1. Read the standard
Be warned, this is a 211- page document -- but if you're responsible for a public company's financials -- you need to know what's in the standard. Section 404 relates to the effectiveness of the financials being reported, and to the processes and controls used to provide the information that's being reported. In addition to CoBiT, mentioned above, auditors use The Public Company Accounting Oversight Board (PCAOB) "Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements" as their guideline.
2. Refine "effectiveness"
While CoBiT and Standard No. 2 provide baselines and guidance for determining what is "effective," there are no black and whites across the board. No accounting firms attested to SOX 404 reporting before last year. You know your business better than anyone else. Determine for your own organization, within the guidelines of Standard No.2, COSO and CoBiT, what effective controls are in your environment.
3. Plan for reuse and real-time
Although financials, once reported, are supposed to be set in stone, the networks and controls related to these are in constant flux. A network audit is obsolete the moment it's complete because networks are changing all the time. And while Sarbanes-Oxley Act (SOX )is a landmark regulation, it's not the only one affecting companies. A few years ago, financial services firms were scrambling to fulfill Title V compliance for GLBA. Today it's SOX, but what about tomorrow? The ability to report, in near real time, on the effectiveness and control across the entire organization's infrastructure in an automated manner will not only ease today's SOX compliance issues, but prepare the company for tomorrow's new regulations. Here's where vendor solutions can be applied to make a big difference. If a company has determined that setting certain policies, such as "lock account after three failed login attempts," on a server housing financial information makes it "effective," then an audit tool that can report this policy is active on the server would help automate the reporting process. Other tools, such as security information management consoles, change reporting and control, and compliance solutions must be used in conjunction with corporate defined policies. These tools can be used to plan ahead for increased effectiveness by reporting on the current state of the companies' policy compliance on-demand.
4. Draw the line
Taken to extremes, everything and everyone at a company could seem to somehow affect the accuracy of the reported financials. But is the temperature control system in a development server center really something that has to be taken into consideration for integrity of controls around financial reporting? Where possible, silo out the financial systems and processes related to them. Look at how your systems are set up. Develop a stronger separation between where financial reporting is handled and the rest of your network. Technology such as firewalls, switches and VLANs that segment the network and keep the financial systems separate can help here.
5. Sanity check, early and often
Since it will be the external auditors that perform the attestation, don't work in a vacuum. We've only just completed the first cycle of 404 attestations, and, as yet, external auditors don't have final, "stand-up-in-court" answers regarding what constitutes complete 404 compliance. Don't assume that you can do this all alone either. Another set of eyes often turns up problems that you may not have been aware of. So, work with reputable compliance consultants to track and check where you are today. Then apply that intelligence to the existing audit, reporting, compliance, and SIM tools. Documentation of controls is a required part of 404 compliance, so comprehensive documentation management tools that help automate and control the document creation, approval and completion process may be a necessary purchase for companies without them. Many vendors provide tools and wizards that can help guide and manage the process of documenting for Sarbanes-Oxley.
>> Read part one of this article and learn about the fallacy of SOX-in-a-box.
- Attend Diana Kelley's expert webcast Command, control, comply: The evolution of security management systems.
- Test your knowledge of Security regulations with our quiz.
- Here's advice on getting a quality SOX audit.
About the author
Diana Kelley is a Senior Analyst with Burton Group. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.