The following is an excerpt from Security controls for Sarbanes-Oxley section 404 IT compliance: Authorization, authentication, and access.
Understanding the new definition of adequate
The big story in Sarbanes-Oxley for the IT professional is that earlier
approaches to quickly getting applications built and in place to support the
business (punch a few holes in the firewall and worry about security later) will
no longer pass the inevitable audit. Access controls that give everyone in the
same OU (organizational unit container) the same access rights are no longer
considered "adequate" security controls. Meeting the test of maintaining an effective
internal control structure and processes that support accurate financial
reporting requires treating Sarbanes-Oxley 404 compliance with a focus and discipline not
always evident in existing information systems designs.
The annual audit findings that report substantial weaknesses in controls
will attest to these shortcomings in existing IT designs in small and large companies
alike. Looking forward, there's just no point in building tomorrow's
audit failures today. Legacy systems and existing applications must be
brought into compliance. Failure to do so has the potential for a big negative
impact on the value of the public companies that do not meet the compliance
tests during audits. Public audit of internal controls linked to Section 404(b)
requires auditors to assess whether the internal control structure and procedures
contain any substantial weaknesses. The audit reports are
expected to attest to the success of the company's internal control structure
and procedures for financial reporting purposes.
Any flaw in an organization's control relationship between identity, authentication,
access control measures, and the links made to financial or privacy
data is subject to audit and adverse reporting. As the rules are refined and
auditors become more knowledgeable about the technologies involved, any
imperfections in the controls will likely be discovered over time.
High Stakes for Sarbanes-Oxley Compliance Failures
One could easily imagine a corporation that doesn't look too bad on its first
audit, but some material findings emerge related to SOX 404 issues. The company
fixes some things and then gets audited by a different team capable of a
more detailed technology audit, leading to more negative findings in audit
year two. The company fixes the year-two findings only to be audited in year
three by yet another more sophisticated team, and behold, more negative audit
findings related to the quality of controls. After a scenario like that, Wall Street
analysts may feel compelled to point out to the stock-buying public that company
X seems to be having difficulty correcting its compliance issues, and they
may downgrade the outlook for the company because it just can't seem to get
a grip on instituting the necessary controls.
The control issues surrounding compliance with Sarbanes-Oxley-like mandates do not
apply only to public companies. Governments at all levels, the nonprofit sector,
and closely held companies all face the need to satisfactorily protect the integrity
of their confidential information, to provide adequate controls on access to
data stores, and to counter the liability arising from losses of clients' and members' personally
identifying information. For some nonprofit organizations, the financial risk
of litigation resulting from inadequate controls may be far greater than any
harm from adverse audit findings.