From the seemingly endless testing of IT controls, to the escalating costs, to the extra burden on limited staff resources, IT professionals know full well the pains of Sarbanes-Oxley (SOX) compliance. SOX Section 404 has been roundly criticized by both IT and business executives for lax guidelines that have bred a checklist approach to assessing companies’ internal controls. This prescriptive approach to auditing has led, in some cases, to serious over-testing of IT general controls, encompassing even those with only peripheral connections to business processes that impact on corporate financial statements—or worse yet, no relationship at all.
Now, organizations have the opportunity to reap the benefits of SOX compliance with far less pain. Thanks to the May 2007 adoption of Auditing Standard No. 5 (AS 5), auditors now have greater authority in making judgments about which IT general controls must be tested.
IT Defense Magazine discussed these SOX developments and how automation can help organizations with their compliance efforts with Ellen Libenson, vice president of product management at Symark Software. Libenson has more than 20 years of experience in product management and communications for hi-tech companies, including Thinque Systems, New Era of Networks, Inc., SeeBeyond Technology Corporation and MAI Systems Corporation.
ITD: What is Auditing Standard No. 5 and why was it adopted?
EL: Auditing Standard No. 5 (AS 5) was adopted in May 2007 to give auditors greater authority in making judgments about which IT general controls must be tested. The SEC collaborated with the Information Systems Audit and Control Association (ISACA), the auditing and control standards of which are followed by practitioners worldwide. This resulted in a new standard which provided more guidance for auditors on how to “size” a SOX audit. They now focus their attention on the controls that relate to processes that should help a company avoid material weaknesses in financial statements. AS 5 followed on the heels of the SEC’s new guidelines for Section 404—which advises companies to hone in on controls that present the greatest risks for impacting their financial reports.
AS 5 takes a complementary, principles-based and top-down approach to risk assessment. This means that auditors have greater authority in making judgments about which systems must be tested, and can focus their attention on the ones that relate to processes that should help a company avoid material weaknesses in financial statements. Such anti-fraud controls are a cornerstone of governance. They support the proper operations of applications and automated calculations for “in-scope” systems. For example, they cover any software programs that eventually contribute data to a company’s financial statements, as well as operating system security, to ensure proper application functionality.
ITD: How does AS 5 benefit an enterprise?
EL: The savings in SOX compliance work and costs can be substantial now that auditors can be guided by their own judgments and scoping methodologies such as the Guide to the Assessment of IT General Controls Scope Based on Risk (GAIT). GAIT was developed by the Institute of Internal Auditors to help organizations identify key IT general controls where a failure might indirectly result in a material error in a financial statement. But to realize these savings—along with the other potential benefits of SOX compliance—companies need to automate their anti-fraud controls. Manual controls are not as effective and they are certainly more time-consuming to test. And while the initial cost of adding new technology and changing processes can be high, the efficiencies gained in other areas will ultimately offset those costs.
ITD: When assessing risk, what areas do auditors typically target?
EL: When it comes to exercising judgment about testing anti-fraud controls, auditors target two areas in the security domain. The first is default user names and passwords in vendors’ products that are never changed or removed (and thus can be used to perpetrate fraud). The second is privileged passwords or accounts such as the administrator or root password that, if freely shared, can give fraudsters the anonymous ability to access an in-scope financial system and change its data or schema, and erase their tracks. These areas are targeted because for auditors, it is all about accountability and the proper identification of users and their activities—and specifically the privileged account users who administer corporate systems.
Compliance is largely about preventing fraud, and if you ask yourself where fraud is most likely to occur, chances are it is in the area of privileged accounts. The people we entrust with systems administration are highly intelligent and highly skilled. If for some reason one of them chooses to access and change or steal data, they certainly have the know-how and the access level to succeed.
ITD: What are the disadvantages to companies that do not have these processes automated?
EL: Auditors who are not satisfied with a company’s anti-fraud IT general controls—whether it is because they are manual or non-existent—may be forced to review back-end processes to see if there is a mitigating control on the business end to catch a fraudulent activity. This includes going through the rigmarole of questioning who has root account access, why and whether they should be using that access in certain ways. Without automation, getting the information to prove compliance in an efficient way is a chore. This can take time, especially if the firm conducting the audit deems that baseline testing by its staff is needed. More time then translates into more billable hours and higher fees. Most auditors will recommend purchasing automated solutions whenever possible, especially if they also audit activity. A system that clearly defines who has what privileges can streamline the testing process and drastically reduce testing costs.
So, for public companies, it is all about proving to auditors that they are effectively managing Windows Administrator passwords and database administrator passwords—as well as the root passwords within UNIX and Linux systems—by automating the provisioning of administrative privileges at a very granular level. It is also important to implement security policies that define role, user or system access restrictions while automatically maintaining an audit trail of administrative user tasks that confirms to auditors that these restrictions are being enforced. In addition, by automatically monitoring logs and generating reports, companies can verify that certain tasks have been performed by authorized administrative users.
ITD: What are the benefits to implementing automated IT controls?
EL: The immediate benefits of AS 5 for companies that have automated their processes to manage all user accounts—including privileged users—and maintain automated logs for tracking their activities are a reduction in the number of controls that are being tested, and more importantly, a reduction in the costs of that testing. But the longer-term benefits of a process-driven approach to SOX will manifest themselves year-round, in automated and more efficient business processes and financial controls. It is vitally important not to view the audit as a dreaded year-end process or evil because if you do, it will always feel that way. Compliance is an ongoing process which usually results in better overall information security for your organization as well.
When administrative root privileges are routinely delegated at a granular level and automatic activity monitoring is integrated into IT processes—and when companies institute security best practices from ISO and the IT Governance Institute—a major SOX compliance burden can be lifted off of IT management. The year-end ritual of coordinating and sitting in on interviews with process owners, gathering screen shots to prove process flow and otherwise answering to the auditors may become a distant memory.
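As an added illustration of the control Libenson describes in her last two answers (granular delegation of privileged tasks plus an audit trail that lets auditors verify who ran what), the script below, which is not from the magazine or from Symark, checks constructed privileged-activity log records against a hypothetical role-based policy and flags out-of-policy commands and sessions that started as the shared root account with no individual behind them. The log format, role names, hosts and commands are all assumptions made for the example.

```python
"""Check constructed privileged-activity log records against a granular delegation policy (hypothetical format and policy; example only)."""
import re
from collections import Counter

# Constructed sample records (not from any real system). The format is
# hypothetical: timestamp, the individual who acted, the account they ran
# as, the host, and the command that was executed.
SAMPLE_LOG = """\
2007-06-01T09:12:03 user=jsmith runas=root host=fin-db01 cmd=/usr/sbin/service oracle restart
2007-06-01T09:40:17 user=jsmith runas=root host=fin-db01 cmd=/usr/bin/vi /etc/passwd
2007-06-01T10:02:55 user=root runas=root host=fin-app02 cmd=/bin/rm -rf /var/log/audit
2007-06-01T10:30:41 user=tlee runas=oracle host=fin-db01 cmd=/opt/oracle/bin/sqlplus / as sysdba
2007-06-01T11:15:09 user=tlee runas=root host=fin-db01 cmd=/bin/cat /var/log/messages
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) runas=(?P<runas>\S+) host=(?P<host>\S+) cmd=(?P<cmd>.*)$")

# Hypothetical policy: each role lists (run-as account, allowed command prefix)
# pairs per host, and each individual is assigned roles. Anything unlisted is denied.
ROLES = {
    "dba": {"fin-db01": [("oracle", "/opt/oracle/bin/sqlplus"),
                         ("root", "/usr/sbin/service oracle")]},
    "ops_readonly": {"fin-db01": [("root", "/bin/cat /var/log/")]},
}
USER_ROLES = {"jsmith": ["dba"], "tlee": ["dba", "ops_readonly"]}

def classify(rec):
    """Return ALLOWED, OUT_OF_POLICY or UNATTRIBUTED for one parsed record."""
    if rec["user"] in ("root", "administrator"):
        # A session that begins as the shared privileged account identifies no individual.
        return "UNATTRIBUTED"
    for role in USER_ROLES.get(rec["user"], []):
        for runas, prefix in ROLES.get(role, {}).get(rec["host"], []):
            if rec["runas"] == runas and rec["cmd"].startswith(prefix):
                return "ALLOWED"
    return "OUT_OF_POLICY"

def audit_report(log_text):
    """Parse every line and return (list of findings, Counter of statuses)."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            findings.append({"ts": None, "user": None, "status": "UNPARSEABLE", "cmd": line})
            continue
        rec = m.groupdict()
        rec["status"] = classify(rec)
        findings.append(rec)
    return findings, Counter(f["status"] for f in findings)
```

Calling `audit_report(SAMPLE_LOG)` on the constructed records yields three allowed actions, one out-of-policy edit of /etc/passwd and one unattributed root session; the status counts are the kind of summary that would go into an auditor's report.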