Compliance with Sarbanes-Oxley is notoriously difficult, resource-intensive, and expensive. In one survey, 58% of enterprise organizations reported spending over $1 million per annum on compliance, including internal controls and audits. While the costs can be significantly lower for many other companies, SOX is rarely cheap or simple.
Compliance managers and IT security professionals need tools to simplify meeting SOX requirements, particularly with data integrity and monitoring. If you're curious whether file integrity monitoring is specifically required by SOX, the answer is a bit complex. Join us as we review exactly where file integrity monitoring fits into the SOX guidelines. We'll also examine the relationship between the Control Objectives for Information and Related Technologies (COBIT) framework and file monitoring, for organizations considering the use of ISACA's best practices framework for governance and compliance.
What is SOX?
The Sarbanes-Oxley Act of 2002, also known as SOX or the Public Company Accounting Reform and Investor Protection Act, is federal law. It establishes accountability around financial and accounting operations. Organizations required to comply include U.S.-based companies with a public board and public accounting firms.
Major sections of the SOX Act specifically address:
302: Corporate Responsibility for Financial Reports
This section is focused on designating responsibility within the corporate structure. Based on the language of Section 302, the CEO and CFO are both responsible for:
- Reviewing of financial reports,
- Avoiding misrepresentation in financial reports,
- Fairly presenting information in reporting,
- Internal accounting controls,
- Reporting of accounting control deficiency or fraud, and
- Reporting of changes in accounting controls.
404: Management Assessment of Internal Controls
All financial reports must include an internal control report, which includes a control structure assessment by senior management. Registered external auditors must also evaluate the accuracy of internal controls.
409: Real-Time Issuer Disclosures
This section designates the requirement for regular disclosure of changes in financial condition or operations.
902 & 906: Attempts & Conspiracies to Commit Fraud Offenses
Based on the language of these requirements, it is a criminal offense to alter information in reporting. It is also criminal to interfere with information availability requirements. Criminal penalties for certifying fraudulent reports can include up to $5 million in fines and 20 years in prison.
What Does SOX Say About File Integrity Monitoring?
While SOX Section 404 dictates several forms of "internal control" over reporting, there is a lack of specific detail on what organizations should implement. The guidelines' language specifies "performing fraud risk assessment" and preventing "management override of controls," but does not designate the tools or means organizations should use to achieve these ends.
As a result, SOX guidelines have shaped the COBIT framework, a set of guidelines for organizations that need to "comply with increasing regulatory compliance demands and [reap] the benefits of managing risk effectively". This complementary framework provides more insight into the types of controls against management intervention and fraud to support organizations' compliance efforts.
What Does COBIT Say About File Integrity Monitoring?
The modern-day COBIT framework is designed to provide a "robust and systematic approach" for IT organizations with compliance requirements. The most recent versions of COBIT address "enablers" to a comprehensive framework, which include:
- Principles, policies, and frameworks;
- Organizational structures;
- Culture, ethics, and behavior;
- Services, infrastructure, and applications; and
- People, skills, and competencies.
In addition, the COBIT framework also specifically speaks to a "life cycle dimension" which includes the following aspects:
- Evaluation and monitoring; and
- Update and disposal.
Neither COBIT nor SOX specifically addresses file integrity monitoring in exact language. However, SOX places the specific responsibility on the shoulders of leadership to ensure total data accuracy in reporting. This is an incredibly complex requirement, especially given the volume of data that organizations are responsible for and the complexity of modern IT networks.
Simply put, neither COBIT nor SOX specifically demands that organizations acquire file integrity monitoring. However, they point to a fair number of requirements that are closely tied to sophisticated FIM, including:
- Reporting on internal control structures (SOX 404),
- Internal controls (SOX 302),
- Supporting applications (COBIT enablers), and
- Evaluation and monitoring (COBIT lifecycle).
For modern finance and organizational leaders, file integrity monitoring software can support initiatives to ensure data quality, protect against management intervention and fraud, and actively maintain compliance 24/7/365.
How File Integrity Monitoring Supports SOX Compliance
SOX demands near real-time acknowledgement of "changes," which requires applications and tools that support situational knowledge of your data and processes. CimTrak provides real-time insight into your organization's network, user roles, and data to provide a constant situational understanding that your data is protected from fraud or theft.
With alerts that inform whether changes are positive, negative, or neutral, organizations can verify that their assets are not subject to unauthorized access or modification. In addition, with the assistance of built-in integrity with unalterable audit trails, CEOs and CFOs can engage in reporting without the threat of insider abuse or information modification.
The right file integrity monitoring software can enable organizations to understand the status of their critical files and databases 24/7/365. Software administrators and reporting managers can quickly assess and remediate real-time access to ensure that data integrity is protected in accordance with SOX requirements.
July 5, 2016