framework maps to one or more of the five COSO components as detailed in the table below. Solidcore capabilities are outlined where applicable – Solidcore can help with 21 of the 34 COBIT guidelines. The remaining guidelines deal mostly with issues of corporate strategy.

COBIT Requirement: Solidcore Capability

[The COSO Requirement column of the original table (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring) was printed as rotated labels and the per-row mapping is not legible in this copy.]

Plan and Organize (IT Environment)

IT strategic planning: Gain visibility into change process and create action plan for process improvement.

Information architecture

Determine technological direction

IT organization and relationships

Manage the IT investment: Leverage existing IT investments with Solidcore, and connect disparate silos of change information.

Communication of management aims and direction

Management of human resources

Compliance with external requirements: Monitor policy breaches, produce audit trails and reports to verify compliance.

Assessment of risks: Real-time alerts to gain up-to-the-second visibility into changes occurring on production systems.

Manage projects

Management of quality: Maintain systems in a verified state for reduced unplanned downtime.

Acquire and Implement (Program Development and Program Change)

Identify automated solutions

Acquire or develop application software

Acquire technology infrastructure

Develop and maintain policies and procedures: Reconcile deployed changes with actual changes thereby providing verification that policies were followed. Maintain policies by enabling selective enforcement mechanisms.

Install and test application software and technology infrastructure: Quicken test cycles by maintaining staging servers and production servers in a consistent state.

Manage changes: Complete trail of all changes across the enterprise, categorized and reconciled with authorization and purpose.

Deliver and Support (Computer Operations and Access to Programs and Data)

Define and manage service levels: Lower unplanned downtime by maintaining systems in a known and validated state. Meet or exceed SLAs through improved visibility.

Manage third-party services: Reconcile third party changes with work orders to ensure consistency and completeness of service.

Manage performance and capacity: Maintain throughput and computing capacity with a solution that incurs a low CPU and network overhead.

Ensure continuous service: Ensure that production and disaster recovery or backup systems are kept in a consistent state and alert on any deviation.

Ensure systems security: Selectively enforce process and ensure that no changes made outside of approved process may be implemented.

Identify and allocate costs

Educate and train users

Assist and advise customers

Manage the configuration: View reports on deviations from a "gold" image and get alerts for changes to configuration.

Manage problems and incidents: Utilize Web-based ad-hoc search tool for forensics and quick remediation.

Manage data: Protect critical data by preventing unauthorized change to it; report on all changes to a given set of data.

Manage facilities

Manage operations: Enforce process for a proactive change control stance.

Monitor and Evaluate (IT Environment)

Monitoring: Get real-time alerts on any change in the environment.

Adequacy of internal controls: Demonstrate adherence to published processes and controls through validation reports.

Independent assurance: Record changes in a tamper-proof, comprehensive Independent System of Record.

Internal audit: Automate reconciliation and verification of approved changes with deployed changes.


Appendix B: Other regulatory standards

Although we focus on the provisions of the Sarbanes-Oxley Act in this white paper, there are other regulatory measures that seek to impose better governance and oversight as well. The table below summarizes a few of these compliance regimes.

HIPAA (Health Insurance Portability and Accountability Act, 1996)

HIPAA established privacy requirements and security standards for protecting the confidentiality and integrity of individually identifiable health information. It governs healthcare information of many kinds, ranging from clinical information to billing.

GLBA (Gramm-Leach-Bliley Act, 1999)

The Gramm-Leach-Bliley Act Safeguards Rule requires financial institutions to prevent unauthorized access to non-public personal information. Financial institutions must take steps to ensure the security and confidentiality of non-public personal information, which includes name, address, social security number and credit history.

CA 1386 (California Senate Bill 1386, 2003)

California enacted legislation that regulates personal financial information over and above the requirements of GLBA. Specifically, this bill requires any firm to disclose to California residents any case of their unencrypted customer data being compromised, regardless of where or how the breach occurred. Because many companies do business in California, CA 1386 is effectively a national regulation, at least within the financial services industry.

Basel II (Basel Capital Accord, 2004)

The Basel Capital Accord (Basel II) updates the international bank capital accord (Basel I) to improve consistency of capital regulations, make regulatory capital more risk sensitive, and to promote risk-management practices among large international banking organizations. Compliance requires all banking institutions to have sufficient assets to offset any risks they may face.

Payment Card Industry (PCI) Data Security Standard

Introduced by Visa, MasterCard, American Express, Discover and other credit card issuers. All processors of credit card information are required to adhere to its twelve requirements, which are geared towards protecting cardholder information (please refer to the Solidcore white paper on PCI compliance for further details).

The Federal Information Security Management Act (FISMA), 2002

FISMA is intended to bolster computer and network security within the Federal Government and affiliated parties by mandating yearly audits. FISMA requires each federal agency to develop, document, and implement an agency-wide information security program for the information and information systems that support the operations and assets of the agency.


Contact

Email: [email protected]

Web: http://www.solidcore.com

Tel: 888.210.6530

© 2005 Solidcore Systems. Solidcore Systems, Solidcore, S3 Change Control, and Solidification are trademarks of Solidcore Systems, Inc. All rights reserved in the United States and internationally.