Technology Trends & Management Consulting

April 11, 2007

Sarbanes-Oxley Act (SOX) Audit Requirements

The Sarbanes-Oxley Act (SOX), passed in 2002, spells out requirements for internal controls. Some organizations have turned to the standards published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). These do not, however, provide specific guidelines for organizations that deal with databases, a key area of concern for SOX compliance; instead they provide an excellent conceptual architecture on which organizations can build a compliant IT control framework for the enterprise. Others are relying upon the best practices set forth by COBIT (Control Objectives for Information and related Technology) and ITIL (Information Technology Infrastructure Library). However, these frameworks are incomplete with regard to the concerns set forth under SOX relating to databases. Databases are at the center of the SOX control issue. Ensuring effective controls over database activity—writes, deletes, changes, and administration—is absolutely crucial to maintaining data integrity. Control must also extend to server and mainframe applications and to unstructured data. Meeting SOX compliance centers on four areas: audit trails, segregation of duties, change control, and patch management.

Audit Trails

Companies need to be able to answer who changed a record, who deleted a record, and who changed a schema, with particular detailed attention to privileged users. These audit logs are usually a normal by-product of most database and application tools. There needs to be a process to regularly review the logs for patterns and to store them for at least 5 years.

Segregation of Duties

The Information Systems Audit and Control Association (ISACA) has issued guidelines calling for IT organizations to assign clear job roles and functions, and to assign database and system permissions according to those roles and functions. Please refer to www.isaca.org and the publication titled Control Objectives for Sarbanes-Oxley 2nd Edition for additional detail.   

Change Control

Organizations need to document changes to their technical environment, and adoption of ITIL’s Change and Release Management processes plays a crucial role in satisfying this area.

Patch Management

Applications and associated databases should be patched on a predefined schedule that takes into account the peak usage periods for these systems, while providing substantial review of the patches with adequate testing. Other internal controls over financial reporting (ICoFR) that relate to database auditing include:

  • Network access should be limited only to certain defined systems (via strong firewall and IP restrictions).

  • Unnecessary service access should be blocked at the network access device.  This would be satisfied by “hardened” proxy servers.

  • Frequent review of user accounts and passwords should regularly verify that all permissions reflect actual user roles and responsibilities.  This has given rise to a number of products associated with Identity Management (IM) and Network Access Control (NAC).

These reviews should be performed several times a year, in alignment with HR systems and general identity management solutions.

  • Financial transactions are properly recorded by authorized users
  • Data has not been compromised by unauthorized or authorized means
  • All changes to the financial data are monitored

Achieving these controls presents IT managers with the challenge of auditing (and maintaining an audit history) for a variety of SOX-related activity, including all:

  • privileged user activity
  • changes to user privileges
  • failed login attempts
  • logical access failures
  • database schema changes
  • direct data access events
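To show what the periodic audit-log review described under Audit Trails looks like in practice, here is an added example (not from the original post) that classifies database audit-log lines into the six activity categories listed above. The log format, the account names and the set of privileged accounts are all constructed assumptions for the example.

```python
import re
from collections import Counter

# Assumed log format (constructed for this example, not a vendor format):
# <timestamp> user=<name> action=<ACTION> object=<name> status=<OK|FAIL>
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
                     r"object=(?P<object>\S+) status=(?P<status>OK|FAIL)$")

# Assumed privileged (DBA) accounts; in practice taken from the role register.
PRIVILEGED = {"dba_admin"}
SCHEMA_ACTIONS = {"CREATE", "ALTER", "DROP"}
PRIVILEGE_ACTIONS = {"GRANT", "REVOKE"}
DATA_ACTIONS = {"SELECT", "INSERT", "UPDATE", "DELETE"}

def classify(line):
    """Return the set of SOX review categories (from the list above) a line hits."""
    m = LINE_RE.match(line)
    if not m:
        return {"unparsed"}  # surface unparsed lines; never silently drop them
    ev = m.groupdict()
    cats = set()
    if ev["user"] in PRIVILEGED:
        cats.add("privileged user activity")
    if ev["action"] in PRIVILEGE_ACTIONS:
        cats.add("changes to user privileges")
    if ev["status"] == "FAIL":
        cats.add("failed login attempts" if ev["action"] == "LOGIN"
                 else "logical access failures")
    if ev["action"] in SCHEMA_ACTIONS:
        cats.add("database schema changes")
    if ev["action"] in DATA_ACTIONS and ev["status"] == "OK":
        cats.add("direct data access events")
    return cats

def review_summary(lines):
    """Event count per category, as input to the periodic pattern review."""
    counts = Counter()
    for line in lines:
        counts.update(classify(line))
    return counts

SAMPLE_LOG = [  # constructed sample audit lines
    "2007-04-11T09:00:01 user=jsmith action=LOGIN object=finance_db status=FAIL",
    "2007-04-11T09:05:00 user=jsmith action=UPDATE object=gl_entries status=OK",
    "2007-04-11T10:00:00 user=dba_admin action=ALTER object=gl_entries status=OK",
    "2007-04-11T10:01:00 user=dba_admin action=GRANT object=rpt_role status=OK",
    "2007-04-11T11:00:00 user=temp01 action=DELETE object=gl_entries status=FAIL",
]
```

Running review_summary(SAMPLE_LOG) gives per-category counts; a line that matches no category, or that fails to parse, still shows up so the reviewer can see gaps in what is being logged.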


April 9, 2007

ISO 20000 Background, Audit, and Assessment (Plan-Do-Check-Act)

Filed under: ISO 20000, ITIL — Daniel Ruggles @ 4:00 pm

ISO 20000 is based upon an original pair of documents, BS15000-1/2, which were published in 2002 and 2003 respectively. ISO 20000 is the international standard for IT Service Management and comprises two parts: ISO/IEC 20000-1 and ISO/IEC 20000-2. ISO 20000-1 is the ‘Specification for Service Management’, and it is this part against which an organization is certified. ISO 20000-2 is the ‘Code of Practice for Service Management’, and describes best practices and the requirements of Part 1.

ITIL is the process-defined framework for IT operations. ISO 20000-2 is the code of practice built on top of ITIL-tailored processes. ISO 20000-1 is the specification for ITSM that facilitates the audit. The framework has been harmonized with other international standards and embraces the familiar PDCA (Plan-Do-Check-Act) cycle.

Managed services illustrated in the diagram (plan-check-do-act.pdf) could be internal IT services or externally supplied services. Aligning processes and procedures is accomplished in the planning and implementation phase. The methodology, known as Plan-Do-Check-Act (PDCA), can be applied to all processes, as follows:

  • Plan: Establish the objectives and processes necessary to deliver results in accordance with customer requirements and the organization’s policies.
  • Do: Implement the processes.
  • Check: Monitor and measure processes and services against policies, objectives and requirements, and report the results.
  • Act: Take actions on the differences and continually improve process performance.

Multiple service management plans may be used in place of one large plan or program. Where this is the case, the underlying service management processes should be consistent with each other. It should also be possible to demonstrate how each process and requirement is managed by linking it to the corresponding roles, responsibilities and procedures. ISO 20000 section 4.3 (monitoring, measuring and reviewing) states that in order to identify these process areas and improve upon them, a regular audit program must be planned. Users also need to take into consideration the status and importance of the processes and areas to be audited, as well as the results of previous audits. The audit criteria, scope, frequency and methods must be defined in a procedure. The selection of auditors and conduct of audits must ensure objectivity and impartiality of the audit process. Auditors must not audit their own work. Any significant areas of noncompliance or concern should be communicated to relevant parties and corrective action taken.

Scope creep

As organizations change and grow, the scope of the services provided under the ISO 20000 standard expands. However, organizations often fail to expand their certification activities to cover the new services. This is known as an “extension to scope.” It can be addressed by following the rules set forth in section 7.2. ISO 20000 section 7.2 (business relationship) requires the service provider and customer to attend a review to discuss any changes to the scope, service-level agreement, contract (if present) or the business needs at least annually, and to hold interim meetings at agreed intervals to discuss performance, achievements, issues and action plans. These meetings shall be documented.

Not everything is recorded or measured

According to ISO 20000 section 4.3 (monitoring, measuring and reviewing), the organization must apply suitable methods for monitoring and, where applicable, measuring service management processes. These methods must demonstrate the suitability of the processes to achieve planned results. Management must then conduct reviews at planned intervals to determine whether the service management requirements:

  • Conform to the service management plan and to the requirements of this standard;
  • Are effectively implemented and maintained.

Additionally, under section 4.4.2 (management improvements), all suggested service improvements shall be assessed, recorded, prioritized and authorized. The service provider must have a process in place to identify, measure, report and manage improvement activities on an ongoing basis.
