What is SOX Compliance?
The Sarbanes-Oxley Act (SOX) defines the requirements for the integrity of source data related to financial transactions and disclosures. SOX Section 404 requires implementation of technical controls and continuous access auditing to assure the reliability of data related to financial transactions. In order to establish internal controls, public companies look to implement frameworks like COSO, CobiT, ISO and more. Imperva provides enterprise-ready solutions which enable companies to conduct risk assessments, validate configurations, audit changes that impact financial data and streamline compliance processes.
SOX Compliance Requirements
Following are the key requirements of the SOX regulation:
- Senior management responsibility – financial reports filed with the Securities and Exchange Commission (SEC) are the direct responsibility of the CEO and CFO of a publicly-traded company. These senior officials face severe criminal penalties, including prison time, for violations.
- Internal Control Report – SOX requires a report demonstrating that management is responsible for the internal control structure related to financial records. Any flaws must be reported to senior management immediately to ensure transparency.
- Data security policies – SOX requires companies to maintain a formal data security policy that adequately protects the use and storage of financial data. The SOX data policy should be communicated to all employees, and consistently implemented.
- Proof of compliance – SOX requires companies to maintain compliance documentation, provide it to auditors when needed, continually perform SOX testing, and monitor and measure SOX compliance objectives.
What Are SOX Controls?
SOX security controls are measures put in place by companies in order to identify and prevent errors or inaccuracies, whether intentional or unintentional, in financial reporting. These controls must be applied for all business processes and cycles related to financial reporting or financial results.
To be SOX compliant, companies must record, test, maintain, and regularly review controls for financial report management. Internal auditors must perform regular compliance audits to ensure controls are consistent with SOX requirements.
The objective of these controls is to guarantee the accuracy of financial statements, protect investors from fraud, and improve responsibility taken by corporate leadership.
In addition to SOX controls, the US government has created the Public Company Accounting Oversight Board (PCAOB), a non-profit organization that ensures the integrity of financial audits performed on behalf of public companies.
SOX Audits
SOX compliance audits are performed once a year by independent auditors. Before an audit occurs, the company is responsible for finding and hiring auditors and arranging all necessary meetings.
To avoid conflicts of interest, SOX audits must be separated from other internal audits conducted by the company. Because the standard requires that audit results are easily available to shareholders, it is advisable to schedule the audit a sufficient time prior to the publishing of annual reports, so that results can be included in the reports.
A typical SOX audit involves:
- An initial meeting between management and auditors, to determine the scope and timeline of the audit.
- A review of the company’s financials, checking financial statements for any inaccuracies. A variance of more than 5% will require closer investigation.
- A review of personnel, with interviews to ensure that duties match job descriptions and that staff have the appropriate training to accurately and safely process financial data.
6 Steps to Automating SOX Controls and Preventing Unauthorized Changes
1. Evaluate SOX Internal Controls and Assess Risk
Internal controls evaluation and risk assessment should be the first steps in an IT SOX compliance project. Internal policies and secure configurations need to be defined either using custom policies or industry standards. The assessment should cover applications, databases and file systems to identify vulnerabilities and compliance gaps.
2. Audit Changes that Impact Regulated Data
All changes that impact financial transactions must be audited. This includes privileged changes to data (DML – Data Modification Language: Insert, Update, Delete), data containers (DDL – Data Definition Language: Create, Alter, Drop) as well as changes to user rights over regulated data (DCL – Data Control Language: Grant, Revoke). To effectively analyze incidents the audit trail must provide complete details about the ‘Who?’, ‘What?’, ‘When?’, ‘Where?’ and ‘How?’ of each regulated event.
3. Protect Financial Data from Unauthorized and Fraudulent Activities
Abnormal activities can be identified through deviations from observed ‘normal’ behavior. Suspicious activities that may indicate fraud should be alerted on or blocked. Unauthorized activities which violate access policies should be thoroughly reviewed using audit reports and analytical tools which support forensic investigations.
4. Access Management and Elimination of Excessive Rights
User access to source financial data needs to be tightly controlled to reduce the risk of security breaches. Centralized user rights management automates reporting on user access rights, supports review and approval processes, identifies users with excessive rights and reduces costs associated with access control management.
5. Implement an Automated Repeatable Audit Process
Effective implementation of SOX control processes requires making them repeatable. Centralized management of audit and assessment of heterogeneous systems streamlines the execution of these processes. Automation with SOX compliance tools reduces the amount of resources required to maintain ongoing SOX compliance and can provide a positive return on investment.
6. Enforce Separation of Duties and Enable Auditor Independence
To verify separation of duties, it is important to certify that individuals do not have privileges that allow them to both complete and conceal fraudulent activities. It is also critical that privileged users do not have privileges over auditing solutions, as they may abuse these privileges to tamper with the integrity of the audit trail.
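The following is an added example (not Imperva's code or any product's API) that applies steps 2 and 6 to a constructed database audit trail: each event is classified as DML, DDL or DCL, checked for the "Who, What, When, Where, How" fields the audit trail must carry, and flagged when a change is made to the audit store itself. The field names, the ledger and audit_log objects, and the sample records are assumptions made up for this illustration.

```python
"""Completeness and separation-of-duties checks over a database audit trail."""
from collections import Counter

# Statement classes as listed in step 2, keyed by the leading SQL verb.
STATEMENT_CLASS = {
    "INSERT": "DML", "UPDATE": "DML", "DELETE": "DML",
    "CREATE": "DDL", "ALTER": "DDL", "DROP": "DDL",
    "GRANT": "DCL", "REVOKE": "DCL",
}
# Who / What / When / Where / How: every regulated event must carry all of these.
REQUIRED = ("user", "object", "sql", "ts", "src_ip", "client")
# Objects that hold the audit trail itself (assumed name for this example).
AUDIT_OBJECTS = {"audit_log"}

def classify(sql):
    """Return DML, DDL, DCL, or OTHER for a statement, based on its first keyword."""
    words = sql.strip().split(None, 1)
    return STATEMENT_CLASS.get(words[0].upper(), "OTHER") if words else "OTHER"

def review(events):
    """Return (counts by class, findings) for a list of audit-record dicts.

    A finding is (event index, kind, detail). Incomplete records are reported
    and not counted, since they cannot support an investigation.
    """
    counts, findings = Counter(), []
    for i, ev in enumerate(events):
        missing = [f for f in REQUIRED if not ev.get(f)]
        if missing:
            findings.append((i, "incomplete", ",".join(missing)))
            continue
        cls = classify(ev["sql"])
        counts[cls] += 1
        # Step 6: any change to the audit store is a potential tampering event,
        # regardless of how privileged the account is.
        if ev["object"] in AUDIT_OBJECTS and cls != "OTHER":
            findings.append((i, "audit_tamper", ev["user"]))
    return counts, findings

EVENTS = [  # constructed sample records, not real audit data
    {"user": "app_svc", "object": "ledger", "sql": "INSERT INTO ledger VALUES (1, 250.00)",
     "ts": "2024-03-01T09:00:00Z", "src_ip": "10.0.1.5", "client": "erp-web"},
    {"user": "dba", "object": "ledger", "sql": "ALTER TABLE ledger ADD COLUMN memo text",
     "ts": "2024-03-01T09:05:00Z", "src_ip": "10.0.2.9", "client": "psql"},
    {"user": "dba", "object": "ledger", "sql": "GRANT UPDATE ON ledger TO analyst",
     "ts": "2024-03-01T09:06:00Z", "src_ip": "10.0.2.9", "client": "psql"},
    {"user": "dba", "object": "audit_log", "sql": "DELETE FROM audit_log WHERE ts < now()",
     "ts": "2024-03-01T09:07:00Z", "src_ip": "10.0.2.9", "client": "psql"},
    {"user": "", "object": "ledger", "sql": "UPDATE ledger SET amount = 0",
     "ts": "2024-03-01T09:08:00Z", "src_ip": "", "client": "psql"},
]

if __name__ == "__main__":
    print(review(EVENTS))
```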
SOX Compliance with Imperva
Imperva protects all cloud-based data stores to assist compliance with SOX and other standards, and preserves the agility and cost benefits you get from your cloud investments.
Cloud Data Security – Simplify securing your cloud databases to catch up and keep up with DevOps. Imperva’s solution enables cloud-managed services users to rapidly gain visibility and control of cloud data.
Database Security – Imperva delivers analytics, protection and response across your data assets, on-premise and in the cloud – giving you the risk visibility to prevent data breaches and avoid compliance incidents. Integrate with any database to gain instant visibility, implement universal policies, and speed time to value.
Data Risk Analysis – Automate the detection of non-compliant, risky, or malicious data access behavior across all of your databases enterprise-wide to accelerate remediation.