Like many information security professionals, I spent the last year working with auditors to decipher the new world of compliance. The Sarbanes-Oxley Act has changed how auditors look at controls, in turn challenging IT and Finance departments to interpret the control requirements and implement compliant processes. We spent the better part of eight months updating and documenting IT and information security controls, and working closely with internal auditors to identify areas needing improvement. In the end, we passed our first SOX audit and walked away from the process armed with valuable lessons learned for the next time around. My goal is to share them with you in the hope that you can benefit from our experience.
First, a framework to help put our efforts in perspective: The overall company SOX project was managed by the senior financial management. IT, which included information security, was a sub-project of the overall SOX effort, and information security was a core component of the IT efforts. However, many of the information security functions for the various applications were decentralized and not all were within the IT department. So, one of the first steps I did was to identify all the security administrators for the various applications and organized them into a security administrators working group. With our pooled resources, we developed common, consistent security processes. Our mission was to focus on the information security controls: updating, documenting, improving and implementing new ones where needed. We worked with the auditors to ensure the processes we implemented met the internal control objectives.
Here are the lessons learned based on our experience in preparing for and meeting the SOX challenge.
- Communicate, communicate, communicate – to employees, managers, auditors
For information security, this means taking an active role in communicating new security standards, processes and procedures. Security awareness messages are important in educating employees about security controls. If employees do not know about a new procedure, then you can't expect them to follow it! Also, open and frequent communication with the audit staff is beneficial in both creating a good team-spirited working relationship and proactively addressing potential issues. Frequent follow-ups and reminders to everyone involved is key to ensuring that responses to audit requests are completed on time.
- Document, document, document
If it ain't documented, it ain't done! Auditors perform their audit testing using your documentation. Improper documentation results in non-compliance. Document your procedures, document your day-to-day control tasks, and properly maintain the documentation. Policies, standards and procedures should have version controls and be approved by management. And don't forget -- document your documentation! You should have an inventory of your documents and know where they are stored.
- Learn to love your auditors
They may not budge on the control objectives, but auditors can help brainstorm options and suggest alternatives for controls. They can also be very helpful in interpreting and explaining the control objectives. It is critical that you and your auditors have a common and consistent understanding of the control objectives. Without the right understanding, you may end up implementing a control that is not what the auditors expect and you will not be compliant.
- Respond promptly to audit requests
Delaying or not responding to audit requests will only get you into trouble. Some auditors may interpret your non-responsiveness as an indication of lack of controls. With that said, if you have an issue with an audit request, be up front and let them know right away your concerns. We all have limited resources and competing priorities – stating your concerns can open the conversation for negotiating a new deadline or changing priorities.
- Clarify requests from auditors
Auditors have their own terminology. Take time to clarify exactly what they are asking. Determine the context of the request. What control objective are they testing with this information? Keep asking questions, validate and do not assume anything. Not understanding the requests can lead to misunderstandings, more work and delays. For example, a request for a list of all userIDs for an application seems simple enough. We produced a list of all userIDs – no names, no indication of whether they were active or disabled, date last used, their access permissions, etc. What the auditor meant was a list of active userIDs, with names, access permissions and date last logged on.
- Do not say "No" to management or auditors
SOX is SOX, and compliance has got to be done. You may communicate your issues to further understandings, but don't be a road block. Management removes roadblocks. You do not want to be seen as a roadblock!
- Perform self-audits
This provides a check and balance to ensure employees are following procedures consistently and as described in the controls descriptions. It's better if you find discrepancies and correct them before the auditors do.
- Form an Information Security Administrators Work Group
If you have a decentralized organizational structure for information security activities, create a working group of the various security administrators from around the company. As a group, develop common, consistent processes and standards that satisfy the control objectives. Meet regularly to discuss issues and share security information.
- Include SOX-compliant security requirements in contracts
You are responsible for controls, even if you outsource the application. Be sure to include SOX-compliant security requirements in contracts with vendors and outsourcing partners.
- You don't need a lot of tools – it's mostly procedural
At least initially, SOX compliance is more about defining the processes you want rather than buying a bunch of tools. Tools can be used for efficiency once you have thought out and defined your processes.
- Be open and adaptable to change, new requests and short time frames
With quarterly audit requirements and auditors continuously looking at controls from different perspectives, you need to adapt to constant change and short time lines for audit requests.
Raise the bar
What passed last year may not be good enough this year. Auditors look for improvements in controls over the prior year. Build in quarterly process improvement reviews for your controls.
About the author
Robert Childs is currently the Information Security Analyst for PNM Resources, Inc. He is responsible for the information security architecture, policies, standards and compliance processes for the company. He has approximately 26 years of corporate work experience, including IT audit and information security. He has an MBA in International Management from Thunderbird –The Garvin School of International Management, and a BBA in Finance from University of Texas at Austin. He is a CISSP, CISM and CISA.