Security controls for Sarbanes-Oxley section 404 IT compliance

The following is an excerpt from Security controls for Sarbanes-Oxley section 404 IT compliance: Authorization, authentication, and access.

Understanding the new definition of adequate Sarbanes-Oxley compliance

The big story in Sarbanes-Oxley for the IT professional is that earlier approaches to quickly getting applications built and in place to support the business (punch a few holes in the firewall and worry about security later) will no longer pass the inevitable audit. Access controls that give everyone in the same OU (organizational unit container) the same access rights are no longer considered "adequate" security controls. Meeting the test of maintaining effective internal control structure and processes supporting accurate financial reporting requires treating Sarbanes-Oxley 404 compliance with a focus and discipline not always evident in existing information systems designs.

The annual audit findings that report substantial weaknesses in controls will attest to these shortcomings in existing IT designs in small and large companies alike. Looking forward, there is simply no point in building tomorrow's audit failures today. Legacy systems and existing applications must be brought into compliance. Failure to do so could have a large negative impact on the value of public companies that do not meet the compliance tests during audits. Public audit of internal controls under Section 404(b) requires auditors to assess whether the internal control structure and procedures contain substantial weaknesses of any kind. The audit reports are expected to attest to the success of the company's internal control structure and procedures for financial reporting purposes.

More info on this book
Security Controls for Sarbanes-Oxley Section 404 IT Compliance: Authorization, Authentication, and Access
By Dennis C. Brewer
Published by John Wiley & Sons
ISBN: 0-7645-9838-4
262 pages; October 2005

Any flaw in an organization's control relationship between identity, authentication, access control measures, and the links made to financial or privacy data is subject to audit and adverse reporting. As the rules are refined and auditors become more knowledgeable about the technologies involved, any imperfections in the controls will likely be discovered over time.

High Stakes for Sarbanes-Oxley Compliance Failures

One could easily imagine a corporation that doesn't look too bad on its first audit, but some material findings emerge related to SOX 404 issues. The company fixes some things and then gets audited by a different team capable of a more detailed technology audit, leading to more negative findings in audit year two. The company fixes the year-two findings only to be audited in year three by yet another more sophisticated team, and behold, more negative audit findings related to the quality of controls. After a scenario like that, Wall Street analysts may feel compelled to point out to the stock-buying public that company X seems to be having difficulty correcting its compliance issues, and they may downgrade the outlook for the company because it just can't seem to get a grip on instituting the necessary controls.

The control issues surrounding compliance with Sarbanes-Oxley-like mandates do not apply only to public companies. Governments at all levels, the nonprofit sector, and closely held companies all face the need to protect the integrity of their confidential information satisfactorily, to provide adequate controls on access to data stores, and to counter the liability arising from losses of clients' and members' personally identifying information. For some nonprofit organizations, the financial risk of litigation resulting from inadequate controls may be far greater than any harm from adverse audit findings.

 


This was first published in December 2005
