What IT Pros Must Know About Sarbanes-Oxley

Chances are you've already been affected by sections 404 and 302 of the Sarbanes-Oxley Act (SOX), whether or not you realize it. SOX is intended to mitigate the growing problem of public companies failing to accurately and truthfully report their finances. SOX also addresses the need for companies to effectively manage risk in all its forms—including ensuring that data residing on corporate computers is adequately archived and protected from damage or tampering. SOX has ramifications for everyone in the corporation from the CEO and board of directors all the way down to IT professionals like you and me. Here, we'll examine the various IT areas that SOX affects to help you get a handle on your role in implementing compliance-related mandates from upper management.

BE A CONTROL FREAK
Essentially, SOX legislates what used to be IT security best practices. If you've dealt with IT auditors in the past, either internally or via your company's CPA firm, you're already familiar with controls. (However, you should expect an auditor to go deeper into your company's records and be less forgiving than ever before, because CPA firms are determined to avoid another Arthur Andersen debacle and internal auditors could conceivably be held criminally responsible under SOX.) In a nutshell, SOX requires corporations to implement controls that assure the integrity and accuracy of the company's financial reporting. At the highest level of management, this requirement translates to written policies, memos, meeting minutes, and other documents that demonstrate that management is taking the lead and involved in risk management and financial-reporting controls. At a lower level, corporations must show that they have processes that effectively implement the higher-level policies and directives for risk management and financial-reporting controls.

Your auditors no doubt base their criteria on widely accepted controls frameworks, such as The Committee of Sponsoring Organizations of the Treadway Commission (COSO, http://www.coso.org) and Control Objectives for Information and Related Technology (COBIT, http://www.isaca.org/cobit.htm). You'll find it helpful to peruse these frameworks to learn about the standard criteria that auditors will use to assess your departments' practices. Although COSO and COBIT are too detailed to discuss in this article, we can review the major types of controls that auditors look for. Such knowledge can help you comply with management's directives so that you can reduce your company's and department's exposure to compliance risks. Understanding the language of auditors and some SOX fundamentals will also help you avoid problems when you face auditors who don't really understand your job or the technology you're responsible for.

When auditors assess your organization's IT practices, they'll look for two types of controls: general IT and application-level. Both types of controls can be preventive or detective. As the names imply, preventive controls are designed to prevent a problem, and detective controls are designed to detect problems that slipped through the preventive controls. An example of a preventive control might be a password-lockout scheme that locks out accounts after repeated failed logons that used a bad password. A detective control could be a regular review of group-membership additions compared with access-control changes that an application's owner approves.

General IT controls are those that affect multiple applications or data within your company. General controls can be strictly technical controls or processes that an IT staff follows. For instance, a technical general control might involve elements such as a domain's password and lockout policy and workstation settings such as password-protected screen savers and disk encryption. The latter examples are general controls because they address risks to multiple applications and data (i.e., if you can't log on to the domain, you can't access or modify a spreadsheet that tracks your company's proven oil reserves). General controls might also include technologies and components that you deploy for fault tolerance, disaster recovery, and business continuity.

General controls are valuable for providing overall protection, and auditors will get nervous if your general controls aren't up to par. But general controls can't address every type of risk. For example, general controls can't usually guarantee for an insurance company that a given employee can't originate a claim as well as approve it or that a transaction that involves multiple applications is performed correctly and that all balances are updated accurately. Thus, you need application-level controls, too. Application-level controls assure the integrity of business processes, application transactions, and data.

Some application controls never involve IT and are simply policies and procedures that are implemented within the business process. Other application controls are implemented directly within an application. Although the bulk of technical application controls affect primarily developers and operations staff, such controls can also affect IT administrators. For instance, you're probably subject to certain policies, which dictate that before you grant a user access to certain data or a level of application access, you must get approval from the application or data owner—usually a manager in a department closely related to the resource. Or you might have certain tasks removed or added to your responsibilities to support separation-of-duty controls. Separation of duty means that one person is prohibited from performing a combination of tasks that let him or her circumvent controls, easily perpetrate fraud, or introduce a conflict of interest. Classic examples of separation of duty are assigning one person to administer user accounts and another to monitor user-account changes and delegating an outside entity to perform a security audit of IT, instead of letting IT staff perform the audit.

When an auditor can't verify a given control to his or her satisfaction, the auditor will often accept a compensating control, which provides an alternative means for controlling a risk that management cannot or has chosen not to control by using more traditional methods. For example, perhaps management has decided not to have IT implement a strict password policy requiring a certain length and combination of characters, thereby leaving your network vulnerable to easily guessed passwords. However, as a compensating control, you perform a monthly crack of passwords and follow up with users and their managers, if necessary, to correct passwords that your documented criteria designate as weak.

KEEP MANAGEMENT—AND AUDITORS—INFORMED
To demonstrate that controls are in place, you'll need to show auditors not only that written policies for such controls exist, for example, but also that these policies are being executed actively and consistently. During an audit, you might have to produce monitoring reports from a certain time period as well as a record of who reviewed them, whether the reports contained exceptions that were reported to management, and what actions were taken regarding such exceptions. Therefore, in addition to documenting the existence of controls, SOX requires you to document the performance and enforcement of such controls.

If you work for a publicly held corporation, your management should already be well along in addressing these documentation issues, and you've probably been asked to document your current security and data-protection procedures, develop procedures that implement higher-level policies from management, and begin documenting the actual execution of such procedures. You might also have seen management mandate the use of a formal, auditable method for reporting exceptions. Reporting to management is necessary because SOX requires management to be actively involved in the risk-management process so that executives can make informed decisions that involve risk to the company or affect the accuracy of its financial reports. SOX erases the "I wasn't aware of it..." excuse from the vocabulary of IT and management alike! Proper reporting and documentation is in your best interest because the penalty for failure to comply with SOX is up to 20 years in prison. (Presumably, though, upper management would be the most likely target of the penalty, and criminal intent would also have to be proved.)

Another important aspect of reporting is the requirement for companies to inform investors of any events in "real time" that could affect the next financial report. For IT pros, this requirement means that IT is responsible for keeping management informed of important events such as system changes or security intrusions. It's management's responsibility—not yours—to decide what's important enough to report to investors. As SOX's fuzzy lines come into better focus, management will probably give you criteria for determining what needs to be reported and what doesn't. Until then, though, if in doubt, err on the side of caution and report to management everything you think they need to know about in the IT realm.

TEST YOUR CONTROLS
SOX requires that controls be regularly tested. Your auditors will test controls by collecting policy and procedure directives, interviewing key employees, watching processes being performed, reviewing documentation, and in some cases by repeating execution of a process for a sample set of transactions. In IT administration terms, such testing might take the form of the auditor asking to be walked through an imaginary account creation for a new employee. Or the auditor might randomly select a user and request the documentation that justifies the user's group membership. The auditor will expect to see application­change-control requests signed or otherwise authorized by each group's corresponding business owner.

PAY ATTENTION TO RECORDS RETENTION
Despite what you might have heard, SOX doesn't mandate explicit, definite rules about records retention, other than making it a crime to knowingly destroy records to purposely hide information from investigators. However it's a given that to comply with SOX's governance and reporting requirements, companies must retain the business records they use to produce financial reports, whether those records are email messages, transaction databases, spreadsheets, or other documentation. Email and in some cases even Instant Messaging (IM) communications might need to be archived for years to be available for potential future investigations.

Your company's management, with the help of its internal auditors, public auditors, and legal counsel, must decide how far to take records retention. For example, in messaging systems it can be difficult to define what is a "business record" and what isn't or who generates financial-related messages and who doesn't. Thus, some companies are taking a very broad approach and investing large amounts of money in digital archiving solutions that save everything for 7 years and beyond.

Such a blanket approach has its own pitfalls, however. Although saving the right records might keep you out of trouble with the Securities and Exchange Commission (SEC), hanging on to the wrong records might create other legal snares for your organization. No doubt Microsoft scrutinized its email-retention policy after its infamous email messages about squashing a competitor came to light in the Microsoft antitrust proceedings. But it's easy to forget those earlier lessons in these times when executives and directors fear criminal liability for failing to comply with SOX and other regulations. Additionally, executives worry that investors might punish firms that file initial compliance reports revealing incomplete compliance efforts or whom auditors tag as having material weaknesses in their SOX compliance.

STAY ON TRACK
If your employer is a publicly held company, SOX applies to you and your company's compliance program should already be in place or very close to it, depending on factors such as your company's size and fiscal year-end. If your firm is a larger enterprise that has a market capitalization of more than $75 million, your SOX deadline came and went November 15, 2004. The deadline for other companies is July 15, 2005.

Most large-capitalization firms have concluded their initial compliance effort, but midsize- and small-capitalization companies are still in the midst of implementing their compliance policies. Nevertheless, even companies who have their compliance plans in place can't rest yet. Now everyone—public audit firms, management, and IT folks—will see how their compliance efforts pan out as SOX's many judgment calls are put to the test by the SEC and the courts.

As crunch time comes and goes, make sure you don't let decisions fall to you that aren't yours to make. Only upper management can decide what business records need long-term archiving and guaranteed integrity. The same goes for other controls, reporting, and testing. Even so, an IT professional has no excuse to be ignorant or passive in the compliance process. You know your company's datascape much more intimately than anyone else. Stay on the lookout for areas of your IT infrastructure and databases that the compliance implementation team might be overlooking and, at minimum, communicate your concerns in writing to the right people.

Understanding the fundamentals of SOX and its goals might also help you make a valid case for not implementing unnecessary technology or procedures. Knowledge of SOX and of management's assumptions can also save your neck if you discover that management's expectations don't meet your staff's or technology's capabilities. For instance, besides record retention, SOX implies the concept of "rapid recovery," in which investigators expect you not just to be able to provide archived, tamperproof records but also to provide such information rapidly (i.e., within 48 hours). Your management might expect to have such information available even sooner so that legal counsel can stay ahead in building a legal defense, if necessary.

KNOW YOUR PART
SOX is a huge undertaking for corporations and admittedly creates a lot of extra work—especially documentation, which few IT pros consider a rewarding activity. But it's the law, and everyone from executives on down must do their part to help their company comply and contribute information to ensure accurate reporting to investors. Make sure you understand which of the controls that management has defined affect your job. Also make sure you know when and to whom you should report security and data-protection problems, and document everything you do. Your company—and your career—depend on it.