SOX: Inspired by Toxic Business Practices, Is It the Key to Better Business?
It's based on business accountability, and has been called an IT challenge and a boon to business. Scandals and theft inspired the Sarbanes-Oxley Act in 2002 (SOX), and although it was business executives who made the mess, Information Technology (IT) professionals have a large role to play in cleaning it up. Lawmakers' main goal in putting the Sarbanes-Oxley Act in place was to restore trust in U.S. financial markets by forcing publicly-traded companies to vouch for the reliability of financial data. Investors, of course, want reliable information to guide their investment strategies. But what does it take to provide the assurances they need to feel confident about the companies that they invest in? Because most information, financial and otherwise, is now electronic, SOX provides a metaphoric "kick in the pants," and encourages companies to take a fresh look at all their data assets. Doing so determines not just how they are used and treated, but also what the data's overall value will be in a world where those with the best data practices will succeed.
Though not to be minimized, SOX is a small part of the organizational imperatives that drive the governance of data. In that sense, management's overall attitude towards data directly impacts how successful the company will be when it comes to meeting SOX requirements. After the initial wailing and gnashing of teeth during SOX's introductory phase, public companies fell into one of two broad categories vis-a-vis their approach to compliance.
The first group took a "check box" approach, focusing on financial systems and processes in order to compartmentalize the work that needed to be done. If the auditors were happy, they were happy.
The second group took a broader stance. They viewed SOX as a clarion call, in concert with other regulations such as the California SB 1386, Basil II and the Payment Card Industry Data Security Standard, to gain better control over their new most valuable asset - data. The latter group saw SOX as an opportunity to improve overall IT process and controls.
It is this viewpoint--SOX as an opportunity to improve overall IT process and controls--that has led SOX to become the catalyst for a new way of looking at data for both corporate governance and IT practices, which will have an impact far beyond complying with just one regulation. And for those who looked at the challenges of regulation through the right lens, a reality began to emerge - though the varied regulations seemed to demand specific operational or technical specifics, the underlying goals and processes are remarkably similar.
It is safe to say that SOX has had a tremendous effect on how companies view and manage data. As noted, it has inspired companies to think long and hard about data and its governance, and how compliance can result in a significant competitive advantage. An effective data governance strategy has an upside far beyond SOX compliance. Forward-thinking companies are crafting data governance frameworks that form the basis for a rational and logical compliance and data protection strategy that will accommodate a myriad of regulations, as well as a changing information security environment. These same governance programs not only provide improved control over one of businesses' greatest and most valuable assets - information - but can provide critical insight into the use of those assets. This insight could ultimately translate into powerful competitive advantages for companies that know how to leverage it.
It is not surprising that the successful dot-com companies have learned before most that data is their true unique corporate asset and that wringing every possible drop of value from that data was deeply instilled from the beginning. But what about long-established companies that recognize their formerly hard-goods value (e.g. inventory, equipment, buildings) is now in electronic form? For them, SOX, et al. are the catalysts, or the "kicks in the pants," that are waking them up to the new reality and the new game of business. But recognition is only that. How can awareness of the need to protect and leverage data transition into operational realities? SOX compliance isn't a bad place to start.
SOX Compliance and the Elephant: Where to Start?
In an old proverb, a man given the task of eating an elephant asks the sage how he can possibly accomplish this. The answer: "one bite at a time." When it comes to IT controls, SOX section 404 is an important and large bite of the elephant. SOX section 404 demands that companies evaluate the adequacy of internal controls for financial reporting, institute new controls as needed, and perform and report on an assessment of these controls each year. Organizations must also demonstrate that appropriate controls are in place. What SOX does not provide is precise guidance on what internal controls are needed or how those controls can be established. This disconnect between what the law calls for and what it actually takes to deliver on the mandated controls has been the genesis of some very interesting interactions between the groups tasked with signing off on the controls - the auditors and the IT staff. Many have discovered that to eat this elephant, companies have to progress one bite at a time.
So where is your auditor coming from? According to the US Securities and Exchange Commission (SEC), the Public Company Accounting Oversight Board (PCAOB) has defined the process in a document called Auditing Standard No. 2. This standard requires management to base its 404 assessment on "a suitable, recognized control framework established by a body of experts that followed due process procedures." This same group recommends the framework created by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO mandates that a company's management set control objectives, identify events that can cause substantial negative consequences and therefore impacts shareholder value and assess risk associated with those events. But, again, COSO does not provide guidance for putting IT controls into place. This is where many organizations turn to CobIT as a framework for implementing IT governance and audit control.
Similar to COSO, CobIT has a pre-compliance history. CobIT, or Control Objectives for Information and Related Technology, was created by the IT Governance Institute in 1996 long before SOX came into play. In literature describing the latest version, 4.0, CobIT is described as "an IT Governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risk." It goes on to say that "CobIT organizes IT activities into a generally accepted process model, identifies IT resources to be leveraged and defines the management objectives to be considered." With that said, there are some who believe that CobIT actually complicates the process of SOX 404 compliance. The truth is that there is no easy answer, no one-size-fits-all for SOX 404 compliance, but at least there are frameworks to help organizations get started. And it is these same frameworks, along with other notables such as ISO 27001, 17799:2005 and the work of industry groups like the IBM sponsored Data Governance Council, that form the basis for more global, economical and manageable data governance practices, providing a platform for companies to benefit from the new era of data-based business.
IT Controls for SOX 404: The Biggest Challenges
Frameworks can act as generic thinking tools. It is for the individual organization to identify both the risks and opportunities available to them, and take the actions that are correct for them. One area of commonality that has emerged is a recognition that all companies share as a potential Achilles Heel - the "privileged user." It is the privileged user who holds the greatest potential for good and evil. As a result, many companies have come to understand that solving the privileged user SOX problem is one of the most effective ways to take the first bite of the elephant. Because of its generality, examining the resolution of this problem provides an object lesson in the benefits that can accompany SOX compliance.
Different from the ordinary user who accesses data for limited and defined reasons, the nature of a privileged user's data interaction is ad hoc, undefined and critical. And so, from a regulator's perspective, are the risks. As any IT professional knows, full-access-credential users create a challenge because they not only have the ability to access information regulated by SOX and other regulations, but they also have the ability to alter it and then cover their tracks. Privileged users are highly valued and trusted workers who are critical to a smooth-running data environment. The first letter in CobIT stands for "control" - but can privileged users be controlled? If you limit their access privileges can they still do their job? The answer that has been dawning on stakeholders, auditors, business owners and IT personnel is "no." However, the problem persists. Auditors need proof of the integrity of regulated data and a privileged user's stellar reputation alone does not suffice. So, as a result, many organizations are curtailing DBA privileges because they see no other course of action. Obviously, this is not an ideal solution.
As SOX compliance has matured, so has its interpretations. One such interpretation is that restricting privileged users is counterproductive, but that monitoring their behavior is not. Auditors have now recognized this special class of high-value data users and have created new activity monitoring-based metrics to satisfy the requirements.
In response, many organizations are evaluating and deploying database activity auditing tools that can monitor the activities of privileged users like DBAs and system administrators, as well as provide audit trails and reports to auditors. Not surprisingly, privileged user monitoring has become the primary objective of many SOX compliance projects that are underway.
Monitoring a privileged user is now a recognized alternative to controlling that user and satisfies a nagging problem posed by SOX - but is there a bigger arena for such monitoring? The answer is a resounding, "yes!" If the goal of data governance is to both protect and leverage data, then the prerequisite to any data governance initiative is first and foremost to know what is actually happening to the data. Without this insight, it is impossible to identify risk and value; it is impossible to be compliant with regulation; and, it is impossible to extract and build on the intrinsic value of the data - the lifeblood of an organization. Deployed on an enterprise basis, across all users and applications, data activity auditing thus provides an invaluable knowledge base for using that data to its greatest value for all involved: employees, customers, partners and stockholders.
The lesson, then, is that while SOX has been viewed by some as an expensive exercise with little measurable ROI, many others have woken up to the reality that SOX is just asking us to take the first steps necessary to prepare for a new data-based economy. Companies that understand this fully and incorporate it into their world views, will be in a unique position to rise to the top. Those who don't may sink.
About the Author
Marv Goldschmitt, vice president of business development for Tizor, has served as senior management in the technology sector for more than 25 years and has chaired the software industry's first major committee on software security. He is also the author of several innovative papers on bringing early-stage technology products to market. Tizor provides the world's largest companies with the only data auditing and protection solutions that can monitor and report on all critical data activity across the enterprise - including databases, file servers, and mainframe applications - for compliance assurance, data protection and theft detection.
© Copyright 2007 Auerbach Publications.