The following is an excerpt from Security controls for Sarbanes-Oxley section 404 IT compliance: Authorization, authentication, and access.
Understanding the new definition of adequate
The big story in Sarbanes-Oxley for the IT professional is that earlier approaches to quickly getting applications built and in place to support the business (punch a few holes in the firewall and worry about security later) will no longer pass the inevitable audit. Access controls that give everyone in the same OU (organizational unit container) the same access rights are no longer considered "adequate" security controls. Meeting the test of maintaining effective internal control structure and processes supporting accurate financial reporting requires treating Sarbanes-Oxley 404 compliance with a focus and discipline not always evident in existing information systems designs.
The annual audit findings that report substantial weaknesses in controls will attest to these shortcomings in existing IT designs in small and large companies alike. Looking forward, there is simply no point in building tomorrow's audit failures today. Legacy systems and existing applications must be brought into compliance. Failure to do so can have a large negative impact on the value of public companies that do not meet the compliance tests during audits. Public audit of internal controls linked to Section 404(b) requires auditors to assess whether the internal control structure and procedures contain any substantial weaknesses of any kind. The audit reports are expected to attest to the success of the company's internal control structure and procedures for financial reporting purposes.
Any flaw in an organization's control relationship between identity, authentication, access control measures, and the links made to financial or privacy data is subject to audit and adverse reporting. As the rules are refined and auditors become more knowledgeable about the technologies involved, any imperfections in the controls will likely be discovered over time.
High Stakes for Sarbanes-Oxley Compliance Failures
One could easily imagine a corporation that doesn't look too bad on its first audit, but some material findings emerge related to SOX 404 issues. The company fixes some things and then gets audited by a different team capable of a more detailed technology audit, leading to more negative findings in audit year two. The company fixes the year-two findings only to be audited in year three by yet another more sophisticated team, and behold, more negative audit findings related to the quality of controls. After a scenario like that, Wall Street analysts may feel compelled to point out to the stock-buying public that company X seems to be having difficulty correcting its compliance issues, and they may downgrade the outlook for the company because it just can't seem to get a grip on instituting the necessary controls.
The control issues surrounding compliance with Sarbanes-Oxley-like mandates do not apply only to public companies. Governments at all levels, the nonprofit sector, and closely held companies all face the need to satisfactorily protect the integrity of their confidential information, to provide adequate controls on access to data stores, and to limit the liability that follows from losses of clients' and members' personally identifying information. For some nonprofit organizations, the financial risk of litigation resulting from inadequate controls may be far greater than any harm from adverse audit findings.
This was first published in December 2005