In particular, section 404 is often talked about as being the core provision of SOX as it deals with executive management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the company. It requires management to certify the adequacy and effectiveness of its internal controls and to disclose any material weaknesses found. The key to a successful compliance program is to recognise the fact that Sarbanes-Oxley (SOX) does not simply require that adequate controls be established – it requires the annual review of the effectiveness of those controls. In other words, achieving compliance is not a one-time event; rather it must be part of an ongoing process that needs to be sustained over time. Corporations that view the compliance provisions of Section 404 as a burdensome legislative mandate may not be making the necessary investments for a sustained compliance program. Corporations that view compliance as a means to establish and maintain good process through a well defined set of internal controls and the automation of those controls are the ones that will be more likely to have a successful long-term compliance program.
IT Controls Testing and Verification are Largely Manual
The conventional approach to establishing and maintaining IT controls is to exhaustively document IT processes and policies and increase the frequency of review. This approach is costly, inefficient and error-prone. A sustainable compliance program will need to automate the verification and enforcement of IT controls in a manner that causes low operational overhead and decreases the documentation burden on systems administrators and audit personnel. The primary issue faced by IT departments in meeting their compliance requirements today lies in the difficultly of controlling IT systems. Most companies have some form of change approval process, whether formally captured in a workflow system, or informally captured via email exchanges. However, there is a gap between the changes documented through the formal process, and actual change activity on infrastructure elements.
The Sarbanes-Oxley Act (SOX), passed by the US Congress in 2002, represents a fundamental shift in corporategovernance norms. As corporations come to terms with the implications of SOX to their businesses, one thing isclear: a SOX compliance program is not a one-time project but a sustained effort to gain visibility and accountabilityinto business processes that affect the accuracy of financial reporting. Most IT controls are manual, error-prone andresource intensive. This paper lays out the problem and suggests a radical solution: build a self-service, automatedIT control framework in which all the information required to verify compliance is available in a single reportingsystem, at the click of a button. Solidcore S3 Control has helped a large number of customers do just that, and weexplain how we helped them do it.Complying with Sarbanes-Oxley.The Sarbanes-Oxley Act (SOX), passed by the US Congressin 2002, represents the most fundamental shift in corporategovernance norms for many decades. In particular, section404 is often talked about as being the core provision of SOXas it deals with executive management s responsibility forestablishing and maintaining adequate internal control overfinancial reporting for the company. It requires managementto certify the adequacy and effectiveness of its internalcontrols and to disclose any material weaknesses found.The key to a successful compliance program is to recognizethe fact that Sarbanes-Oxley (SOX) does not simply requirethat adequate controls be established it requires the annualreview of the effectiveness of those controls. In other words,achieving compliance is not a one-time event; rather it mustbe part of an ongoing process that needs to be sustainedover time. Corporations that view the compliance provisionsof Section 404 as a burdensome legislative mandate may notbe making the necessary investments for a sustainedcompliance program. Corporations that view compliance asa means to establish and maintain good process through awell defined set of internal controls and the automation ofthose controls are the ones that will be more likely to have asuccessful long-term compliance program.IT Controls Testing and Verification are Largely ManualThe conventional approach to establishing and maintaining ITcontrols is to exhaustively document IT processes andpolicies and increase the frequency of review. This approachis costly, inefficient and error-prone. A sustainablecompliance program will need to automate the verificationand enforcement of IT controls in a manner that causes lowSelf-Service SOX AuditingSelf-Service SOX AuditingSelf-Service SOX AuditingSelf-Service SOX AuditingSelf-Service SOX AuditingWith S3 ControlWith S3 ControlWith S3 ControlWith S3 ControlWith S3 ControlSelf-Service SOX AuditingSelf-Service SOX AuditingSelf-Service SOX AuditingSelf-Service SOX AuditingSelf-Service SOX AuditingWith S3 ControlWith S3 ControlWith S3 ControlWith S3 ControlWith S3 ControlUntitled DocumentSelf-Service SOX Auditing with S3 Controloperational overhead and decreases the documentationburden on systems administrators and audit personnel.The primary issue faced by IT departments in meeting theircompliance requirements today lies in the difficultly ofcontrolling IT systems. Most companies have some form ofchange approval process, whether formally captured in aworkflow system, or informally captured via emailexchanges. However, there is a gap between the changesdocumented through the formal process, and actual changeactivity on infrastructure elements. Consider a situation inwhich an annual audit is coming up. People on the staff of theCIO know that because of SOX, they will need to convincethe auditors with good answers to questions about whomodified data when and for what purpose. How can theyreconcile every change on a system with its purpose andauthorization? How can they demonstrate that their changeprocess was followed, and that every exception to theprocess is accounted for in a manner satisfactory to the auditteam? The typical answer to questions of this sort is to talkabout access and change control policies the company hasput in place. However, this is not satisfactory withoutadequate mechanisms verify that the process was followed.We come back to the core issue: there is a gap betweenchange processes and actual changes in the infrastructure. Itis this gap, which we call the Change Control Gap, whichcauses the manual effort in meeting compliancerequirements. If organizations could bridge this gap, self-service compliance audits could become a reality.Requirements for self-service compliance.Meeting the IT requirements for compliance is an oneroustask. The information required to verify IT controls isunavoidably very large, exists in many different forms and isscattered widely across a complex IT infrastructure.Reconciliation across these information sources is a largelymanual, tedious, error-prone and expensive process. Ingeneral, it is very difficult for the IT personnel to use suchscattered information to construct documentationdemonstrating the capability to detect policy violations. Forexample, leaders in SOX compliance practices include largefinancial services companies in which every fiscal quarter,dozens of people suspend their usual job duties for severaldays in order to collect data and create documentation in the quarterly compliance fire drill. In order to get to the automated control framework wediscussed earlier, let us examine what the requirements for aself-service control framework would be. The key capabilityfor a self-service control framework is automated andcomprehensive documentation tied to the change process.Demonstrating to auditors that adequate IT controls are inplace require coming gaining visibility into the changeprocess, establishing accountability for changes, andselectively enforcing limits on how systems may bechanged. In other words, a company s IT controls should,at a minimum, address the following requirements:VisibilityVisibilityVisibilityVisibilityVisibility: Provide extensive logging capabilities that track allrelevant program and data changes, as well as categorizeand report on them in a useful and actionable manner.AccountabilityAccountabilityAccountabilityAccountabilityAccountability: Reconcile every change with itsauthorization and purpose to verify that policies have beenfollowed. Report on exceptions to the change process.Change Policy EnforcementChange Policy EnforcementChange Policy EnforcementChange Policy EnforcementChange Policy Enforcement: A mechanism to enforcethese policies selectively where appropriate to preventbreaches from occurring.Automating compliance with S3 ControlSolidcore Systems is the leading provider of real-timechange control solutions. Solidcore S3 Control softwareimproves IT service availability and compliance by closingthe change control gap between IT service management andthe IT infrastructure.Solidcore S3 Control gives customers the ability to automatethe validation of controls, thereby eliminating the expensive,time consuming and error-prone manual processes thatconsume IT time and resources. Solidcore s real-timechange detection capability along with its automated andhighly accurate change reconciliation provides an automatedway to validate changes against authorizations. Out ofprocess changes (for example, emergency fixes) areautomatically documented and reconciled for easierUntitled DocumentSelf-Service SOX Auditing with S3 Controlauditability. Customers using S3 Control for Sarbanes-Oxleyauditing have realized significant benefits both in terms ofreduced risk as well s reduced cost. In most cases, the firstphase of benefits comes in the form of automating currentlymanual controls. The second phase of benefits comes fromrationalizing and reducing the control set, based ondemonstrating to auditors that control capabilities are builtinto the fabric of the environment.The Solidcore benefits include: Significantly less manual effort required to comply withSOX audits. Reduction in frequency of testing due to demonstrableautomation. Reduction in number of controls due to processenforcement capabilities. Reduction in risk due to completeness of coverage.We have divided these benefits into two phases. The firstphase will consist primarily of automating the large number ofmanual controls currently in the framework. Auditrequirements can be demonstrated on-demand with a selfservice audit portal consisting of the required reporting anddocumentation. The second phase will consist of reducingthe number of controls by demonstrating that the processenforcement capabilities of S3 Control render periodicvalidation redundant. Determining which controls may beeliminated from the framework will require discussions andapproval from a customer s internal and external audit teamas well.To quantify the benefits of this approach, Figure 1summarizes this two phased approach to the SOX Controlframework, as implemented by an actual customer. Thecustomer expects that in phase 1 the percentage ofautomated key controls will increase to 67% from 27%. Inphase 2, they expect a 36% reduction in the total number ofcontrols required for SOX compliance.05101520253035Phase 0: CurrentPhase 1: Automation Phase 2: OptimizationSox Control FrameworkKey: ManualKey: AutomatedNon-KeyEliminatedFig 1: Towards self-service SOX auditing.The cost savings and risk reduction in moving to this controlmodel are enormous and they expect to recover theirinvestment in less than six months.What improvements can we make in your SOX Controlframework?SummarySolidcore S3 Control gives customers the ability to automatethe validation of controls, thereby eliminating the expensive,time consuming and error-prone manual processes thatconsume IT time and resources. Customers using S3 Controlfor Sarbanes-Oxley auditing have realized significant benefitsboth in terms of reduced risk as well s reduced cost. Inmost cases, the first phase of benefits comes in the form ofautomating currently manual controls. The second phase ofbenefits comes from rationalizing and reducing the controlset, based on demonstrating to auditors that controlcapabilities are built into the fabric of the environment.Copyright 2006, Solidcore Systems, Inc. All Rights Reserved. Solidcore , Solidcore Systems, and Solidification are trademarks of Solidcore Systems, Inc. All othertrademarks are the property of their respective owners.Untitled DocumentSelf-Service SOX Auditing with S3 ControlAppendix A: Mapping S3 Control to the Cobit FrameworkTo map Solidcore capabilities to specific internal controls required by SOX we will use a widely used controls framework, the COBITframework, which identifies thirty-four specific IT controls that must be satisfied for SOX compliance.Cobit RequirementCOSO ComponentSolidcore CapabilityPlan and Organize (IT Environment)IT strategic PlanningGain visibility into change process and createaction plan for process improvement.Information architectureDetermine technological directionIT organization and relationshipsManage the IT investmentLeverage existing IT investments withSolidcore, and connect disparate silos ofchange information.Communication of management aims anddirectionManagement of human resourcesCompliance with external requirementsMonitor policy breaches, produce audit trailsand reports to verify compliance.Assessment of risksReal-time alerts to gain up-to-the-secondvisibility into changes occurring on productionsystems.Manage projectsManagement of qualityMaintain systems in a verified state forreduced unplanned downtime.Acquire and Implement (Program Development and Program Change)Identify automated solutionsAcquire or develop application softwareAcquire technology infrastructureDevelop and maintain policies andproceduresReconcile deployed changes withactual changes thereby providing verification thatpolicies were followed. Maintain policies byenabling selective enforcement mechanisms.Install and test application software andtechnology infrastructureQuicken test cycles by maintaining stagingservers and production servers in a consistentstate.Manage changesComplete trail of all changes across theenterprise, categorized and reconciled withauthorization and purpose.(table continued on next page)Untitled DocumentSelf-Service SOX Auditing with S3 ControlCobit RequirementCOSO ComponentSolidcore CapabilityDeliver and Support (Computer Operations and Access to Programs and Data)Define and manage service levelsLower unplanned downtime by maintainingsystems in a known and validated state. Meetor exceed SLA's through improved visibility.Manage third-party servicesReconcile third party changes with workorders to ensure consistency andcompleteness of service.Manage performance and capacityMaintain throughput and computing capacitywith a solution that incurs a low CPU and network overhead.Ensure continuous serviceEnsure that production and disaster recoveryor backup systems are kept in a consistentstate and alert on any deviation.Ensure systems securitySelectively enforce process and ensure thatno changes made outside of approved process may be implemented.Identify and allocate costsEducate and train usersAssist and advise customersManage the configurationView reports on deviations from a "gold" image and get alerts for changes to configuration.Manage problems and incidentsUtilize Web-based ad-hoc search tool forforensics and quick remediation.Manage dataProtect critical data by preventingunauthorized change to it; report on allchanges to a given set of data.Manage facilitiesManage operationsEnforce process for a proactive changecontrol stance.Monitor and Evaluate (IT Environment)MonitoringGet real-time alerts on any change in theenvironment.Adequacy of internal controlsDemonstrate adherence to published processesand controls through validation reports.Independent assuranceRecord changes in a tamper-proof, comprehensive Independent System of Record.Internal auditAutomate reconciliation and verification ofapproved changes with deployed changes.(table continued from previous page)Untitled DocumentAbout Solidcore SystemsSolidcore Systems is the leading provider of real-time change control solutions. Solidcore S3Control software improves IT service availability by closing the change control gap between ITservice management and the IT infrastructure. Solidcore s innovative solutions enable comprehensive control of the computing environment of anenterprise. Solidcore s solutions are operationally-friendly, low-touch, and low overhead; they canbe deployed on a wide range of enterprise infrastructure including servers, databases and networkdevices,Solidcore facilitates real-time visibility and enforcement of control to realize immediate value inchange control, compliance and security. Leading Fortune 500 companies and U.S. governmentorganizations use Solidcore to understand and control change. Solidcore is a private, venture-backed enterprise software company with its headquarters in Palo Alto, California.Solidcore Systems, Inc.3408 Hillview Avenue, Suite#180Palo Alto, CA 94304Email: firstname.lastname@example.orgWeb: http://www.solidcore.comTel: 888.210.6530Self-Service SOX Auditing with S3 ControlAppendix B: Other regulatory standardsAlthough we focus on the provisions of the Sarbanes-Oxley Act in this white paper, there are other regulatory measures that seek toimpose better governance and oversight as well. The table below summarizes a few of these compliance regimes.HIPAA (Health Insurance Portability and Accountability Act, 1996)HIPAA established privacy requirements and security standards for protecting the confidentiality and integrity of individually identifiable healthinformation. It governs healthcare information of many kinds, ranging from clinical information to billing.GLBA (Gramm-Leach-Bliley Act, 1999)The Gramm-Leach-Bliley Act Safeguards Rule requires financial institutions to prevent unauthorized access to non-public personal information.Financial institutions must take steps to ensure the security and confidentiality of non-public personal information, which includes name, address,social security number and credit history.CA 1386 (California Senate Bill 1386, 2003)California enacted legislation that regulates personal financial information over and above the requirements of GLBA. Specifically, this bill requiresany firm to disclose to California residents any case of their unencrypted customer data being compromised, regardless or where or how thebreach occurred. Because many companies do business in California, CA 1386 is effectively a national regulation, at least within the financialservices industry.Basel II (Basel Capital Accord, 2004)The Basel Capital Accord (Basel II) updates the international bank capital accord (Basel I) to improve consistency of capital regulations, makeregulatory capital more risk sensitive, and to promote risk-management practices among large international banking organizations. Compliancerequires all banking institutions to have sufficient assets to offset any risks they may face.Payment Card Industry (PCI) Data Security StandardIntroduced by Visa, MasterCard, American Express, Discover and other credit card issuers. All processors of credit card information are required toadhere to its twelve requirements which are geared towards protected cardholder information The Federal Information Security Management Act (FISMA), 2002FISMA is intended to bolster computer and network security within the Federal Government and affiliated parties by mandating yearly audits.FISMA requires each federal agency to develop, document, and implement an agency-wide information security program for the information andinformation systems that support the operations and assets of the agency.