SOX Scorecard 2

This 20-question scorecard, aligned with the sections of the COBIT standard, is designed to help an organization gauge its ability to meet COBIT control objectives that are important in complying with Sarbanes-Oxley Section 404. Each question has four possible responses. If your organization can answer c. or d. to a question, it's likely that you have adequate controls in that area. However, if you choose a. or b., you should consult the COBIT standard and ISO17799 for recommendations for implementation of controls to improve your organization's compliance.

Each answer is assigned a value based on the criticality of the particular issue the question addresses. Critical items that may cause material weaknesses in your financial statements are assigned more significant values. Important items that have may have an adverse effect on your audit but less so than those deemed critical, are weighted to a lesser degree. Advisory items that your organization should address but do not constitute compliance in and of themselves, are weighted the lowest.

How to complete the scorecard
Enter the value associated with each answer in the box after the question and your score will be calculated for you at the end. Bear in mind that an a. or b. answer to a critical question (those that have potential -8 scores) is a failure, regardless of the overall score.

Planning and organization

1. One of the fundamental components of security architecture is an understanding of the importance and sensitivity of information. This allows an organization to determine whether information is adequately protected based on the risk of loss, damage, inaccessibility or exposure. Information classification schemes should specify the value of data and its sensitivity to disclosure. Data catalogues should identify where data is stored, who owns it, who is responsible for caring for it (custodian) and who is authorized to use it.

Does your organization have a data classification scheme and a data dictionary?

1. Organization has no information classification scheme or catalogue of information assets. (-2)
2. Ad hoc scheme exists but no formal documentation. (0)
3. Repeatable but intuitive scheme based on internal knowledge of the organization. (1)
4. Documented process exists. (1)

2. SOX requires a set of checks and balances that are implemented via organizational as well as technological mechanisms. COBIT recommends security officers report directly to high level management and that the following duties be segregated:

Does your organizational structure provide adequate separation of duties?

1. No segregation of duties based on role. (-8)
2. Some segregation, but no formal process. (0)
3. Appropriate separation with some documentation. (6)
4. Formally documented role assignment that is reviewed regularly. (8)

3. Security decisions play an important role in SOX compliance. As such, security decision-makers must have the authority to affect corporate decisions.

Do your security officers report to high-level management?

1. Security management does not exist. (-5)
2. Security management is a shared responsibility for IT operations management. (0)
3. Security management is dedicated but reports to IT. (1)
4. Security management reports to corporate management at the same level as the CIO. (2)

4. Formal security policies, communication of policies and consistent enforcement of policies are critical to running a secure operation. COBIT recommends organizations develop a "framework policy which establishes the organization's overall approach to security and internal control to establish and improve the protection of IT resources and integrity of IT systems."

Does your organization have and maintain a complete set of security policies?

1. No security policies. (-8)
2. Some policies but neither up to date nor comprehensive. (0)
3. Policies for most important issues that affect SOX compliance (e.g., account maintenance, security responsibility, segregation of duties, change control). (6)
4. Full set of up-to-date formal policies and accompanying procedures. (8)

5. SOX requires that organizations be able to provide evidence that they are compliant. This requires an ongoing effort to document and measure compliance continuously. As time goes on, this effort will become part of the everyday operation of all SOX-critical functions.

Does your organization have a program in place to ensure SOX compliance?

1. No established process to produce evidence of compliance. (-8)
2. A one time effort produced past compliance measurements but is not repeatable. (0)
3. A repeatable process but not part of a continuous measurement and improvement process. (6)
4. A formal and continuous program that can provide compliance metrics and status of projects to correct deficiencies. (8)

Acquisition and Implementation

The next phase of the COBIT lifecycle is Acquisition and Implementation. In this phase, organizations need to use well defined processes to ensure that systems and applications are securable, are configured properly and are kept that way, even as bug fixes or software packages change.

6. COBIT specifies that security is an integral part of the requirements for all software that is acquired for an organization.

Are security requirements gathered and documented for all software products to be deployed on all systems that have an impact on financial reporting?

1. Security requirements are not specified. (-3)
2. Security requirements are specified for some products but not consistently. (0)
3. A standard set of requirements is used for all software products but product-specific risks are not always documented and used to derive requirements. (2)
4. Security requirements are documented and used in the selection of all software in the SOX environment. (3)

7. Are SOX-related systems built according to well defined configuration standards that describe the Operating System and application settings required to maintain the security of the applications and services that run on those systems?

1. No built standards; systems are deployed as they come from the supplier. (-8)
2. Ad hoc build approach that is somewhat effective but neither documented nor consistent. (0)
3. Standard intuitive build process with inadequate documentation. (6)
4. Disciplined, well documented build process. (8)

8. Accounting for access (particularly administrative access) to critical systems is an important aspect of SOX compliance. Systems must be configured to capture both administrative and user access, to store the logs for later review and to protect the logs from unauthorized access.

Are SOX-related systems configured to capture logs of administrator and user access?

1. Logging is not enabled. (-8)
2. Logging is enabled but logs do not capture all access and/or logs are written over rapidly. (0)
3. Logging is enabled for all access, and logs are reviewed but not archived. (6)
4. Logging is enabled, logs are reviewed, and logs are archived for one year. (8)

9. Knowing the state of all critical SOX systems and applications is critical to compliance. Change control allows organizations to demonstrate that their state is understood and under control.

Are SOX-related systems (including infrastructure and network) maintained under a strict change control?

1. No change control. (-8)
2. Ad hoc notes regarding changes but no formal process or mechanism. (0)
3. A variety of change control mechanisms are used across various system types, allowing effective, albeit complicated, control of systems. (6)
4. A consistent, well documented, centralized change control system is used throughout the SOX environment. (8)

10. The accreditation process allows organizations to ensure that systems are configured properly and that provisioning and user account management processes and mechanisms are operating effectively. Controlling access to systems and applications involved in financial reporting is one of the most important aspects of SOX compliance.

Are SOX-related systems regularly tested and accredited to ensure that configurations, user accounts and privileges are appropriate and consistent with defined configurations and roles?

1. No regular accreditation process. (-8)
2. Ad hoc accreditation process implemented as a spot check on important systems. (0)
3. Regular testing process that verifies user accounts and system settings but is not documented and/or is not comprehensive. (6)
4. Regular comprehensive, well documented accreditation process with feedback to a remediation process. (8)

Delivery and Support

The Delivery and Support phase of COBIT deals with activities that occur while systems are in production or with systems and services that have an impact on production systems.

11. Does your organization conduct regular security reviews of third-party service providers to determine whether they provide adequate protection of the accuracy, confidentiality and integrity of information and services involved in financial reporting or supporting services?

1. No organized review of third-party services. (-3)
2. Ad hoc review with minimal documented evidence of compliance with corporate standards. (0)
3. Reviews with documented evidence but no formal process for revisiting providers for recertification/accreditation. (2)
4. Regular reviews using a standardized assessment and documented evidence of compliance. (3)

12. SOX requires organizations to control access to critical financial systems and account for all changes both to financial records and to the underlying systems and applications that support them. COBIT requires appropriate strength controls present to prevent unauthorized (and unaccountable) access to data, applications and systems identified in a risk analysis. COBIT and ISO17799 recommend practices such as regular required password changes, strong authentication mechanisms (e.g., tokens, smartcards) and role based access control. Some larger organizations use SOX as a motivation for centralizing identity management and bringing the entire enterprise under tighter control.

Do all systems and applications involved in (or supporting) financial reporting have effective and secure authentication and access control?

1. Systems are configured for authentication, users share accounts and/or are given full rights to the systems and applications that are involved in financial reporting. (-8)
2. Systems are configured once for each user, but there are no additional steps to ensure that duties are appropriately segregated or that interfaces are exposed to unauthorized access. (0)
3. Systems are configured for appropriate strength authentication and no passwords are shared, but these protections are dealt with in an ad hoc manner. (6)
4. Systems and applications use consistently strong authentication and authorization mechanisms that prevent unauthorized access and provide reporting of access rights and account usage. (8)

13. Are user accounts managed in a well defined and timely manner, with appropriate approval workflow through information owners and custodians, logs and documentation, and with appropriate privileges conferred upon users?

1. The organization uses an ad hoc user management approach. (-8)
2. Users are managed in an intuitive manner, but there is little documentation as evidence that proper approvals were received. (0)
3. User management follows appropriately documented approval processes, but the mechanisms differ for various systems. (6)
4. A single centralized account management process and mechanism, with integrated reporting, is used for all SOX related user management. (8)

14. Does your organization conduct regular reviews of user accounts and privileges?

1. Accounts are created and never reviewed. (-8)
2. Accounts are reviewed in an ad hoc manner when systems are maintained, modified or a problem is suspected. (0)
3. Accounts are regularly reviewed by system and application custodians with some input from information owners or managers. (6)
4. Accounts are regularly reviewed through an automated workflow with checks and balances provided by business representatives, system custodians and management. Reports are provided automatically on demand. (8)

15. Does your organization conduct regular security testing of SOX related systems to ensure that configurations are as they should be and the systems remain secure?

1. No testing. (-3)
2. Configuration reviews on an ad hoc basis but no penetration testing. (0)
3. Penetration testing and configuration review on an ad hoc basis. (2)
4. Regular penetration testing and configuration analysis of critical SOX systems. (3)

Monitoring

16. Does your organization manage vulnerabilities and apply remedies in a uniform manner across all SOX related systems?

1. No uniform mechanism exists for tracking vulnerabilities (viruses, system bugs, etc.) and applying patches or remedies. (-3)
2. Organized approach to monitoring vulnerabilities and applying fixes, typically dependent on the administration group and system type. (0)
3. Effective management of vulnerabilities, but not uniform. Implemented by different parties with varying degrees of documentation and reporting. (2)
4. Uniform vulnerability tracking and fix application across the enterprise. (3)

17. SOX compliance is a continuous process, not an annual or quarterly exercise. Auditors will look for integration of compliance processes in day-to-day operations.

Does your organization monitor the effectiveness of the various security (and operational) controls it has implemented for SOX compliance?

1. Compliance is checked as part of an audit. (-3)
2. Controls are checked to determine whether they continue to operate as intended but are not reviewed to check whether they are effective in the changing corporate environment. (0)
3. Controls are reviewed regularly for effectiveness, and changes are scheduled as part of SOX compliance project activities. (2)
4. Controls are reviewed and documented virtually continuously as part of business operations. Improvement of controls is inherent in the operation of the business and IT. (3)

18. COBIT recommends obtaining independent certification/accreditation of security and internal controls prior to implementing critical IT services and requiring re-accreditation periodically during the life of the service.

Does your organization engage third-party experts to review and accredit its processes, designs and IT controls?

1. No independent review. (-3)
2. Some independent review but ad hoc. (0)
3. Independent review of new policies and systems but no re-accreditation. (2)
4. Regular independent review of important policies, systems and applications. (3)

19. Does your organization proactively involve internal Audit prior to finalizing IT plans?

1. Audit is brought in after the design is complete (-1)
2. Audit is consulted but its main impact is after the system is deployed (0)
3. Audit is consulted at multiple points during the design and implementation (1)
4. Audit is a valuable member of the design and deployment team (2)

20. Does your organization consult external experts regarding its compliance with laws and regulations (e.g., SOX and privacy)?

1. No expert legal compliance consultation (-1)
2. Internal legal staff review compliance requirements and effectiveness (0)
3. Some external review of compliance measures and effectiveness (1)
4. Regular independent expert review of compliance effectiveness (2)