Compliance with the Sarbanes-Oxley Act (SOX) is a major part of today's corporate culture. The threat of non-compliance, its financial headaches, and worse yet, the spectre of legal penalties to the highest levels of a corporation, appear to have achieved one of the Act's goals. Organizations take compliance very seriously.
Not surprisingly, this pressure on corporate executives flows downhill and projects a significant burden on finance departments and IT. However, while corporate finance groups may have a relatively easy time understanding the checks, balances and documentation required to prove accurate accounting, they do not typically understand the impact of IT controls on these activities. Worse yet, the rank and file of IT departments typically do not deeply involve themselves in corporate business practices, instead focusing on the operation of systems rather than their role in accurate reporting. The disjoint nature of the two disciplines is counter to the requirements of SOX. Both IT and corporate finance need to work together to ensure and demonstrate that financial, corporate and technological controls work effectively to provide accurate financial reporting.
One of the most important elements of SOX compliance is providing evidence that the financial applications and supporting systems and services are adequately secured to ensure that financial reports can be trusted. This places a special burden on IT security departments. They need to understand which systems, services and processes need to be controlled, which aspects of security are most critical to compliance and what it takes to demonstrate that their company is in compliance.
This article provides a brief introduction to dealing with the challenges that face IT security, including:
Step 1: Understanding compliance -- Financial and technical standards
Step 2: Scope of compliance
Step 3: Establishing an IT Control Framework
Step 4: Detailed objectives and policies
Step 5: Measuring compliance
Step 6: Managing and tracking compliance
Step 7: The changing nature of compliance
This was first published in February 2006