SOX, data protection and compliance: Part 2
Security teams can relatively easily monitor and enforce data classification and data handling policies in enterprises and large corporations as we saw in Part 1 yesterday. Depending on how sensitive, specific data sets are, and what regulations apply, data may need to be compressed, encrypted, or saved to a specific format.
When a business has the right policies in place, it can stop unauthorised users from seeing the regulated data, even if they have administrative rights to the system, says Ian McClarty, president at Phoenix NAP LLC.
One of the best solutions includes stopping data egress by storing data on secure IT infrastructure, whether it is a private or public cloud. Other options that are worth the investment are disaster recovery and business continuity solutions, as well as end-point and DDoS protection software.
The list continues, but these are some of the basics to think about when preparing for SOX compliance.
SOX audit and compliance
It is impossible to be SOX compliant without the right security solutions in place. If you do not have written evidence of compliance, it is hard to improve, enforce, and communicate the requested controls. The right security software solution gives supportable evidence that makes your efforts to comply worthwhile.
Make sure to have a software solution so that you have a system to meet compliance requirements in enforcing policies, monitoring data, and logging each user’s actions. When you have this type of evidence, you will have all the compliance proves you need. A software solution can protect your business and data guaranteeing SOX compliance making your next audit a lot easier.
Compliance requirements for SOX
When the Sarbanes-Oxley Act (SOX) was initially passed over ten years ago, many organisations were struggling to fulfill the compliance requirements. Today’s situation is not much better.
SOX Compliance is often seen as an expensive, counterproductive, or time-consuming obligation. If you want to make sure you implement it efficiently, plan of an audit so that you will have an effective and seamless process.
Compliance and data security for SOX
If you have high-level security goals for your data, SOX compliance can be a vital ongoing issue.
Remember, that SOX compliance is more than passing an audit and it can provide you several tangible benefits when they are correctly implemented:
- SOX compliance initiative has allowed 78% of organisations to drive continual improvement with financial reporting
- There has also been moderate and significant improvement for 52% of organisations in internal control over the organisation’s financial reporting since SOX implementation
When it comes to the direct benefits you can have from SOX compliance, they include:
- Identify inefficiencies, superfluous controls, and redundancies and audit your existing IT infrastructure.
- Streamline auditing and reporting processes, reduce costs and increase productivity.
- Manage security risks efficiently and respond promptly in case of a breach.
What are SOX compliance key controls?
Key controls are actions that your business takes to detect fraud or errors within your financial statements. Having a financial review and follow-up activities are also vital in this process, and all departments should review these events and identify critical controls to fulfill documentation requirements to determine:
- That key controls are present
- The key controls are working
- The key controls are documented as well as correctly performed and certified
Documenting key controls
Departments should be required to show documentation that key controls are being regularly used as decided by SAS 12. Since your business’s critical controls need to be documented, you will be able to demonstrate that they have been reviewed and that follow-up activities were done.
All of this documentation needs to be provided to auditors to show so that the key controls have been done. Key controls have the benefit of helping you discover problems or issues that may not be in line with compliance requirements. This also allows you to find the source of the problem and develop a solution in a timely manner.
With ongoing monitoring activities, you can address any issues with an adequate internal control system to guarantee sound business practices that will lessen the risk of incorrect financial information so you can maintain public trust.
In addition to this, a proper segregation of tasks should be included in effective internal controls to avoid having a single person take total control of these activities. Employees that are responsible for completing key controls should not certify their work. This should be done by a department head within the chosen accounting period.
Key controls include the following:
- Overdraft funds review
- Fiscal operations review
- Payroll expense verification
- Ledger transaction verification
- Credit card activity verification
- Physical inventory
- Petty cash and change verification
- Reconciliation of permanent staffing list
- Individual security access
SOX compliance checklist
Every business is different, so there isn’t a universal SOX compliance checklist that is very useful. Yet, there are a few fundamental questions that your business can consider:
- Are we using an accepted framework?
- Have we established policies that develop, change, and maintain an accounting system that includes programs that are handling financial data?
- Do we have safeguards in place to stop tampering with our data? Have we tested these safeguards to make sure they were operational?
- Do we have a protocol that deals with security breaches?
- Are we able to monitor and record access to sensitive data?
- Have we disclosed to auditors any previous failures and breaches and failures of security safeguards?
- Have recent valid SAS 70 been collected?
- In closing
SOX compliance should not be a daunting process, and there are numerous ways of practical implementation. While it is true that there is no a single solution or pattern to comply with the Act, the steps above should be followed by all organisations looking to achieve this. Compliance will result in helping businesses develop sound business and security practices, as well as operate successfully long term.