While many of you have undergone the rigors of meeting compliance requirements for Sarbanes-Oxley (SOX), some of you are new to the role, or are associated with companies that are just going public and have not previously been subject to this legislation. For those of you lucky enough to have drawn the assignment, the task may seem quite daunting. However, there are a few steps you might want to consider that could help slice the sizeable task of Sarbanes-Oxley compliance into manageable servings.
For starters, you'll likely be driving this Sarbanes-Oxley compliance effort on your own. I have yet to encounter an organization that has a staff dedicated solely to the purpose of Sarbanes-Oxley compliance. I know of a few organizations that may have a person dedicated to it, but most companies either reassign existing personnel or simply add the associated tasks to existing personnel – with the latter being the more common option.
As you're trying to get your arms around the task of Sarbanes-Oxley compliance, here are some suggestions that might help you frame your approach and increase your chances of success.
Select a framework
Before you can evaluate your organization's structure, policies, practices, etc., you need to have an accepted baseline against which you can compare your company. Two common frameworks in use are COSO and CobiT. COSO (the Committee of Sponsoring Organizations of the Treadway Commission) is "designed to improve the quality of financial reporting through business ethics." The CobiT (the Control Objectives for Information and Related Technology) basis for auditing the IT management function was developed by the Governance Institute, and is an open standard for control over information technology. These are both examples of frameworks, but in my opinion, CobiT is more suitable for use in an IT environment.
Establish audit guidelines, management guidelines and identify roles
If your organization has the luxury/curse of an internal IT audit group, select a point of contact within that group. Your communications with an internal IT audit group will be more consistent than with an external audit group, which may vary from season to season. The internal audit contact will also, most likely, be the interface with any third-party auditor. This will not only relieve you of that task, but will provide a more knowledgeable interface between your company and the external auditors. If, however, your organization does not have an internal audit group, identify the point person within the third-party audit team with whom you will be working. Whether through you or an internal audit team, consistency throughout your testing and documentation is a key to success, and having the same person in that key role will make the overall task more bearable. Once the audit team has outlined test criterion and objectives, you will need to coordinate test procedures.
Identify a testing team that will be able to devote a great deal of their time to the SOX effort for the duration of the testing and documentation. This may prove to be the most difficult part of the process. You will likely find yourself dealing with members of upper management who want to expedite this process by designating individuals who create, perform, observe, document and retest the processes within their respective groups. However, as with all audit procedures and IT security measures, there is a specific need to have a segregation of duties. Testing for Sarbanes-Oxley compliance is no different.
You'll need to specify roles that are distinct and independent from each other. Then – and this is where you get to prove your sales talents – you must convince upper management of the need to separate these roles and responsibilities. First and foremost is the coordinating effort. This will most likely fall to you. However, given the number of systems and procedures you will be called on to validate, three specific roles should be singled out: one who performs the tests, one who observes the tests and one who documents the tests. These roles can be duplicated from group to group, but a segregation of responsibilities dictates that these three roles should not be performed by the same person(s). Any retesting that is then required can be evaluated and retested with less possibility of compromise due to frustration or inconvenience until compliance is achieved.
While you may consider meeting the Sarbanes-Oxley requirements to be a necessary evil of doing business (rest assured, you are not alone), compliance is not an insurmountable task. Look on the bright side; it is a good opportunity to hone your project management skills. Then, when you're done, you can start preparing for HIPAA, Graham-Leach-Bliley, SB-1386, etc.
About the author
Mike Lamkin, CISSP, is the IT Security Manager of a chemical company based near Houston, Texas. Mike has been an IT security practitioner for the last eight years and has been in the IT industry for more than 28 years. Mike has spoken at seminars and conferences, conducted training and authored several articles on networking, security and related issues.