Sarbanes-Oxley: Ensuring Integrity for Financial Reporting
The Sarbanes-Oxley Act (SOX) is a U.S. federal law enacted in 2002 to help prevent corporate accounting scandals by requiring publicly-traded companies to meet a set of consistent accounting and auditing requirements. SOX was issued in response to accounting scandals such as those at Enron, Tyco International and WorldCom, and establishes an accounting oversight board that mandates the following for public companies and public accounting firms:
New internal financial controls
Enhanced auditor independence to prevent conflicts of interest
Executive responsibility for financial accuracy and reporting integrity
SOX provides significant non-compliance penalties for publicly-traded companies and public accounting firms. Although privately-held companies are currently exempt from this regulation, many organizations are implementing SOX-compliant controls in anticipation of further, more universal legislation. In addition, many other countries such as Japan have either enacted laws similar to SOX, or are currently considering them at the federal level.
The SOX Compliance Business Challenge
Sections 302 and 404 of SOX - sometimes referred to as the "IT sections" - require an internal control framework and reporting procedure to ensure:
Accurate financial disclosure
Periodic evaluation of internal control effectiveness
An internal financial control report
Management affirmation of their responsibility for all of the above
Implementing, documenting and testing internal financial controls, especially those that tie directly to technology, requires an enormous effort. To assess the effectiveness of these controls, the actual flow of transactions through the financial reporting system must be captured and analyzed to identify the points at which material financial misstatements could arise. Data collection and analysis must consider access control, system configuration and many other aspects of financial reporting systems. When gaps are discovered, they must be addressed quickly, efficiently and effectively.
SecureVue: Comprehensive SOX Compliance Auditing
Control frameworks - formalized systems for implementing and measuring IT procedures - can provide organizations with specific standards for meeting the complex regulatory requirements of standards like SOX. One such framework, the Control Objectives for Information and Related Technology (COBIT) framework, has been readily adopted by many corporations and auditors to help establish and maintain SOX Sections 302 and 404 controls.
While over three hundred control objectives comprise the entire COBIT framework, the Public Company Accounting Oversight Board (PCAOB) has identified a smaller subset of twelve IT control objectives that are within the scope of SOX compliance. To support each of these SOX-related control objectives, the SecureVue unified threat and compliance (UTC) automation platform integrates security information and event management (SIEM) and compliance automation to help organizations ensure SOX compliance. By collecting, archiving, correlating and analyzing all of the security data required for secure financial reporting - logs and events, known vulnerabilities, configuration and asset data, performance metrics, and network flow data - SecureVue provides automated, end-to-end correlation of data to quickly assess SOX compliance, identify compliance gaps, and initiate remediation.
eIQ's SecureVue security, risk and audit management platform combines security information and event management (SIEM) and compliance automation to help organizations fully address SOX. SecureVue contains over 250 reports mapped to individual sections of the COBIT framework, and also contains a comprehensive compliance library - with over 2,500 technical and functional controls - that enables organizations to define, monitor and measure COBIT and SOX system configuration compliance.