The Nov. 15 deadline for Sarbanes-Oxley (SOX) compliance is on more than a few executive officers' minds these days. Knowing that your company's CEO and CFO can go to prison for failure to adequately protect company financial information is a great motivator for an increase in both attention and funding from the boardroom.
I don't think there were too many security professionals who heard about Sarbanes-Oxley while it was being debated in Congress. It wasn't on anybody's radar screens, nor did people pay much attention to it when it was signed into law. Out of nowhere, security became a must. The problem is that there is now a mandate to make sure you have acceptable security, but you have no idea how to do it or where to start. This has created a rash of pre-audit audits, and that is for the lucky companies.
This should be a good thing; for a change, security is a priority for management. There is little that management can now do to deny security funding deemed necessary by their auditors. So you now have to decide what actions to take.
A pre-audit to make sure you perform acceptably for the formal audit is a great way to start. Even if you have a good security program in place, there may be deficiencies that never occurred to you. These deficiencies can result from small policy or procedural issues that you never thought of before.
It would be great if all SOX audits could be consistent from one audit firm to another, or at least within an audit firm. Unfortunately, the interpretation and implementation of SOX regulation varies greatly. Examples include differing views of appropriate password policies, such as changing passwords every 90 days compared to every 60 days. Some firms may want to see special characters in passwords, while others believe that alphanumeric passwords are sufficient. Established audit firms realize this and should create a well-defined audit plan. However, because each firm generally considers its methodology proprietary, there will be differences in the audits from one firm to another. There should not, however, be significant differences, so a good pre-audit should take care of most of your issues, and the actual audit firm should incorporate the pre-audit findings into its own, assuming the pre-audit was performed by a legitimate organization.
Remember that an audit is an audit. The purpose of a SOX audit is to ensure regulatory compliance -- not to help you have better security. The purpose of a pre-audit is to pass the actual one. Most important is that your management understands this and ensures you have everything you need to pass.
Get your act together, and tell management that you need a good pre-audit performed. Make sure that you use a good firm that goes beyond a typical SOX audit to help provide recommendations for security beyond your financial systems. Take the results to your management to justify any required funding to "become compliant." Make sure you document your efforts. Make sure you mention to your management that if the pre-audit is well documented and well performed, the results can be used during the actual SOX audit and lower its cost. Additionally, the pre-audit is performed by people that you theoretically have more control over; the actual audit is more of an adversarial process.
SOX audits are now a fact of life. You can let them control your security program, or you can become proactive and you can take control. Use SOX as a justification to get the funding you need. SOX audits will be performed every year. Accept it as a fact of life, and figure out how to use it for your benefit.
About the author
Ira Winkler, CISSP, CISM has almost 20 years of experience in the intelligence and security fields, and has consulted to many of the largest corporations in the world. He is also author of the forthcoming book, Spies Among Us.