What is Sarbanes-Oxley (SOX) and How Did It Highlight The Need for Identity Governance?
In 2002, after a wave of corporate scandals and in the midst of the dot-com crash, new policy controls were introduced requiring US public companies to maintain strict controls over financial reporting, including ensuring that only authorized individuals have access to financial systems. The requirement for governance over access to financial systems established a major driver for investment in Identity and Access Governance.
Public companies are audited for compliance with the SOX regulations, requiring audit “proofs” be provided to meet the standards established by the law.
What are SOX 404 Controls and Why Do They Require Me To Do Access Reviews?
SOX 404 controls refer to the internal control requirements outlined in Section 404 of the Sarbanes-Oxley Act of 2002. They are designed to ensure the accuracy and reliability of financial reporting and to prevent financial fraud in public companies. Identity governance helps ensure that the right individuals have the right access to the right resources at the right times, which is fundamental to many SOX 404 controls.
Key components:
1. Internal Control over Financial Reporting (ICFR):
2. Management Assessment:
3. External Auditor Attestation:
What Are The Types of SOX Controls and How Do They Relate to Identity Governance?
There are five primary types of controls that SOX outlines to accomplish its mission:
Preventive Controls:
Preventative Controls are designed to stop errors or fraud before they occur.
Example: Segregation of duties in financial transactions ← Role Based Access Controls + SOD Policies
Detective Controls:
Detective Controls are aimed at identifying errors or irregularities after they have occurred
Example: Regular account reconciliations ← Access Reviews and Orphan Account Detection
Corrective Controls:
Corrective Controls are designed to address problems identified by detective controls
Example: Procedures for correcting and re-running erroneous financial reports
Entity-level Controls:
Entity-level Controls are broad controls that impact the entire organization
Example: Company-wide full user access review ← Access Certification
Process-level Controls:
Process-level Controls are specific controls within individual business processes
Example: Approval procedures for the ability to make large expenditures ← Access Request + Role Access Policies
What Are The SOX Access Management Requirements?
- User Access Controls: Verify that user access to financial systems and data is granted based on the principle of least privilege and that access rights are reviewed and approved before being granted.
- Periodic Access Reviews: Ensure that periodic reviews of user access rights are conducted to verify their appropriateness based on current job functions and that remediations are handled promptly
- Termination Remediation: Verify that access rights are promptly revoked when an employee leaves the organization or changes roles.
- Monitoring and Logging: Ensure that all access to financial systems and data is logged and monitored for suspicious activities.
- Authentication Mechanisms: Check that strong authentication mechanisms, such as multi-factor authentication (MFA), are in place to secure access to financial systems and strong password policies are in place
- Audit Trail: Verify that a comprehensive audit trail is maintained for all access changes to financial systems and data.
What Are SOX Access Certification Best Practices?
For SOX access reviews, the recommended best practices for access controls frequency and scope are:
Frequency:
- Quarterly reviews: This is generally considered the gold standard for SOX compliance.
- At minimum, semi-annual reviews: This is often acceptable for lower-risk systems or smaller organizations.
Scope:
- All financially relevant systems and applications
- User accounts with access to sensitive financial data or processes
- Privileged accounts (e.g., admin accounts, service accounts)
- Third-party or vendor accounts
Best practices for the review process include:
- Comprehensive coverage: Review all user accounts, not just a sample.
- Risk-based approach: Focus more attention on high-risk systems and privileged accounts.
- Involvement of business process owners: They should review and certify the appropriateness of access for their area.
- Documentation: Maintain detailed records of the review process, findings, and actions taken.
- Follow-up: Ensure that identified issues are addressed promptly.
- Independence: The reviewer should be independent of the access provisioning process.
- Use of automated tools: Leverage technology to streamline the review process and improve accuracy.
- Alignment with changes: Conduct additional reviews after major organizational changes or system implementations.
- Integration with other processes: Align access reviews with user provisioning/de-provisioning and change management processes.
- Metrics and reporting: Track key metrics (e.g., number of issues identified, time to resolve) and report results to management.
Different job functions have different focus areas and access to data related to a SOX audit:
Executive Leadership:
- Enterprise Resource Planning (ERP) system (high-level access)
- Business Intelligence (BI) tools
- Financial reporting systems
|
Finance/Accounting:
- ERP system (finance modules)
- General ledger software
- Accounts payable/receivable systems
- Financial consolidation tools
- Tax compliance software
|
IT Department:
- Network administration tools
- Database management systems
- Security information and event management (SIEM) tools
|
Human Resources:
- Human Resource Information System (HRIS)
- Payroll processing software
|
Sales/Customer Service:
- Customer Relationship Management (CRM) system
- Order processing system
- Point of Sale (POS) system
|
Procurement:
- Vendor management system
- Contract management system
- ERP system (procurement module)
|
| |
Inventory Management:
- Warehouse Management System (WMS)
- Inventory tracking software
- ERP system (inventory module)
|
|
What Are The Segregation of Duties (SoD) Requirements for SOX?
- Role Definitions: Verify that roles and responsibilities are clearly defined and documented.
- Ensure that critical financial tasks are separated among different employees to prevent fraud and errors.
- Documentation of compensating controls where SoD conflicts cannot be avoided
- Policy Enforcement: Check that SoD policies are enforced through the organization’s systems and processes.
- Review and Approval Processes: Confirm that access requests and changes to roles are reviewed and approved by authorized personnel.
- Conflict Resolution: Document how the organization identifies and resolves SoD conflicts.
How can Clarity Security Help?
Implementation of these kinds of controls isn’t easy! Clarity Security is here to help. If your current process is complex or expensive, let our team show you how we can make meeting complex SOX requirements simple.
