The Business Forum

"It is impossible for ideas to compete in the marketplace if no forum for
  their presentation is provided or available."         Thomas Mann, 1896


The Joy of SOX

Contributed by: Cybertrust, Inc.

Introduction

OVERVIEW — THE ORIGINS OF SARBANES-OXLEY

In 2002, the US Congress passed into law the Public Company Accounting Reform and Investor Protection Act (PL 170-204), also known as the Sarbanes-Oxley Act (SOX). Its purpose was to stabilize the US markets in the wake of the enormous corporate scandals — Enron, WorldCom, HealthSouth, and the like — that cost investors millions of dollars and had a devastating impact on the US economy. Congress designed the Act to revise corporate governance procedures for publicly-traded companies, particularly the verification of the accuracy of earnings information and the disclosure of financial reporting. It also established the personal responsibility of CEOs, CFOs and other senior directors and officers of these organizations for the accuracy of this information. This will raise consumer confidence and allow them to make reasoned decisions when investing.

Sarbanes-Oxley affects all publicly-traded companies in the US, and foreign filers in US markets. It is a fairly broad and far-reaching regulation, containing a variety of fraud protection provisions, including requirements for auditor independence, the rotation of public accountant partners every five years, appropriate uses of non-GAAP financial measures, and protection for corporate whistleblowers, but the provisions that most companies are concerned with are under sections 302 and 404.

DISCLOSURE AND INTERNAL CONTROLS

Sections 302 and 404 represent the lion’s share of the work that a public company must perform when preparing for SOX compliance, and the manner in which the company and its public accounting firm must report to the SEC.

Section 302 governs the preparation of financial reports. It reads:

Section 302
Corporate Responsibility For Financial Reports

(a) REGULATIONS REQUIRED — The Commission shall, by rule, require, for each company filing periodic reports under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 USC. 78m, 78o(d)), that the principal executive officer or officers and the principal financial officer or officers, or persons performing similar functions, certify in each annual or quarterly report filed or submitted under either such section of such Act that —

(1) the signing officer has reviewed the report;

(2) based on the officer’s knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading;

(3) based on such officer’s knowledge, the financial statements, and other financial information included in the report, fairly present in all material respects the financial condition and results of operations of the issuer as of, and for, the periods presented in the report;

(4) the signing officers —

(A) are responsible for establishing and maintaining internal controls;

(B) have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared;

(C) have evaluated the effectiveness of the issuer’s internal controls as of a date within 90 days prior to the report; and

(D) have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date;

(5) the signing officers have disclosed to the issuer’s auditors and the audit committee of the board of directors (or persons fulfilling the equivalent function) —

(A) all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer’s ability to record, process, summarize, and report financial data and have identified for the issuer’s auditors any material weaknesses in internal controls; and

(B) any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls; and

(6) the signing officers have indicated in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.

(b) FOREIGN REINCORPORATION HAS NO EFFECT — Nothing in this section 302 shall be interpreted or applied in any way to allow any issuer to lessen the legal force of the statement required under this section 302, by an issuer having reincorporated or having engaged in any other transaction that resulted in the transfer of the corporate domicile or offices of the issuer from inside the United States to outside of the United States.

(c) DEADLINE — The rules required by subsection (a) shall be effective not later than 30 days after the date of enactment of this Act.

Section 302 requires the public company to make its assertion that controls in place are appropriate and that there are no errors, omissions, or misstatements in its disclosure. Both the public company’s officers and the public accounting firm must attest to the accuracy of the reporting. Should significant deficiencies or material weakness exist in the company’s internal controls, that information must be included in the disclosure. The signing officer for the public company asserts that the financial reporting is a fair and accurate representation of fact and in no way misleading.

In support of Section 302, Section 404 governs the management of the internal controls around the company’s financial data and reporting. It reads:

Section 404
Management Assessment Of Internal Controls

(a) RULES REQUIRED — The Commission shall prescribe rules requiring each annual report required by section 13 of the Securities Exchange Act of 1934 (15 USC. 78m) to contain an internal control report, which shall —

(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

(b) INTERNAL CONTROL EVALUATION AND REPORTING — With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.

Section 404 requires the public company’s management to take an active role in creating and maintaining the internal control structure that governs financial reporting, and to report on the status of internal controls in its annual report. Once again, the public accounting firm must attest to the fairness and accuracy of management’s assessment. Section 404 is the most labor-intensive section of the Sarbanes-Oxley regulation. Public companies will most likely spend as much time and effort in preparing for 404 compliance as they do on the annual financial audit.

Clearly, heavy interpretation is required to map out a compliance strategy. SOX mandates the use of a publicly-vetted internal control framework to establish a control structure appropriate for compliance, and specifically references the COSO[1] framework, but does not mandate it as the only allowable framework. Public companies are free to use any framework that is publicly available, generally recognized, and thoroughly vetted by recognized organizations. Options include the COCO framework from Canada, and other in-country standards such as KonTrag from Germany, the Turnbull report from the UK, and the King report from South Africa.

US-based organizations, however, should be wary of using a framework other than COSO, for two reasons. First, the public company must be prepared to justify the choice of another framework, because COSO is specifically referenced by SOX. Using another framework will automatically raise the question, not only from the public accounting firm, but perhaps from the SEC as well. Second, a US auditor is unlikely to be as familiar with a foreign standard as with the COSO framework.

Use of the COSO framework is the simplest and most logical choice for the vast majority of US public companies.

COSO refers to the Committee of Sponsoring Organizations, which sponsored the Treadway Commission; the commission dates back to the 1980s and the aftermath of the junk bond era. The Treadway Commission was formed to evaluate and correct fraud in US business, fostering ethical financial management and reporting. Its members include accounting and auditing organizations such as the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA), and the American Accounting Association (AAA). Together they have created and maintained the internal control framework for decades.

The five components of the COSO framework which govern the management of internal controls relevant to SOX are:

Control Environment - COSO refers to this as “the tone at the top” of the organization, including concepts such as integrity, ethical values, management style, and operating style, as well as the practicalities of board and audit committee oversight. This encompasses corporate philosophies about the management of internal control, and associated risk assessments. How the organization manages and identifies the risks as they relate to business objectives and how the organization can develop a strategy to mitigate those risks are key ideas included in this element.

Risk Assessment - the company must identify the relevant risks to the organization, and determine control measures appropriate to mitigate those risks. Risk assessment will be performed in two stages by most companies, first at the enterprise level and then for the IT environment. Risks identified within the IT organization may or may not directly impact the company’s financials; those identified as having a direct impact must be documented and presented to management as possible sources of deficiency.

Control Activities - these are the policies and standard operating procedures that are created as a direct result of the risk assessment to drive the company’s mitigation strategy. Control activities should include general controls over information systems as well as specific application controls that ensure the accurate and timely processing of transactions.

Information and Communication - when performing its risk assessment, management must consider the flow of information within the company and the appropriate communication channels that facilitate that flow. The internal control structure must support a flow of information that allows employees to carry out their duties in a timely manner. The IT department supports communication, and in most companies fully supports the preparation and production of financial reporting.

[1] The current COSO framework for internal control management was published in 1992. It is still considered current. In early 2004, a draft of the new COSO Enterprise Risk Assessment Model (ERAM) was made publicly available. COSO ERAM is an enterprise-level risk management framework. It does not supersede the 1992 document, and when final, will most likely absorb it. The majority of public companies currently preparing for SOX compliance will use the 1992 document, as it is more germane to SOX compliance.

Monitoring - the IT organization is also responsible for monitoring the effectiveness of controls in place in the live production environment. Security incidents and events that may impact the company’s financial position must be evaluated to determine whether or not they represent a potential deficiency in the internal control structure. Monitoring activity within the corporate computing environment may be performed on a continuous basis, through a series of independent assessments, or a combination of the two, at the discretion of management.

The COSO framework provides guidance for management to establish an internal control structure for the public company, but it does not contain any criteria specific to information security. COSO is not intuitive; most public companies will require additional interpretation when applying the framework to their control environments.

Two information security standards have emerged as the leaders in the US for the interpretation of the COSO framework — Control Objectives for Information Technology (COBIT) and the BS ISO/IEC 17799 (ISO 17799). COBIT is a product of the audit community; it is managed by ISACA and therefore a very popular standard with the public accounting firms. Most of the lead auditors performing SOX compliance consulting and auditing will be familiar with COBIT. In practice, however, only the largest and most disciplined organizations manage to COBIT on a day-to-day basis. For many publicly-traded companies, COBIT will not be an appropriate standard to work with; for some it may even be overkill. ISO 17799, on the other hand, has been steadily gaining popularity in the US in the past few years and is widely regarded as a practical and achievable information security standard. For some publicly-traded companies, ISO 17799 will be a much easier and more practical tool to assist them in meeting compliance objectives and their auditors and consultants will certainly view it as an acceptable standard to work with. SOX itself does not mandate the use of any particular security standard to interpret COSO; that decision is made entirely at the discretion of management.

MATERIAL WEAKNESS AND IT

The key to section 404 is material weakness. The public company must fully disclose any material weakness that affects the internal controls over the financial data and/or the production of financial reporting. SOX uses the formal accounting definition of material weakness; generally accepted accounting principles (GAAP) and generally accepted auditing standards (GAAS) apply. In formal terms, material weakness is defined[2] as

a significant deficiency in one or more of the internal control components that alone or in the aggregate precludes the entity’s internal control from reducing to an appropriately low level the risk that material misstatements in the financial statements will not be prevented or detected on a timely basis.

Significant deficiency is defined as

an internal control deficiency that could adversely affect the entity’s ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements. A significant deficiency could arise from a single deficiency or an aggregation of deficiencies.

[2] Source: BDO Seidman “Financial Reporting Newsletter” May 2004

Essentially, the financial auditor examines its public company client, looking for deficiencies in the target environment. When such deficiencies are found, the auditor will determine the degree to which the deficiency affects the public company, and generally treat it according to the following:

Deficiency - a finding to be brought to the attention of the public company, with minimal corrective effort required, and no further action on the part of the auditor

Significant Deficiency - a finding to be brought to the attention of the public company, with immediate corrective action required; disclosure and follow-up required by the auditor

Material Weakness - a reportable condition, representing imminent loss or damage to the public company; immediate corrective action required; disclosure and follow-up required by the auditor

A deficiency, even if minimal at first, can become significant or material depending upon circumstances within the environment. Severity of the deficiency is determined solely at the discretion of the financial auditor. The public company can appeal an auditor’s decision to classify a deficiency as significant or material, but the auditor is still required to report the finding.

In general, deficiencies are associated with an organization’s business processes and procedures.

Failure by the organization to appropriately segregate duties is often considered a deficiency. If, for example, accounts payable and accounts receivable functions are performed by a single employee, or wire transfers are generated and approved by a single employee, a financial auditor would find the organization deficient. Another common deficiency in many organizations is the failure to classify and “tag” property and equipment. If:

  • Employees are not required to sign out portable equipment such as laptops, projectors, and miscellaneous peripherals

  • Portable equipment is not formally assigned to individual personnel

  • Employees are not required to sign out documents such as contracts and other organizational records

  • Standard sales contracts are not routinely reviewed, leading to untimely recognition of revenue

the auditor would most likely find the organization deficient.
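The segregation-of-duties deficiencies above can be checked mechanically at two levels: who is entitled to a conflicting pair of functions (design of the control), and whether anyone actually created and approved the same wire (operating effectiveness). This is an added example, not code from the paper or from Cybertrust; the entitlement table, the conflict pairs and the wire-transfer log format are constructed sample data.

```python
"""Segregation-of-duties checks for the deficiencies described in the paper.
Added example; entitlements, conflict pairs and log lines are constructed."""
import re

# Function pairs one person should never hold together (constructed from the
# paper's examples: AP vs AR, and creating vs approving wire transfers).
CONFLICTING_FUNCTIONS = [
    ("ACCOUNTS_PAYABLE", "ACCOUNTS_RECEIVABLE"),
    ("WIRE_CREATE", "WIRE_APPROVE"),
]

# Constructed entitlement table: user -> set of financial functions granted.
ENTITLEMENTS = {
    "alice": {"ACCOUNTS_PAYABLE", "WIRE_CREATE"},
    "bob": {"ACCOUNTS_RECEIVABLE", "WIRE_APPROVE"},
    "carol": {"ACCOUNTS_PAYABLE", "ACCOUNTS_RECEIVABLE"},  # AP and AR in one person
    "dave": {"WIRE_CREATE", "WIRE_APPROVE"},              # can approve own wires
}

# Constructed application log, one event per line (hypothetical format).
WIRE_LOG = """\
2004-05-03T09:12:00 wire=W-1001 action=create user=alice amount=48000
2004-05-03T10:05:41 wire=W-1001 action=approve user=bob amount=48000
2004-05-04T14:30:12 wire=W-1002 action=create user=dave amount=125000
2004-05-04T14:31:07 wire=W-1002 action=approve user=dave amount=125000
2004-05-05T08:02:55 wire=W-1003 action=create user=alice amount=9800
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) wire=(?P<wire>\S+) action=(?P<action>\w+) user=(?P<user>\w+)"
)


def entitlement_conflicts(entitlements, conflicts=CONFLICTING_FUNCTIONS):
    """Design-level check: which users are entitled to a toxic combination.

    Returns sorted (user, function_a, function_b) tuples."""
    found = []
    for user, funcs in entitlements.items():
        for a, b in conflicts:
            if a in funcs and b in funcs:
                found.append((user, a, b))
    return sorted(found)


def parse_wire_log(text):
    """Parse the constructed log into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def _creators_and_approvers(events):
    creators, approvers = {}, {}
    for e in events:
        if e["action"] == "create":
            creators[e["wire"]] = e["user"]
        elif e["action"] == "approve":
            approvers[e["wire"]] = e["user"]
    return creators, approvers


def self_approved_wires(events):
    """Operating-effectiveness check: wires whose creator and approver are the
    same person, i.e. the control was actually bypassed, not merely bypassable."""
    creators, approvers = _creators_and_approvers(events)
    return sorted(w for w, u in approvers.items() if creators.get(w) == u)


def unapproved_wires(events):
    """Wires created but never approved; an auditor will ask about these too."""
    creators, approvers = _creators_and_approvers(events)
    return sorted(w for w in creators if w not in approvers)


if __name__ == "__main__":
    evts = parse_wire_log(WIRE_LOG)
    print("Entitled to conflicting functions:", entitlement_conflicts(ENTITLEMENTS))
    print("Self-approved wires:", self_approved_wires(evts))
    print("Awaiting approval:", unapproved_wires(evts))
```

Carol and Dave show up in the entitlement check, but only Dave has exercised the conflict, which is the finding the auditor will treat as a control failure rather than a design gap.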

Based upon the auditor’s findings, management of the public company must determine the impact of any deficiencies on the company’s ability to produce accurate financial statements. Should a control fail, is a misstatement possible? Is it probable? Bear in mind that SOX does not make a distinction between deliberate or accidental action in this regard — whether an employee makes an honest error or a hacker attacks, for example, a failure of the controls that leads to the exposure of the financial data to alteration or harm will be viewed as equal by the company’s financial auditors and by Federal examiners.

Until recently, IT has not been considered a source of accounting or financial reporting material weakness in publicly-traded companies; most auditors and examiners were focused on accounting practices. The realities of today’s inter-connected eBusiness world, however, have made IT a new focal point for Federal legislators and regulators. There are real risks associated with creating, processing, transmitting, and storing data electronically. Vulnerabilities exist even in the most well-managed organizations, and they can literally number in the thousands. New threats and exploits emerge daily. Because of budget concerns, many organizations have limited resources to devote to information security. Given the vague language in both SOX and the COSO framework regarding IT, many public companies are now struggling to define specific information security measures that will appropriately support their internal control structure and meet with the approval of their financial auditors.

PREPARING FOR 404 COMPLIANCE

While it is generally understood by both public companies and financial auditors that IT security plays a role in the internal control structure, that role has yet to be clearly defined. Neither SOX nor the COSO framework contains specific information security requirements or criteria. To date, neither the SEC nor the PCAOB has issued specific guidance related to information security controls.

Interpretation is therefore left to the public company and its auditor, although the independence requirements under SOX’s Title II (Sections 201-209) prevent the financial auditor from acting in an advisory capacity relative to information security consulting. Most public companies have found SOX compliance a complex exercise, and are obtaining assistance from consulting firms, infosec boutiques, or other sources.

Whether or not advisory services are engaged, being organized is critical to successful compliance preparation. In order to define IT’s role in the internal control structure, and identify existing vulnerabilities that may constitute deficiencies, the public company must take the following steps:

Define the scope of the target environment. Section 404 mandates that the organization maintain an appropriate internal control structure over financial reporting. The scope should include the systems, services, devices, data, and personnel involved in the creation, processing, transmission, storage, and destruction of financial data, as well as those IT personnel that maintain associated hardware, software, and periphery. In most cases, the scope will extend beyond physical facilities to follow the flow of the financial data.

Classify assets within the scope. This admittedly tedious exercise is critical to successful evaluation of the target environment. Identification of critical assets allows the organization to assign value and ownership to components, assess risk, and work with the financial auditor to examine and correct deficiencies.

Perform a risk assessment on the target. Once critical assets have been identified, the public company must consider the vulnerabilities that exist in the target environment, and establish a level of risk tolerance — risk acceptable given the business model and cost/benefit analysis of mitigation. Understanding risk tolerance is critical to the public company, as it will dictate the development of the mitigation strategy and selection of appropriate information security controls for the target.

The results of the risk assessment will be different for each public company — it will reveal those vulnerabilities that are idiosyncratic to the target environment. There are essential mitigations and controls, however, that should be implemented at some level by most SOX-affected organizations. These include:

Network segmentation. The systems, services, and devices involved in the processing and storage of financial data and associated organizational records should be appropriately isolated within the corporate computing environment. The public company should consider logical barriers between the target environment and other parts of the network, and carefully examine and secure connections to public networks.

Access restriction. Physical and logical access to financial data and associated organizational records must be restricted. The public company should apply the principle of least privilege, based upon job function, when granting access. User rights and privileges to isolated segments of the network should be reviewed on a regular basis and updated as employees’ responsibilities change. Physical access to filing rooms and data centers should be similarly restricted.

Background checks. The public company should perform a background check on all employees working with sensitive data. A background check should be part of the hiring or promotion process. Sensitive data is often vulnerable to theft, damage or destruction by trusted insiders, so the organization must exercise care when granting access.

Document, document, document! The public company should document the security controls implemented based on its most current risk assessment of the target, and be prepared to discuss those control measures with the financial auditor. Complete, organized documentation of control measures, policies, and standard operating procedures will facilitate the audit process.

These are controls that should be a part of any organization’s security program, and when implemented on an enterprise-wide scale will contribute to the overall health of its information security posture.

WHERE PUBLIC COMPANIES STRUGGLE

At its highest level the “object” of SOX is the financial data; the public company is responsible for ensuring the integrity and availability of that data. From an IT perspective, confidentiality, integrity, and availability (CIA) are standard requirements, and may apply to all data generated by the organization. SOX is not concerned with consumer data or any other organizational records not related to the financials - its sole focus is financial reporting, and integrity is key. The public company’s officers must be able to swear that the numbers are accurate, free from defect, and that no misstatements exist.

The prospect is daunting for many public companies. In order to make a reasonable attestation, management must have the utmost confidence in the computing environment that produces the financials — including the systems, services, devices, personnel, policies and standard operating procedures. In establishing the internal control structure, this subset of the corporate computing environment becomes the compliance target. One of the components of the COSO framework is risk assessment, but neither COSO nor Section 404 itself specifies the extent to which the assessment is to be performed on information security control measures as they function in the target environment, nor do they clearly define their role as a part of the internal control structure.

Section 404 does specifically require that testing be performed on the internal controls, and that such testing is able to adequately evaluate both the design of controls and their operating effectiveness. As management prepares its report to the SEC, the following four statements must be included:

(1) Acknowledgement of its responsibility for establishing and maintaining the controls

(2) Identification of the framework by which it created the internal control structure for its environment

(3) Attestation as to the effectiveness of the controls (and disclosure of material weakness)

(4) Acknowledgement of the auditor’s attestation

In the report, the auditor also acknowledges management’s attestation and therefore shares responsibility when reporting to the SEC on the state of internal controls in the environment. Liability is also shared between the public company and the public accounting firm partner. If any material weakness is discovered, it must be accurately reported; management cannot then assert that its internal controls are effective.

The IT department’s role in SOX compliance is largely a supportive one. IT certainly plays a part in the discovery, mitigation, and reporting of deficiencies relative to the target environment, but this is secondary to the public company’s overall compliance objective. Without specific information security criteria delineated in Section 404, and lacking guidance from the SEC and PCAOB, many public companies struggle when assigning compliance activities to IT. There are three critical compliance tasks, however, in which IT should take the lead.

THE RISK ASSESSMENT

Section 404 does not specifically mandate that a risk assessment be performed on the target environment, but the need is implicit. The organization must determine the risks associated with the target in order to identify and mitigate deficiencies.

Many organizations struggle with risk assessment. Should it be a qualitative or quantitative exercise? Should it be performed in-house or by a third party? Should the assessment be tool-based or audit-based? There is no single answer, no “best” way to approach risk assessment; issues will vary between organizations. One common problem, however, lies in the extent of the assessment. The first step is the appropriate identification of all assets in the target environment. SOX provides general direction here, but the organization must make certain that it identifies and includes all relevant assets, clearly documenting the target environment.

Assessments of the target may be determined through a variety of means, including process audits, vulnerability scans, war dialing, penetration testing, etc., each of which will yield its own flavor of vulnerability report. Many organizations fall into a common trap at this point — treating the vulnerabilities as risks. Too often, organizations begin remediation activity based upon the raw results of these reports. In order to effectively protect the target, those reports need to be analyzed, first removing false positives, and then quantifying the vulnerabilities, to determine which represent real risk. Determining vulnerabilities is important, but it is only the first step in a risk assessment.

The organization must also identify the relevant threats to the critical assets within the target, and determine the outcomes and costs associated with successful exploits. Event cost is measured by the total damage created by a successfully-executed threat, e.g., downtime, lost data, damaged reputation, remediation expenses, and lost revenue from a successful attack; for SOX-affected organizations, noncompliance penalties should also be factored into cost.

Ultimately, risk is the product of a simple equation:

Risk = Threat * Vulnerability * Event Cost

Event costs will vary in terms of dollars, but threat and vulnerability vary according to a number of factors. Malicious code and hacking represent significant threats to all organizations, since the rate at which they occur is increasing monthly[3]. This is particularly true for malicious code, some of which can affect entire populations of computer users worldwide. Other threats, such as physical theft of laptops, affect individual organizations, and may have a lower rate but a greater impact. In such a case, the event cost represents the loss of the laptops, as well as the data resident on the hard drives, the employees’ “downtime”, and IT’s time and effort to replace the hardware, install the software, and replace lost data.

Vulnerabilities, which exist in every organization, may never represent real risk in terms of a quantifiable value in the threat and event cost variables. Organizations can waste significant time and resources addressing unquantified vulnerabilities without tangible results. It is absolutely critical to the success of the security posture and compliance efforts that the organization focus on real risk to the target environment and pursue its mitigation strategy accordingly.

[3] Source: ICSA Labs
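The equation above and the warning against treating raw vulnerability reports as risk can be worked through on a small finding list: drop the false positives, score each finding as threat rate times vulnerability times event cost, and keep only what exceeds the organization’s risk tolerance. This is an added example, not code from the paper or from Cybertrust; the assets, threat rates, vulnerability probabilities, cost figures and tolerance are constructed sample values (threat_rate is taken as expected exploit events per year, vulnerability as the probability the exploit succeeds against the asset).

```python
"""Risk = Threat * Vulnerability * Event Cost over a cleaned finding list.
Added example; assets, rates and dollar figures are constructed samples."""
from dataclasses import dataclass


@dataclass
class EventCost:
    """Cost components named in the paper, in dollars per successful event."""
    downtime: float = 0.0
    lost_data: float = 0.0
    reputation: float = 0.0
    remediation: float = 0.0
    lost_revenue: float = 0.0
    noncompliance_penalty: float = 0.0  # SOX-affected organizations add this

    def total(self) -> float:
        return (self.downtime + self.lost_data + self.reputation
                + self.remediation + self.lost_revenue + self.noncompliance_penalty)


@dataclass
class Finding:
    asset: str
    title: str
    threat_rate: float            # expected exploit events per year (assumed unit)
    vulnerability: float          # probability of success, 0.0 .. 1.0
    false_positive: bool = False  # set after analyst review of the raw report


# Constructed event costs per in-scope asset (asset names are hypothetical).
COSTS = {
    "GL-DB-01": EventCost(downtime=20000, lost_data=40000, remediation=10000,
                          noncompliance_penalty=100000),
    "FIN-LAPTOP-07": EventCost(downtime=3000, lost_data=15000, remediation=2500),
    "DEV-TEST-03": EventCost(downtime=150),
}

# Constructed raw findings, as a scanner or penetration test might report them.
FINDINGS = [
    Finding("DEV-TEST-03", "Default credentials on developer test host", 12.0, 0.9),
    Finding("FIN-LAPTOP-07", "Finance laptop disk not encrypted", 0.25, 0.8),
    Finding("GL-DB-01", "General ledger DB unpatched, reachable from user LAN", 6.0, 0.5),
    Finding("GL-DB-01", "Weak TLS certificate (internal CA; reviewed as false positive)",
            1.0, 0.3, false_positive=True),
]


def risk(f: Finding, cost: EventCost) -> float:
    """Annualized risk in dollars, per the paper's equation."""
    return round(f.threat_rate * f.vulnerability * cost.total(), 2)


def rank_by_vulnerability(findings):
    """The trap: remediation driven by the raw report, ranked by severity only."""
    return [(f.asset, f.title)
            for f in sorted(findings, key=lambda f: -f.vulnerability)]


def rank_by_risk(findings, costs, tolerance):
    """Drop false positives, quantify each finding, keep those at or above the
    organization's risk tolerance, highest risk first."""
    scored = [(f.asset, f.title, risk(f, costs[f.asset]))
              for f in findings if not f.false_positive]
    return sorted((s for s in scored if s[2] >= tolerance), key=lambda s: -s[2])


if __name__ == "__main__":
    print("By raw vulnerability:", rank_by_vulnerability(FINDINGS))
    print("By risk (tolerance $2,500/yr):", rank_by_risk(FINDINGS, COSTS, 2500))
```

Ranked by raw vulnerability the test host comes first; ranked by risk it drops below tolerance, the false positive disappears, and the low-rate, high-impact laptop theft survives alongside the ledger database.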

EXTRAPOLATED THINKING

Although it may seem a somewhat fanciful exercise, considering a few “worst case scenarios” will prove valuable to many SOX-affected organizations, particularly for the risk assessment and in contingency planning. The scenarios need not be far-fetched; IT should consider a few common “what ifs”.

What if, for example:

The organization has purchased a new application or a new version of an operating system (OS), and subsequently discovers a significant flaw in the code.

Issues for IT to consider:

  • Until (or in the absence of) vendor resolution, what steps must the organization take to protect itself?

  • What vulnerabilities does this create in the target environment?

  • Are those vulnerabilities real risks?

  • How does this flaw affect the integrity of the organizational records, in particular financial data and reporting?

  • Is this a significant deficiency? Is there potential for material weakness?

  • What must IT report to management?

  • What must management report to the auditor?

  • What is the organization’s liability?

What if, for example:

There is a new virus or worm in the wild which bears a malicious payload that searches for and destroys *.dbf files. The organization then becomes infected.

Issues for IT to consider:

  • Is the network appropriately segmented to prevent random spread throughout the entire organization?

  • Are organization records and financial data appropriately isolated?

  • Are backups available?

  • Are they current?

  • Can IT be certain of data integrity?

  • If the financial data or other organizational records have been affected, can they be restored to the point that management can accurately attest to being made whole?

  • Can IT demonstrate restoration processes and validate data integrity for an auditor? For a Federal examiner?

Both of these examples represent simple and common occurrences. Though not specifically mandated by Section 404, working through a few security incident scenarios will aid the organization in developing response and emergency mode operation plans. IT should review documentation from any security incident or breach that occurred within the target environment in the past 24 months, determine whether the appropriate repairs were made, retest as appropriate, and consider how a similar incident would impact the organization today.
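The second scenario turns on two questions the checklist above cannot answer by itself: is the backup intact, and can IT prove after a restore that the financial data matches what was backed up? The following is an added example, not code from the white paper or from Cybertrust, showing one way to produce that evidence: a SHA-256 manifest of the backup set, sealed with an HMAC whose key is kept apart from the backup media so that a manifest altered alongside tampered files no longer verifies, and a post-restore comparison that lists intact, modified, missing and unexpected files. The directory layout, file names, contents and key are constructed for illustration; a real deployment would keep the key in a secrets store and the sealed manifest with the audit records.

```python
"""Backup integrity manifest: build, seal, and verify after a restore.

Added example (not part of the original white paper). Directory layout,
file names, contents and the HMAC key below are constructed for illustration.
"""
import hashlib
import hmac
import json
import os
import shutil
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large backup sets need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (path relative to root, '/' separated) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): file_sha256(p)
        for p in sorted(root.glob("**/*")) if p.is_file()
    }


def seal_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical JSON form of the manifest."""
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def seal_is_valid(manifest: dict, key: bytes, seal: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the seal."""
    return hmac.compare_digest(seal_manifest(manifest, key), seal)


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest; returns the four lists an auditor asks for."""
    current = build_manifest(restored_root)
    return {
        "intact": sorted(f for f, d in manifest.items() if current.get(f) == d),
        "modified": sorted(f for f, d in manifest.items() if f in current and current[f] != d),
        "missing": sorted(f for f in manifest if f not in current),
        "unexpected": sorted(f for f in current if f not in manifest),
    }


def demo() -> dict:
    """Constructed walk-through: back up three files, let a payload destroy the live
    *.dbf copies, then restore from backup and verify against the sealed manifest."""
    key = b"constructed-manifest-key"  # constructed; a real key comes from a secrets store
    files = {  # constructed sample data standing in for financial database files
        "gl/ledger.dbf": b"GL-2004-Q4 ...",
        "ar/customers.dbf": b"AR ...",
        "notes.txt": b"readme",
    }
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp) / "live", Path(tmp) / "backup"
        for d in (live, backup):
            for name, data in files.items():
                (d / name).parent.mkdir(parents=True, exist_ok=True)
                (d / name).write_bytes(data)

        manifest = build_manifest(backup)      # taken at backup time
        seal = seal_manifest(manifest, key)    # stored with the audit records

        # The scenario from the text: one *.dbf deleted, one overwritten, plus a stray file.
        (live / "gl/ledger.dbf").unlink()
        (live / "ar/customers.dbf").write_bytes(b"\x00" * 8)
        (live / "dropper.tmp").write_bytes(b"junk")
        before = verify_restore(manifest, live)

        # Restore: clean up, copy every manifest entry back from the backup set, re-verify.
        (live / "dropper.tmp").unlink()
        for name in manifest:
            shutil.copy2(backup / name, live / name)
        after = verify_restore(manifest, live)

        return {
            "seal_valid": seal_is_valid(manifest, key, seal),
            "before_restore": before,
            "after_restore": after,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Before the restore the report names the deleted ledger as missing, the overwritten customer file as modified and the stray file as unexpected; after the restore all three backed-up files are intact and the other lists are empty. The seal check is what lets the organization state, rather than assume, that the manifest used for the comparison is the one written at backup time.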

COST/BENEFIT ANALYSIS

Examining the cost and benefit of information security control measures goes hand-in-hand with the organization’s risk assessment activities. Once real risk has been determined, the organization must take appropriate steps to mitigate that risk. Selecting and implementing appropriate information security controls in a live production environment is not always an easy task, and can quickly turn from an appropriate compliance exercise to a spending spree.

This was never the intent of Section 404 — to encourage organizations to spend beyond their means to prove compliance. But unlike current information security regulations, such as HIPAA and GLB, there is no specific directive in Section 404 that the organization establish a level of risk tolerance based on its business model, nor that it perform a formal cost/benefit analysis.

In the real world, however, the organization must follow a rational decision-making process in order to avoid the overspending trap. It is possible to spend a fortune on technical security controls for the sake of compliance yet remain as vulnerable to exploitation as if those controls had never been implemented. Often a smaller set of cost-effective, layered, synergistic controls working together provides far more reliable protection than more expensive individual controls, which can represent a single point of failure. For example, if the organization needs to control and monitor access to its data center, using key cards to control and log ingress and egress coupled with security cameras aimed at the doors is a reliable solution that may be far less costly than implementing biometric palm print or iris readers. The organization would gain no additional security benefit by implementing the more costly solution with respect to meeting SOX requirements.

To prove compliance to the auditor, the organization should document its control selection process, tying it to the results of the risk assessment. The organization should be prepared to attest or demonstrate how synergistic controls work together to mitigate risk in the target environment. The auditor is unlikely to find fault with an organization that can demonstrate the rationale behind critical compliance decisions.

WHAT TO EXPECT FROM THE REGULATORS

The Securities and Exchange Commission (SEC) is the supervisory authority for the Sarbanes-Oxley regulation. The SEC is responsible for the management and enforcement of the regulation. Public companies will submit compliance reporting to the SEC as they submit their quarterly reporting. The Public Company Accounting Oversight Board (PCAOB) is responsible for the establishment and maintenance of the auditing standards and for the publication of compliance guidance. AICPA has no official role in compliance. ISACA and the Information Technology Governance Institute (ITGI), however, have taken an active role in creating compliance guidance.

The public accounting firms will play a critical role in SOX compliance. Their auditors will use the PCAOB Auditing Standards to evaluate each public company’s compliance efforts. Auditing Standard No. 2 (4) states the following with regard to information security:

4 PCAOB - Bylaws and Rules - Standards - AS2 [Under Item 126 (Page 176)]

Information technology general controls. Information technology general controls are part of the control activities component of internal control; therefore, the nature of the controls might permit the auditor to use the work of others. For example, program change controls over routine maintenance changes may have a highly pervasive effect, yet involve a low degree of judgment in evaluating their operating effectiveness, can be subjected to objective testing, and have a low potential for management override. Therefore, the auditor could determine that, based on the nature of these program change controls, the auditor could use the work of others to a moderate extent so long as the degree of competence and objectivity of the individuals performing the test is at an appropriate level. On the other hand, controls to detect attempts to override controls that prevent unauthorized journal entries from being posted may have a highly pervasive effect, may involve a high degree of judgment in evaluating their operating effectiveness, may involve a subjective evaluation, and may have a reasonable possibility for management override. Therefore, the auditor could determine that, based on the nature of these controls over systems access, he or she would need to perform more of the tests of those controls himself or herself. Further, because of the nature of the controls, the auditor should use the work of others only if the degree of competence and objectivity of the individuals performing the tests is high.

PCAOB identifies IT general controls as:

(a) Program development

(b) Program changes

(c) Computer operations

(d) Access to programs and data

The organization should document and be prepared to demonstrate the following at minimum:

(a) Access to financial data - this should include physical and logical access to the data center, as well as logical access for all end-users, and administrative access by IT staff. The organization should have documented all current user IDs, and user rights and permissions. The organization should be prepared to show how user rights and permissions are granted, and how they are reviewed.

(b) Contents of the software library - the organization should have documented all the software currently in use in the target environment, both commercial and proprietary. The organization should be prepared to show how the software is maintained, including the upgrade and change management process. The organization should also be able to demonstrate that clean copies of the software are maintained, and that backup and restoration procedures exist for the purposes of incident response and business continuity.

(c) Standard operating procedures - the organization should have documented standard operating procedures for the IT department, and be prepared to demonstrate that those procedures are followed. The organization should be prepared to show how it supports end users that access the systems and services containing financial data and reporting, and that it has granted access to those systems and services based upon job function by applying the principle of least privilege.
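Item (a) asks the organization to show how user rights are granted and reviewed, and item (c) asks it to show that access is granted by job function under the principle of least privilege. The following is an added example, not code from the white paper or from Cybertrust, of the kind of periodic access review that produces that evidence: an entitlement export from the financial application is compared with the HR roster and with a per-role baseline, and each exception becomes a finding the reviewer must sign off on. The roster, role matrix, export rows, user IDs and the segregation-of-duties rule (no account may both enter and approve payables) are constructed for illustration; the segregation-of-duties check is an addition of this example rather than something the white paper prescribes.

```python
"""Periodic user-access review against an HR roster and least-privilege role baselines.

Added example (not from the original white paper). The roster, role matrix,
entitlement export and segregation-of-duties pairs are constructed for illustration.
"""
import csv
import io
from collections import defaultdict

# Constructed HR roster: what each person is employed to do and whether they still are.
ROSTER = {
    "alice": {"role": "ap_clerk", "status": "active"},
    "bob": {"role": "ap_supervisor", "status": "active"},
    "carol": {"role": "gl_accountant", "status": "active"},
    "dave": {"role": "gl_accountant", "status": "terminated"},
}

# Constructed role baseline: the least-privilege entitlement set for each job function.
ROLE_MATRIX = {
    "ap_clerk": {"AP_ENTER"},
    "ap_supervisor": {"AP_APPROVE"},
    "gl_accountant": {"GL_POST"},
}

# Constructed segregation-of-duties rule: one account must not both enter and approve payables.
SOD_PAIRS = [("AP_ENTER", "AP_APPROVE")]

# Constructed entitlement export from the financial application (user,entitlement per row).
ENTITLEMENT_EXPORT = """user,entitlement
alice,AP_ENTER
alice,AP_APPROVE
bob,AP_APPROVE
carol,GL_POST
dave,GL_POST
erin,DB_ADMIN
"""


def parse_export(text: str) -> dict:
    """Group the exported rows into {user_id: set(entitlements)}."""
    grants = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        grants[row["user"].strip()].add(row["entitlement"].strip())
    return dict(grants)


def review_access(grants: dict, roster: dict, role_matrix: dict, sod_pairs: list) -> list:
    """Return one finding per exception, in a stable order suitable for an evidence file.

    Finding types: orphaned_account (no roster entry, or roster status not active),
    excess_entitlement (held but outside the role baseline), sod_conflict.
    """
    findings = []
    for user, held in sorted(grants.items()):
        person = roster.get(user)
        if person is None:
            findings.append({"user": user, "finding": "orphaned_account", "detail": "not in HR roster"})
            continue
        if person["status"] != "active":
            findings.append({"user": user, "finding": "orphaned_account", "detail": person["status"]})
            continue
        baseline = role_matrix.get(person["role"], set())
        for extra in sorted(held - baseline):
            findings.append({"user": user, "finding": "excess_entitlement", "detail": extra})
        for a, b in sod_pairs:
            if a in held and b in held:
                findings.append({"user": user, "finding": "sod_conflict", "detail": f"{a}+{b}"})
    return findings


def run_review() -> list:
    """Run the review over the constructed sample data."""
    return review_access(parse_export(ENTITLEMENT_EXPORT), ROSTER, ROLE_MATRIX, SOD_PAIRS)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f['user']:8} {f['finding']:20} {f['detail']}")
```

On the sample data the review flags alice for holding an approval right outside her role and for the resulting enter/approve conflict, dave for retaining GL posting rights after termination, and erin for an account that HR does not know about; bob and carol match their baselines and produce no finding. Keeping the output as a list of findings rather than a pass/fail flag gives the auditor both the exceptions and the evidence that the review actually ran.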

In practice, the auditor will begin by reviewing management’s assertions, including the documentation of the internal control structure and the results of testing of the effectiveness of internal controls. The auditor will then establish the scope of testing with management, test the limits of that scope for coverage, and evaluate a random sampling of individual control measures. In most cases, the public company should expect the process to be similar to that of the annual financial audit, and the workload for both staff and audit team should be equivalent. SOX 404 auditing will focus almost entirely on transactions and processes rather than on the balance sheet. Of particular interest to the auditors will be any significant transactions for the company, any merger and acquisition activity, and the development of any new lines of business. These areas would be the most likely sources of deficiency and material weakness.

The SEC will not directly examine each public company for compliance. Instead, it will review reporting as it is submitted and most likely examine those companies that disclose serious material weakness. Whether this will be all such companies is impossible to determine at this point; it will depend upon the number of companies that make such disclosures. If the majority of companies filing disclose material weakness, the SEC may examine only a random sampling. Enforcement actions for Section 404 will be determined by each company’s ability to complete corrective action in a timely and demonstrable way.

There will be fallout. The language of the regulation and the COSO framework is sufficiently vague that interpretation will vary widely. This is new territory for both the public companies and public accounting firms, and most are admittedly making their best guess when it comes to measuring IT for Section 404 compliance. There is a consensus in the public accounting community that the nuances of compliance, particularly where IT is concerned, will be worked out in the courts. Information security, after all, is an inexact science; even the most vigilant public companies can suffer security breaches, and they and their auditors may not realize that a vulnerability or deficiency existed in the target environment until a breach brings it to their attention.

Will the fallout be harsh and punitive? Given the current regulatory environment and the fact that the SOX regulation was born out of the corporate scandals of 2000, public companies should be prepared for harsh treatment by the SEC. Individuals and companies already facing charges under SOX have so far found little tolerance, either for deliberate actions or for legitimate error.

There is currently no private right of action under Sarbanes-Oxley — no consumers or individual investors will be able to sue a public company for failure to comply with SOX. Civil litigation, however, can never be ruled out entirely. Should a civil suit be brought against a company for the loss of funds invested for example, clever plaintiff’s attorneys will no doubt examine SOX disclosures in an effort to cast doubt on the company’s demonstration of a professional level of due care. It is unlikely, however, that this will be normative.

THE CYBERTRUST APPROACH

As an information security company, Cybertrust recognizes the importance of Sarbanes-Oxley to the publicly-traded community and is therefore working to provide effective information security management solutions supportive of SOX 404 compliance efforts. Interpretive work began with a thorough review of the PCAOB’s Audit Standard #2. Cybertrust then chose the COSO framework to interpret Section 404, as it is the predominant framework for SOX interpretation in the United States, and will be used by the majority of public companies preparing for compliance. To interpret COSO, Cybertrust chose to base most of its work on the ISO 17799 information security standard, supplemented as necessary by control measures taken from the COBIT standard. These blended control measures provide both high level and practical security control objectives to Cybertrust clients.

Cybertrust is the leading provider of intelligent risk management products and services. As an organization, Cybertrust dramatically improves security and reduces risk by assisting client organizations to make better security decisions and maximizing the effectiveness of existing security personnel, processes and technology. Currently, Cybertrust has three offerings that can assist client organizations with security management issues specific to the SOX 404 requirements.

CYBERTRUST’S BUSINESS SECURITY ASSESSMENT

Business Security Assessments provide an independent evaluation of the effectiveness of security controls in place across a given organization. More flexible in scope than Risk Commander or the Risk Management Programs, the BSA enables Cybertrust consultants to examine the entire organization or those areas within the organization that are of particular importance to the client, measuring the compliance status against internal, regulatory and 3rd party security standards including Sarbanes-Oxley Section 404.

The BSA goes beyond measuring the effectiveness of technology assets, delivering an in-depth review of the personnel, processes and other organizational factors that influence the overall security posture.

Cybertrust’s analysis results in an objective assessment of the state of the security posture and strategic recommendations on actions to improve problem areas and how to refocus resources to achieve optimal impact.

The BSA has the flexibility to incorporate specific assessment criteria required by the organization’s business needs, regulatory bodies, or 3rd party stakeholders, allowing client organizations to meet compliance obligations. Recommendations resulting from the assessment are presented in a format that is both actionable and prioritized in terms of cost and risk-reduction. These assessments can also be delivered in combination with traditional technology assessment methodologies (e.g. penetration testing, vulnerability assessment or application testing).

The BSA results in a “score” representing the quality of the client organization’s controls in place and security practices; the score takes into account current and planned security controls, business benefits, and whether they support the firm’s strategic imperatives. Cybertrust consultants collect and analyze data according to security criteria that are specific to the client organization’s business, ensuring appropriate and constructive results. The BSA is a customized, tailored program that provides specific, actionable recommendations to strengthen the overall security posture.

CYBERTRUST’S RISK COMMANDER

Cybertrust’s Risk Commander is a compliance management and risk analysis application that enables client organizations to effectively direct and track progress toward compliance with information security regulations, standards and practices, and to demonstrate overall risk reduction across the enterprise.

Risk Commander provides a single interface to monitor information security compliance. It allows the client organization to:

  • Manage the compliance program accurately and consistently

  • Produce quantitative risk analysis results

  • Increase the efficiency of the information security staff

  • Demonstrate comprehensive compliance effectiveness

Risk Commander offers flexible configuration options so that the client organization can properly manage compliance activities. It has automated the compliance process into three distinct phases:

DATA GATHERING

Using the Adaptive Survey Module, the organization collects data for specific regulations and standards, as well as its own corporate security policies. Risk Commander can also automatically import and integrate data from multiple commercial and proprietary asset management, vulnerability scanning, and compliance testing tools. Risk Commander consolidates this data in a controlled, repeatable and efficient manner to ensure consistent data quality.

ANALYSIS

Risk Commander’s proprietary automated analysis engine applies rules developed by subject matter experts and compares collected data to standards and regulations to quickly identify compliance issues.

Automated analysis helps reduce overall compliance assessment efforts by identifying risks, and producing consistent, measurable results. This allows scarce resources to be directed to the most urgent remediation activities.

INTELLIGENCE

Risk Commander’s Dashboard and Scorecards deliver quantitative graphical and trend charts that offer at-a-glance insight into organizational performance. User-defined filters help pinpoint compliance issues and vulnerabilities of particular interest. Narrative reports support the overview charts and graphs for in-depth review. Risk Commander’s workflow can automatically generate a remediation task for every vulnerability and compliance issue it detects, enabling comprehensive remediation management and oversight.

Risk Commander facilitates access to critical information, by providing:

Immediate Access to Key Reports - The Dashboard offers immediate access to key tactical and strategic reports for compliance, vulnerability and remediation. Users can customize their Dashboard so it delivers the right information in the right format.

Flexible Asset Management - The Resource Manager lets you configure the application to fit the organization, allowing the management of technical assets like servers and applications as well as non-technical assets like individuals and physical locations.

Efficient Data Collection - Risk Commander helps you gather and consolidate information across your entire enterprise. You collect data once and it is automatically applied to multiple standards, saving time and eliminating redundant data capture. You can even assign policies to different business units and divisions as your business needs dictate.

Integrated Compliance Expertise - By integrating compliance standards, requirements, and controls directly into the application, Risk Commander interprets and clarifies compliance issues, reducing the need for consulting engagements. Based on the client organization’s compliance priorities, rating thresholds can be established that fit specific needs.

Quantitative, Measurable Results - Risk Commander eliminates reliance on qualitative assessments by providing Compliance Scorecards with quantitative results that can directly improve oversight and control. With the intelligent use of automation, analysis can be performed as needed, producing quarterly, monthly, and ad hoc results, with a view of performance trends over time.

Robust Reporting - Risk Commander’s robust reporting capabilities allow easy production of customized reports from the business, technical, or regulatory perspective. Immediate access to such information reduces demands on information security staff.

High-Level Overviews and Supporting Details - Risk Commander effectively communicates “the big picture” for corporate-level executives through its Compliance Overview, which identifies issues and pinpoints violations. It also provides easy access to supporting details for frontline personnel, including a summary of key compliance elements and remediation details for each issue.

Enterprise Vulnerability Management - With Risk Commander, multiple sources of vulnerability data can be integrated to provide a comprehensive view of performance. The client organization can also use metrics to compare business units and determine which have the highest level of risk.

Automated Issue Tracking - The Remediation Scorecard quickly highlights tasks by priority and status so that pending issues are identified and factored into the organization’s level of risk tolerance. Risk Commander’s automated analysis engine adheres to a closed-loop checking process that compares all remediation tasks against the latest vulnerability and compliance results to confirm that tasks are completed and identify any outstanding issues.

Risk Commander delivers the tools, knowledge, and automation necessary to the client organization to effectively manage enterprise-wide compliance efforts, by:

  • Bringing information security metrics in line with other disciplines in the organization

  • Delivering comprehensive, current, and relevant information to all stakeholders

  • Establishing consistent collection, analysis, scoring, and reporting processes across the organization

  • Demonstrating the value of information security to the organization

CYBERTRUST’S RISK MANAGEMENT PROGRAM

With Cybertrust’s Risk Management Program (RMP), client organizations gain perspective on the real information security risks that require action. The process assists with the prioritization and allocation of resources to mitigate those risks and establishes a heightened level of confidence in the conduct of strategic business operations.

INTELLIGENCE

Effective risk management begins with comprehensive data gathering. Cybertrust’s Intelligence Security Knowledge Network actively collects and integrates data from multiple sources on a regular basis, both daily and quarterly. With a customer base of more than 700 organizations and locations spread across 30 countries as well as pre-positioned sensors and monitoring sources around the world, the Knowledge Network gathers data and actively tracks the most damaging threats and exploits.

ACTIONABLE INTELLIGENCE

The key to successful information security management is the ability to transform raw data into “actionable intelligence.” Cybertrust employs several proprietary models for the analysis of aggregate data, distilling it into real risk information applicable to client organizations. These include a proprietary risk equation, a ballistic threat model, and Cybertrust’s Risk Index, which delivers an assessment of risk on a global basis as well as information particular to a single industry or market segment and custom to each client organization. Security control strategies and concepts such as early warning and threat analysis systems, policy compliance programs, and essential practices and controls now take actionable form—client organizations actually experience the end result of global information gathering.

SECURITY MANAGEMENT METHODOLOGY

Based on its ability to gather data and translate it into actionable intelligence, Cybertrust has developed a comprehensive risk management methodology that integrates a number of critical security activities and disciplines into a formal program that reduces risk and results in a high security posture for the client organization’s corporate computing environment. The program incorporates multiple activities, including vulnerability assessments of both the externally-facing and internal network environments, physical and human or administrative areas, and the latest and most popular technical threat vector — wireless. When integrated, these service activities paint a comprehensive picture of an organization’s current risk posture, creating a foundation upon which a comprehensive program can be put in place to address the deficiencies.

The framework for the program’s assessment and remediation process is a proprietary set of standards and control measures known as the Essential Practices, which differ in philosophical concept from what is commonly known as “best practices.” Cybertrust’s essential practices focus on real risk - the risks most likely to be successfully exploited and those that will have the greatest impact on the organization — meeting them at an essential level. This establishes a baseline for the organization — practices and controls that must be in place in order for the client organization to function securely. Best practices, on the other hand, are often too academic, too aggressive to achieve, too expensive, and too impractical; in order to implement and maintain them, the organization would have to devote an inordinate amount of time and money relative to the return on investment, and there would be no associated increase in the level of the security posture.

Cybertrust’s program follows a pragmatic approach that enables customers to achieve significant risk reduction at a fraction of the cost typically associated with enterprise-level security management and delivers demonstrable results in the form of reporting and certification that client organizations can share with senior management and third parties, such as customers, business partners, and auditors.

The Cybertrust Risk Management Program is a comprehensive and cost-effective approach for reducing risk and addressing compliance pressures. It is delivered to client organizations on a subscription basis, allowing them to keep their security postures current and providing them the reliability of continuous and dynamic testing and evaluation. Cybertrust stays with its client organizations, facilitating maintenance, advising on new and emerging threats, and assisting in the ongoing management of information security over time.

CONCLUSION

Many organizations face the challenge of navigating complex information security compliance requirements in an increasingly risky technological landscape. Cybertrust provides tools and advisory services that allow its client organizations to establish a level of risk tolerance appropriate to the business model that is fully supportive of the internal control management required by Section 404 of Sarbanes-Oxley. Cybertrust clients benefit from an independent third-party validation of controls in place in the corporate computing environment, demonstrable evidence of a good faith effort to comply, and a fully-documented and defensible compliance position.


Cybertrust, Betrusted, TruSecure, and ICSA Labs are trademarks and registered trademarks of Cybertrust, Inc. Ubizen is a registered trademark of Ubizen NV. Cybertrust is a global provider of information security, providing a unique mix of products, processes, and people to enable enterprises and government agencies to secure and manage their IT infrastructure. With over 15 years of proven experience, Cybertrust is the first company to comprehensively address the entire security lifecycle by providing offerings for each of the four critical security domains: identity, threat, vulnerability, and compliance management. These offerings leverage Cybertrust’s unmatched security knowledge and intelligence-gathering resources, which includes ICSA Labs, the global leader in information security product certification. Headquartered in Herndon, Virginia, USA with more than 30 offices around the globe, Cybertrust is the trusted advisor for information security to over 4,000 customers worldwide.


The Business Forum
Beverly Hills, California United States of America

Copyright The Business Forum Institute - 1982 - 2013 All rights reserved.