The Sarbanes-Oxley Act (SOX) is primarily associated with business transparency and the use of accounting and financial controls to protect investors from fraudulent financial reporting. However, it is always important to remember the ever-increasing pivotal role cybersecurity plays in SOX as digitization continues to accelerate and cybersecurity threats, financial reporting, and auditors intersect.
After all, financial data is sensitive and the financial industry has seen increasing attacks from threat actors in 2020, increasing by 238% in 2020 alone.
Additionally, the 2021 Gartner Hot Spots report names cyber vulnerabilities as a primary area of risk that auditors need to address, stating that the threat has been further amplified by “large-scale remote work.”
With regulators taking these new and emerging threats to investors into consideration, companies and auditors need to be aware of evolving requirements to keep up with SOX compliance and cybersecurity practices to protect themselves from risks like these.
Even companies that do not operate in the US or engage with US clients should take note as SOX is becoming increasingly global, with the UK Financial Reporting Council (FRC) working on a UK equivalent.
Read on to find out what you need to do to achieve Sarbanes-Oxley compliance using cybersecurity controls.
What is SOX Compliance?
The Sarbanes-Oxley Act was introduced in the US in 2002. Congressmen Paul Sarbanes and Michael Oxley merged compliance law to improve corporate governance and accountability. This was done as a response to some of the big financial scandals that took place in previous years.
The details of SOX compliance are complex. SOX compliance refers to annual audits that take place at publicly traded companies, within which they are required by law to show evidence of accurate and secure financial reporting.
These companies are required to comply with SOX both financially and IT. IT departments were affected by SOX as the Act changed the way corporate electronic records were stored and handled.
SOX’s internal security controls require data security practices and processes and complete visibility into interactions with financial records over time. Failure to comply with SOX is a serious matter, often resulting in large fines or potentially imprisonment for those responsible for the organization.
Who must comply with SOX compliance?
All publicly traded companies in the US must comply with the SOX, as well as any wholly-owned subsidiaries and foreign companies that are publicly traded and do business with the US.
Any accounting firms that are auditing firms bound by SOX compliance are also, by proxy, required to comply. Other companies, including private and non-profits, are generally not required to comply with SOX, although adhering to it is good corporate governance practice.
There are reasons other than good business sense to comply with SOX even if your company is not listed on a stock exchange. SOX has some articles that state that if any company knowingly destroys or falsified financial data, it can be punished according to the law.
Companies planning to go public, perhaps through an IPO (Initial Public Offering), should prepare to commit to SOX.
What are the benefits of SOX compliance?
SOX provides the framework companies need to follow to better manage their financial records, which in turn improves many other aspects of the company.
Companies that comply with SOX report that their finances are more predictable, which makes shareholders happy. Companies also report that they have easier access to capital markets due to improved financial reporting.
By implementing SOX, companies are safer from cyberattacks and the costly consequences of a data breach. Data breaches are difficult to manage and remediate, and companies may never recover from the damage to their brands.
SOX compliance builds a cohesive internal team and improves communication between teams involved in audits. The benefits of a company-wide program like SOX can have other tangible effects on the company – such as better communication and cross-functional cooperation.
In short, the benefits of SOX compliance are:
- A reinforced control environment
- Improved documentation
- Greater involvement of the Audit Committee
- Convergence opportunities
- Standardized processes
- Reduced complexity
- Minimization of human error
What is the role of cyber security in SOX?
Companies need to remember that the scope of SOX only includes financial controls and therefore testing is limited to financial applications, servers, operating systems and databases within the scope of production.
There are many other servers and devices not reviewed for SOX compliance that could be compromised and in turn affect financial reporting. Thus, it is critical to take a holistic approach to security and internal audit that includes prevention, detection, and corrective controls to address cybersecurity risks.
Initially, internal auditors should incorporate cyber risks into their annual audit risk assessments and should interview key cybersecurity officials during the process. Now that boards are asking more questions about cyber risk and mitigation efforts, there is value in scheduling these meetings even more frequently.
Once cyber risks are identified and controls are designed, it is important to base your organization’s cyber and SOX controls with a cybersecurity framework such as those provided in the NIST Cybersecurity Framework to test and monitor the effectiveness of mitigation efforts.
The IT controls that companies review in SOX can be used across other applications and IT environments to strengthen their cybersecurity posture, including:
- Using least privilege for access control.
- Change network, application, firewall, database, and operating system administrator passwords regularly.
- Password controls.
- Restrict service accounts to only those with necessary privileges.
- Segregation of Duties in Change Management and Access Modification.
- App access review and certification.
- Change management procedures.
- Backup Procedures.
For direct evidence of SOX, companies must complete a SOX cybersecurity memorandum annually and consider additional controls. A cybersecurity memo should be completed by both internal and external IT auditors to assess how prepared the company is for a cyberattack.
These discussions often lead to how a company’s IT security and internal audit groups can benefit from each other. Based on the cyber discussions, obvious design gaps should be addressed, including issues such as limited cyber resources, lack of cyber risk assessment, lack of cyber maturity framework, poor cyber policies and procedures, inadequate cyber training, and understanding of the current state of the world. cyber program.
Disaster recovery is also starting to appear as a key SOX control, despite being historically seen as a corrective control and later outside the scope of SOX. The addition of this control includes additional focus on whether companies can recover their in-scope financial applications in the event of a cyberattack.
How to conduct a cybersecurity controls audit on SOX?
Auditing a company’s internal security controls is often the largest, most complex, and time-consuming part of a SOX compliance audit. This is because internal controls include all of the company’s IT assets such as workstations, hardware, software, and all other electronic devices that can access financial data.
SOX IT audits are focused on the following key areas:
Risk assessment and materiality analysis
Your organization needs to do a rigorous risk assessment that takes into account cybersecurity risks that fall under SOX. This approach will require cybersecurity expertise on audit teams and should also include executive and board-level information to help determine your organization’s definition of “material” cybersecurity risk.
To ensure you are covering a large number of bases, cybersecurity best practices recommend that you perform cybersecurity risk management using common frameworks like NIST and COSO to help you through the process.
When carrying out risk assessments, auditors should always examine how comprehensive and well-documented they are, as risk assessments are one of the key spheres that regulators and supervisory bodies will examine.
Fraud risk assessment
Make sure your organization has performed a thorough risk assessment for potential fraud activity to help with early detection and fraud prevention. The internal controls you are implementing should help prevent fraud and mitigate material impacts if they occur.
Implementing cybersecurity controls
After performing a risk assessment in which you have identified the cybersecurity risks, policies, and control solutions needed to comply with SOX, your company must implement these controls following industry standards.
Again, cybersecurity best practices recommend using a trusted framework such as the NIST Cybersecurity Framework (NIST CSF) as a foundation for designing Cyber SOX controls when starting to build a control environment.
Part of the implementation process will be training control owners on the purposes and reasons for controls and how they should communicate if a control fails or requires adjustment due to changes in the environment.
Monitoring and testing controls
Organizations should monitor and test the security controls they have implemented, performing periodic self-assessments, attestations, and other self-certifications. Audit teams can be a valuable resource in assessing the effectiveness of management programs and even provide practical, actionable areas to improve resilience if trained with this in mind.
It is important that you are regularly testing controls and continually monitoring the security of your own infrastructure and that of your vendors to prevent and prevent data breaches, data leaks and cyber threats. Having an understanding of log management is important in this process.
It is important that staff and auditors are familiar with the SOX disclosure requirements, knowing the correct forms of communication and the steps needed to make timely and appropriate disclosure in the event of something like a data breach.
Defining communication guidelines and who needs to be informed is a key part of incident response preparation.
What are the penalties for non-compliance with the SOX?
Being deemed non-SOX compliant can include penalties such as:
- Removal of public stock exchanges.
- Invalidation of civil liability insurance policies for directors and executives (D&O).
There are a number of sections that outline the penalties for being found to be non-compliant with SOX, such as:
- Section 906, where filing and certifying a misleading or fraudulent financial report can incur fines of up to $5 million and result in a criminal penalty of 20 years in prison.
- Section 802, where altering, falsifying, destroying or concealing financial records, documents or tangible objects to obstruct, impede or influence legal investigations can incur penalties of up to 20 years in prison. It also carries a penalty of up to 10 years in prison for accountants, auditors or others who deliberately violate the requirements of maintaining all audit or review papers for a period of 5 years.
- Section 806, where whistleblower complaints are protected from retaliation, further authorizes the US Department of Justice to criminally prosecute employers who retaliate against the respective individuals.
For IT departments and executives, SOX compliance is an important ongoing concern. However, SOX compliance is more than just passing an audit. This aspect involves defining data governance processes and procedures and a series of tangible benefits for your business.
According to a 2019 survey:
- 57% of organizations benefit from improved internal controls over the financial reporting framework.
- 51% have an improved understanding of control design and the operational effectiveness of the control.
- 47% saw continuous improvement of business processes.
What are the key SOX compliance challenges for cybersecurity?
One of the biggest challenges is privileged users, who are often important and trusted company employees – the kind that don’t like to be questioned for potential fraudulent activity. To lessen the likelihood of this kind of necessary and uncomfortable questioning, IT departments often manage privileges by restricting and segregating them. Unfortunately, by restricting admin permissions, organizations are indirectly limiting productivity.
Monitoring privileged user database access is difficult, as the monitored users themselves often have the credentials needed to “beat the system” by deleting fraudulent logs they do not want to be seen. Again, however, restricting these credentials undermines efficiency, as administrators often use the database’s logging capabilities as a debug mechanism.
Another difficulty involves the need to audit access failures, whether they are invalid login attempts or unsuccessful attempts to retrieve privileged files. Either way, these types of activities are possible warning signs of fraudulent activity and must be tracked to satisfy SOX’s audit controls.
Additional challenges include monitoring schema modifications to ensure the veracity of the data structures being audited and monitoring privilege changes to maintain visibility into the user directory. It is also important to audit access to sensitive data tables and systems, such as SQL server events.
Other obstacles preventing SOX compliance for IT systems include insufficient database logs, ineffective data reporting, and poor event alerts.
The need to replay events by identifying key happenings in audit trails, archiving each event for future audits, ensuring the security of audit logs, producing scheduled reports for auditors, and being constantly aware of potential warnings of fraudulent activity (such as repeated login attempts failure) makes life more difficult for IT administrators.
Privileged Access Management as a solution to SOX Compliance
Muitos, senão todos os controles gerais de TI da SOX estão associados ao gerenciamento de acesso. Por exemplo, se a configuração de um aplicativo fizer parte de um controle de TI, saber quem fez a configuração (até o ponto de auditoria) é essencial para manter fortes controles.
A pessoa que configura os aplicativos e sistemas é um usuário privilegiado e possui acesso administrativo ao sistema. A partir dessa posição privilegiada, ela pode adicionar, editar ou excluir contas ou alterar configurações que afetam as transações financeiras.
Por exemplo, pode haver controle sobre quem pode lançar ativos no balanço patrimonial. Se esse controle puder ser manipulado sem o conhecimento de ninguém, os dados financeiros poderão ser corrompidos, e isso pode ser não intencional ou deliberado. Esta é uma receita para fraudes graves.
Many if not all of SOX’s general IT controls are associated with access management. For example, if the configuration of an application is part of an IT control, knowing who did the configuration (up to the point of auditing) is critical to maintaining strong controls.
The person who configures the applications and systems is a privileged user and has administrative access to the system. From this privileged position, the employee can add, edit or delete accounts or change settings that affect financial transactions.
For example, there may be control over who can post assets on the balance sheet. If this control can be manipulated without anyone’s knowledge, financial data could be corrupted, and this could be unintentional or deliberate. This is a recipe for serious fraud.
Companies that do not manage access well face some problems. In addition to an increased risk of cybersecurity breaches, there is also the likelihood that the SOX auditor will deem IT controls inappropriate.
A PAM (Privileged Access Management) solution provides a secure and simplified way to authorize and monitor all privileged users for sensitive systems, including systems involved in financial reporting.
PAM grants and revokes privileges to users for systems on which they are authorized. In addition, the solution centrally and quickly manages access to the type of heterogeneous systems that handle financial transactions and reports (e.g. General Ledger, ERP, Billing, banking APIs and others.)
The PAM solution creates an unalterable audit trail for any privileged operation. This feature facilitates the SOX evidence and audit process.
Benefits of the senhasegura solution for SOX compliance
We offer a PAM solution to achieve SOX compliance in the IT department and beyond.
The senhasegura solution combines robust PAM features with unique ease of installation and use. An agentless architecture simplifies deployment and ongoing changes, while other PAM solutions require the installation of a dedicated software agent on each system where privileged access is being managed.
Ease of use and installation provide major benefits for SOX compliance. The Act has the potential to constrain agility if controls are too tight and IT needs to be able to modify systems to keep up with business changes.
The senhasegura solution reinforces the internal controls and reporting requirements necessary for SOX compliance, going far beyond simply meeting the rules to implement an “inside-out” security approach to become part of your organization’s DNA.
For more information on how the senhasegura solution can help your company achieve SOX compliance, request a demo!