Sarbanes-Oxley (SOX) compliance—it’s like checking for holes in your favorite pair, but with consequences beyond public embarrassment. For publicly traded companies, the ordeal is a bit like income tax preparation for the rest of us: a painful, time-consuming evil that—if not carried out judiciously—may result in penalties and fines. Throw in an additional bonus of prison time for good measure, if you’re a C-level executive and discrepancies are found on your watch. Yes, the SEC is serious about SOX compliance, and you should be, too—especially if you’re in IT.
Wait, IT? you ponder. I thought this was a problem for corporate bean counters and number crunchers?
Well, ask yourself this: who’s in charge of the underlying financial and accounting systems churning out the statements and reports under audit? IT is indeed on the hook.
The SOX Compliance Audit
Companies under audit need to demonstrate that their IT systems, policies, and controls are effective in achieving compliance. They must also explain how they generated the figures being reported, and demonstrate how said figures can be validated. In this study by KPMG, IT control issues accounted for a startling 23% of deficiencies and material weaknesses. Since the majority of compliance issues are IT systems-related, auditors consider the IT department low-hanging fruit for finding problems and errors.
Auditors may meet with the CIO, CTO, and/or IT staff to gain insight into how the IT systems are secured and monitored. They may also want to know who has access to these systems, and what other dependencies exist that may potentially impact the ability to deliver accurate financial reporting. To validate claims made by IT, auditors require documentation proving that the control systems are indeed within regulatory compliance parameters.
Interestingly, the SEC provides no concrete guidelines on what SOX compliance entails. Auditors instead defer to the Control Objectives for Information and Related Technology (COBIT)-- a framework created by the Information Systems Audit and Control Association (ISACA) for IT governance and regulatory compliance.
COBIT contains guidelines for designing and implementing IT control policies and procedures, and is used by most publicly-traded companies as a framework for SOX compliance. So while SOX doesn’t provide any specific details on how to comply with regulations, implementing COBIT can suffice in showing auditors that the proper frameworks are in place for monitoring, controlling, and mitigating risks in the IT environment.
Using UpGuard and COBIT for SOX Compliance
COBIT 5 (the latest version of the framework) splits its 37 IT-related practices and activities into into 2 areas: governance and management.
Within these two areas are 5 domains of processes:
Evaluate, Direct, and Monitor (EDM)
Align, Plan and Organise (APO)
Build, Acquire and Implement (BAI)
Deliver, Service and Support (DSS)
Monitor, Evaluate and Assess (MEA)
UpGuard can be easily implemented to serve the processes within these domains, especially for BAI, DSS and MEA. The following are just a few examples of COBIT adherence with UpGuard in selected domains.
BUILD, ACQUIRE, IMPLEMENT (BAI)
BAI encompasses building schedules and deliverables, as well as creating basic system builds. Security controls, policies, and supporting documents are created based on identified threats, vulnerabilities, and risk. To this end, understanding the current state of your systems is key-- UpGuard helps by extending visibility into the configurations of all your servers and devices. This is the initial step to bringing your environment under control: identifying the current state of your systems and differences, if any, from the desired state.
BAI06 (Manage Changes), BAI07 (Manage Change Acceptance and Transitioning), and BAI10 (Manage Configurations)
Monitoring and managing configuration changes is what UpGuard is all about.
After defining a desired state to be achieved, this “golden image” can be compared with other nodes in the environment to address/resolve any detected configuration drift. In the scenario depicted above, UpGuard has identified configuration differences between nodes A and B.
BAI03 (Manage Solutions Identification and Build)
Once the desired state of the environment and systems has been determined and differences in configurations have been resolved, policies can then be exported for use with the automation tool of your choice.
BAI10 (Manage Configurations)
UpGuard makes managing your environment easier through features like comprehensive monitoring. Jobs like system scans can be scheduled to run on a regular basis.
For example, a scan can be scheduled to run every hour to check for deviations from policies.
DELIVER, SERVICE, AND SUPPORT (DSS)
This domain covers the actual delivery of required services--including service delivery, management of security/continuity, and management of data and operational facilities, among others.
DSS04 (Manage Continuity) and DSS05 (Manage Security Services)
UpGuard can be used for ensuring IT services continuity and security by exposing areas that require configuration hardening. This actionable information can then in turn be used to bring systems back in line with security requirements. Permissions policies can be scheduled for verification on a regular basis.
When new vulnerabilities are announced, UpGuard can locate all nodes that require remediation automatically. Fast, comprehensive threat assessment is just one click away.
Finally, UpGuard simplifies validating all these compliance efforts with proper reporting. All monitoring activity is captured and can be exported at a moment’s notice to CSV or PDF, giving firms the ability to deliver documentation immediately upon an auditor’s request.
In short, COBIT offers a coherent, attainable framework for reaching SOX compliance. Though the SEC may be murky in details regarding IT compliance, COBIT is relatively clear in its guidance on meeting compliance rules; subsequently, it’s the most widely implemented standard for SOX compliance. Using UpGuard to satisfy COBIT requirements is the shortest path to gaining SOX auditor confidence that internal controls are in place and have been assessed and verified.