Solidcore SOX White Paper


Sustainable Sarbanes-Oxley Compliance

A Solidcore White Paper

The Sarbanes-Oxley Act (SOX), passed by the US Congress in 2002, represents a fundamental shift in corporate governance norms. As corporations come to terms with the implications of SOX to their businesses, one thing is clear: a SOX compliance program is not a one-time project but a sustained effort to gain visibility and accountability into business processes that affect the accuracy of financial reporting. This white paper outlines the issues faced by IT managers in meeting their compliance requirements and explains how Solidcore can be a core component of a sustainable and cost-effective SOX compliance program.


Complying with Sarbanes-Oxley


The Sarbanes-Oxley Act (SOX), passed by the US Congress in 2002, represents the most fundamental shift in corporate governance norms for many decades. In particular, Section 404 is often talked about as being the core provision of SOX, as it deals with executive management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company. It requires management to certify the adequacy and effectiveness of its internal controls and to disclose any material weaknesses found.

The key to a successful compliance program is to recognize that SOX does not simply require that adequate controls be established; it requires an annual review of the effectiveness of those controls. In other words, achieving compliance is not a one-time event; it must be part of an ongoing process that is sustained over time. Corporations that view the compliance provisions of Section 404 as a burdensome legislative mandate may not make the investments that a sustained compliance program needs. On the other hand, corporations that view compliance as a means to establish and maintain good process, through a well-defined set of internal controls and the automation of those controls, are the ones more likely to have a successful long-term compliance program.

The standard that most auditors use to determine the adequacy of internal controls is the standard of due care. A company exercises due care if it follows current best practices for establishing accountability and measurability over its internal controls. If an internal control is circumvented in spite of measures that meet the test of due care, the company is not liable for regulatory penalties (fines and other sanctions). However, the precise definition of due care is amorphous and changes over time: it simply refers to the practices that enough other companies have adopted because they are feasible (most companies should be able to implement them) and reasonable (the benefit should justify the cost for most companies).

Note that SOX is the most visible of a number of regulatory standards that have emerged in recent years. While we focus on SOX in this white paper, information about other standards is available in Appendix B.

IT Controls are central to SOX Compliance


In today's corporate environments, control over IT systems is critical to a sustainable compliance program. The US Public Company Accounting Oversight Board (PCAOB), which provides guidelines for auditors, issued a statement (Auditing Statement No. 2) that made this very clear: "The nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting." In the same document, the PCAOB goes on to stress the centrality of IT controls in an audit of SOX compliance: "To identify relevant assertions, the auditor should determine the source of likely potential misstatements in each significant account. In determining whether a particular assertion is relevant to a significant account balance or disclosure, the auditor should evaluate the nature and complexity of the systems, including the use of information technology by which the company processes and controls information supporting the assertion."

The remainder of this white paper focuses on building and maintaining effective IT controls to meet Sarbanes-Oxley requirements. The conventional approach to establishing and maintaining IT controls is to exhaustively document IT processes and policies and to increase the frequency of review. This approach, while it may meet the due care standard today, is costly, inefficient and error-prone. A sustainable compliance program will need to automate the verification and enforcement of IT controls in a manner that causes low operational overhead and decreases the documentation burden on systems administrators and audit personnel.

That leads to the primary issue faced by IT departments in meeting their compliance requirements today: it is very difficult to control IT systems. Most companies have some form of change approval process, whether formally captured in a workflow system or informally captured via email exchanges. However, many people have the ability to add to or modify the software that runs on a system, change configurations, directly access data, and generally perform actions that change the system's state. Regardless of whether the intentions behind these actions are benign or malicious, they limit how confident you can be about who did what on your systems. Consider a situation in which an annual audit is coming up. People on the staff of the CIO know that, because of SOX, they will need to convince the auditors with good answers to questions about who modified data, when, and for what purpose. How can they reconcile every change on a system with its purpose and authorization? How can they demonstrate that their change process was followed, and that every exception to the process is accounted for in a manner satisfactory to the audit team?

Requirements for sustainable compliance


The key requirement for sustainable compliance is control over change. Demonstrating to auditors that adequate IT controls are in place requires gaining visibility into the change process, establishing accountability for changes, and selectively enforcing limits on how systems may be changed. In other words, a company's IT controls should, at a minimum, address the following requirements:

Visibility: Provide extensive logging capabilities that track all relevant program and data changes, and categorize and report on them in a useful and actionable manner.

Accountability: Reconcile every change with its authorization and purpose to verify that policies have been followed. Report on exceptions to the change process.

Selective Enforcement: Provide a mechanism to enforce these policies selectively, where appropriate, to prevent breaches from occurring.

Meeting the IT requirements for compliance is an onerous task.

The typical answer to questions of this sort is to talk about the access and change control policies the company has put in place. However, this is not satisfactory without adequate mechanisms to verify that the process was followed. For example, it is not enough to say "I know that only person X had access to the data, because that's our company policy." Can you verify that only approved changes were deployed on a given server? Can you reconcile the approved changes with the changes actually implemented? Can these questions be answered in an automated manner, so that audit requirements can be fulfilled without a lot of manual effort? This is where IT should provide leadership: by enabling the company to enforce its policies and to report on policy breaches.

The information required to verify IT controls is unavoidably very large, exists in many different forms and is scattered widely across a complex IT infrastructure. Reconciliation across these information sources is a largely manual, tedious, error-prone and expensive process. In general, it is very difficult for IT personnel to use such scattered information to construct documentation demonstrating the capability to detect policy violations. For example, even large financial services companies that are leaders in SOX compliance practice find that every fiscal quarter, dozens of people suspend their usual job duties for several days to collect data and create documentation in the quarterly compliance "fire drill."


Sustainable compliance with Solidcore


Solidcore's solutions offer enterprises a simple and efficient way to meet their IT compliance requirements in a sustainable manner. Solidcore provides visibility, accountability and selective enforcement of existing processes. These capabilities enable enterprises to automate and enforce internal IT controls and thereby build a sustainable compliance program. The remainder of this section focuses on each of these capabilities.

Selective Enforcement
Solidcore provides the means to selectively enforce change control windows and other custom change policies. Changes can be restricted to only occur within a specified time interval, or only to particular servers or files. Further restrictions on who (a person or a program) can make a change can also be enabled and enforced. The selective enforcement capability further automates the IT controls required by SOX. For example, if an IT control states that no changes are allowed on servers housing financial data during an audit period, this capability allows the enforcement of that control in an automated manner.

Visibility
Solidcore provides real-time detection of change across the enterprise. Solidcore enables you to discover who makes what changes, and when, as it happens. A fully featured reporting engine, as well as a web-based search tool, provides the ability to sift through large volumes of data quickly and focus only on the useful and actionable information. Change archives are stored in a tamper-proof Independent System of Record. These capabilities allow enterprises to validate adherence to IT controls on an ongoing basis with minimal overhead. For example, any change information requested by an audit team can be quickly supplied using the reporting capabilities of the system.

Mapping SOX requirements to Solidcore capabilities


To map these capabilities to the specific internal controls required by SOX, we will use a widely adopted controls framework, the one provided by COSO, a voluntary private-sector organization dedicated to improving the quality of financial reporting. The SEC recommends that this framework be followed, and in practice it is the controls framework used by most audit organizations. COSO identifies five essential areas of control, and every IT manager will need to demonstrate how their IT controls support the COSO framework. Note that at a finer level of granularity there is another framework, COBIT, which identifies thirty-four specific IT controls that must be satisfied for SOX compliance. These detailed requirements, and their mapping to COSO as well as to Solidcore capabilities, are included in Appendix A. COSO identifies five areas of effective internal control (see the table on the next page). Solidcore provides the technical means to meet the internal control guidelines laid out by COSO, and Solidcore's capabilities can form a core component of a cost-effective and sustainable SOX compliance program.

Accountability
Solidcore provides automated reconciliation with existing change approval systems to correlate each deployed change with its authorization and purpose. In cases where documentation for a change does not exist (for example, in the case of an emergency or ad-hoc change), Solidcore can automatically create the required documentation and link it with the deployed change. Together, these capabilities enable enterprises to close the documentation loop and demonstrate accountability for audits. For example, any IT control that requires verification that the change process was followed can be quickly satisfied with the reconciliation reports provided by Solidcore.
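The three capabilities described in this section can be illustrated together in a small reconciliation routine. The following is an added example written for this page, not Solidcore's code, and it assumes nothing about how Solidcore itself stores or matches change records: observed changes (visibility) are matched against approved change records (accountability), any change without a matching approval is flagged and given a draft after-the-fact record, and a separate policy decides whether the change would have been permitted at all (selective enforcement, here a host freeze during an audit period and a list of who may touch a protected path). All hosts, paths, user names, ticket numbers and timestamps are constructed sample data.

```python
"""Reconcile observed changes with approvals and a selective-enforcement policy.

Added example, not Solidcore's code. Models visibility (a record of every
observed change), accountability (matching each change to an approved change
record, drafting a record for any change that has none) and selective
enforcement (a policy deciding whether a change is permitted at all).
Hosts, paths, users, tickets and timestamps are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional


def ts(s: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class ApprovedChange:
    ticket: str                   # record from the change-approval system
    host: str
    path_prefix: str              # files the ticket authorizes
    implementers: FrozenSet[str]  # users permitted to carry it out
    window_start: datetime        # approved change window
    window_end: datetime


@dataclass(frozen=True)
class ObservedChange:
    host: str
    path: str
    user: str
    action: str                   # create / modify / delete
    at: datetime


@dataclass
class Policy:
    frozen_hosts: FrozenSet[str]  # no changes at all during the freeze
    freeze_start: datetime
    freeze_end: datetime
    # host -> {path prefix -> users allowed to change it}
    protected_paths: Dict[str, Dict[str, FrozenSet[str]]]


def match_approval(c: ObservedChange, approvals: List[ApprovedChange]) -> Optional[ApprovedChange]:
    """Accountability: the approval covering this change (host, path, user, window), if any."""
    for a in approvals:
        if (a.host == c.host and c.path.startswith(a.path_prefix)
                and c.user in a.implementers
                and a.window_start <= c.at <= a.window_end):
            return a
    return None


def enforce(c: ObservedChange, p: Policy):
    """Selective enforcement: (allowed, reason) for this change under the policy."""
    if c.host in p.frozen_hosts and p.freeze_start <= c.at <= p.freeze_end:
        return False, "host frozen during audit period"
    for prefix, allowed in p.protected_paths.get(c.host, {}).items():
        if c.path.startswith(prefix) and c.user not in allowed:
            return False, "user not permitted to change " + prefix
    return True, "permitted"


def reconcile(changes, approvals, policy) -> List[dict]:
    """Visibility plus accountability: one report row per observed change."""
    rows = []
    for c in changes:
        a = match_approval(c, approvals)
        allowed, reason = enforce(c, policy)
        rows.append({"host": c.host, "path": c.path, "user": c.user,
                     "action": c.action, "at": c.at.isoformat(),
                     "ticket": a.ticket if a else None,
                     "status": "approved" if a else "exception",
                     "enforcement": "allowed" if allowed else "blocked",
                     "reason": reason})
    return rows


def exceptions(rows: List[dict]) -> List[dict]:
    """Changes with no matching approval: the ones an auditor will ask about."""
    return [r for r in rows if r["status"] == "exception"]


def draft_exception_records(rows: List[dict]) -> List[dict]:
    """Closed-loop documentation: draft a record for each exception so it is
    reviewed (approved or rejected) rather than left undocumented."""
    return [{"ticket": "EXC-%04d" % i, "host": r["host"], "path": r["path"],
             "user": r["user"], "at": r["at"], "needs_review": True}
            for i, r in enumerate(exceptions(rows), start=1)]


# Constructed sample data: one approved ticket, a freeze on the finance host
# from 15 to 31 March, and a protected config directory on that host.
APPROVALS = [ApprovedChange("CHG-1001", "fin-db-01", "/etc/app/", frozenset({"dba1"}),
                            ts("2005-03-10T22:00"), ts("2005-03-11T02:00"))]
POLICY = Policy(frozen_hosts=frozenset({"fin-db-01"}),
                freeze_start=ts("2005-03-15T00:00"), freeze_end=ts("2005-03-31T23:59"),
                protected_paths={"fin-db-01": {"/etc/app/": frozenset({"dba1"})}})
OBSERVED = [
    ObservedChange("fin-db-01", "/etc/app/db.conf", "dba1", "modify", ts("2005-03-10T23:15")),
    ObservedChange("fin-db-01", "/etc/app/db.conf", "admin2", "modify", ts("2005-03-12T09:00")),
    ObservedChange("fin-db-01", "/usr/local/bin/report.sh", "dba1", "modify", ts("2005-03-20T10:00")),
    ObservedChange("web-01", "/var/www/index.html", "webadmin", "create", ts("2005-03-12T11:00")),
]
REPORT = reconcile(OBSERVED, APPROVALS, POLICY)

if __name__ == "__main__":
    for r in REPORT:
        print(r["status"], r["enforcement"], r["host"], r["path"], r["user"], r["reason"])
    for d in draft_exception_records(REPORT):
        print("draft record:", d)
```

The fourth sample change is deliberately an exception that the policy still permits: the web host is neither frozen nor protected, so the change is recorded and reported for reconciliation but not blocked. That is the difference between visibility (everything is logged) and selective enforcement (only the controls that matter for financial reporting are enforced), which is what keeps the operational overhead of the program low.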


COSO Requirement: Control Environment

This is the foundation of effective internal control and deals mostly with organizational culture, the "tone at the top." The control environment includes issues such as aligning business and IT objectives and defining roles and responsibilities with respect to IT controls.

Solidcore Capability: Solidcore provides real-time visibility and accountability of changes occurring in the IT infrastructure. The capabilities of Solidcore's reports and search components provide the means to bring about the culture of openness and accountability that is advocated by COSO.

COSO Requirement: Risk Assessment

This portion of internal control deals with identifying the risks associated with a given control objective. The risks need to be measurable, and the control activities need to be designed to provide visibility into how the risks are being addressed. This includes risk assessments built throughout the systems development process as well as the infrastructure operations and change process.

Solidcore Capability: Solidcore provides risk mitigation capabilities that are transparent and measurable, addressing this COSO requirement. In particular, Solidcore provides real-time notification of changes so that any breach of process can be tracked as soon as it happens. Solidcore also includes a tamper-proof Independent System of Record to mitigate the risk of unauthorized access to the audit trail.

COSO Requirement: Control Activities

Control activities are the policies, procedures and practices that are carried out to ensure that business objectives are reached and risks are mitigated. These controls include:

- Data controls: backup and recovery process.
- System software controls: controls over acquisition, implementation and maintenance of software systems.
- Access controls: rights management.
- Development controls: controls over systems development methodology.

Solidcore Capability: Solidcore provides the capabilities to selectively enforce how changes are applied on production systems. Enforcement is flexible and can be tailored to specific requirements, such as restricting changes to a small set of administrators or preventing changes during a fiscally sensitive time window. As with all Solidcore capabilities, all change activity is tracked so that each control activity can be verified.

COSO Requirement: Information and Communication

In order to manage risk and ensure process integrity, COSO requires that a clear communication plan be established. It is important to identify what information is needed and to ensure that the information is communicated to the relevant people in a timely manner. Of particular importance is ensuring the quality of the information: it must be appropriate, timely, current, accurate and accessible.

Solidcore Capability: Solidcore provides a closed-loop documentation capability that (a) reconciles documented changes with actually deployed changes, and (b) creates documentation for changes that did not go through the approval process (e.g. an emergency change). All changes are tracked in real time and can be integrated with an alerting system to provide timely, current, accurate and accessible information on changes to production systems.

COSO Requirement: Monitoring

Monitoring refers to the oversight of internal controls by management through continuous and point-in-time assessment processes. Continuous monitoring requires that process failures and remediation be detected and corrected on an ongoing basis. Point-in-time monitoring refers to internal audits, external audits and other scheduled regulatory examinations.

Solidcore Capability: Solidcore provides real-time alerts to meet the continuous monitoring requirement: any change made outside of process can trigger an alert as soon as it happens. In addition, Solidcore comes with a fully featured reporting module that can be customized to meet the requirements of all scheduled regulatory examinations.

Summary
The Sarbanes-Oxley Act (SOX), passed by the US Congress in 2002, represents a fundamental shift in corporate governance norms. Achieving compliance is not a one-time project but must be part of an ongoing process that is sustained over time. In today's corporate environments, control over IT systems is critical to any compliance program. A sustainable compliance program will need to automate the verification and enforcement of IT controls in a manner that causes low operational overhead and decreases the documentation burden on systems administrators and audit personnel. Solidcore's solutions offer enterprises a simple and efficient way to meet their IT compliance requirements in a sustainable manner. Solidcore provides visibility, accountability and selective enforcement of existing processes. These capabilities enable enterprises to automate and enforce internal IT controls and thereby build a sustainable compliance program.


Appendix A: COBIT Framework


While COSO identifies five components of internal control that need to be in place and integrated to achieve financial reporting and disclosure objectives, COBIT provides a more detailed view of these controls as they relate to IT. Each of the 34 items in the COBIT framework maps to one or more of the five COSO components, as detailed in the table below. Solidcore capabilities are outlined where applicable; Solidcore can help with 21 of the 34 COBIT guidelines. The remaining guidelines deal mostly with issues of corporate strategy.

COBIT Requirement / Solidcore Capability

Plan and Organize (IT Environment)

COBIT requirements:
- IT strategic planning
- Information architecture
- Determine technological direction
- IT organization and relationships
- Manage the IT investment
- Communication of management aims and direction
- Management of human resources
- Compliance with external requirements
- Assessment of risks
- Manage projects
- Management of quality

Solidcore capability:
- Leverage existing IT investments with Solidcore, and connect disparate silos of change information.
- Gain visibility into the change process and create an action plan for process improvement.
- Monitor policy breaches, produce audit trails and reports to verify compliance.
- Real-time alerts to gain up-to-the-second visibility into changes occurring on production systems.
- Maintain systems in a verified state for reduced unplanned downtime.

Acquire and Implement (Program Development and Program Change)

COBIT requirements:
- Identify automated solutions
- Acquire or develop application software
- Acquire technology infrastructure
- Develop and maintain policies and procedures
- Install and test application software and technology infrastructure
- Manage changes

Solidcore capability:
- Reconcile deployed changes with actual changes, thereby providing verification that policies were followed.
- Maintain policies by enabling selective enforcement mechanisms.
- Quicken test cycles by maintaining staging servers and production servers in a consistent state.
- Complete trail of all changes across the enterprise, categorized and reconciled with authorization and purpose.

Deliver and Support (Computer Operations and Access to Programs and Data)

COBIT requirements:
- Define and manage service levels
- Manage third-party services
- Manage performance and capacity
- Ensure continuous service
- Ensure systems security
- Identify and allocate costs
- Educate and train users
- Assist and advise customers
- Manage the configuration
- Manage problems and incidents
- Manage data
- Manage facilities
- Manage operations

Solidcore capability:
- Lower unplanned downtime by maintaining systems in a known and validated state.
- Meet or exceed SLAs through improved visibility.
- Reconcile third-party changes with work orders to ensure consistency and completeness of service.
- Maintain throughput and computing capacity with a solution that incurs low CPU and network overhead.
- Ensure that production and disaster recovery or backup systems are kept in a consistent state, and alert on any deviation.
- Selectively enforce process and ensure that no changes made outside of the approved process may be implemented.
- View reports on deviations from a "gold" image and get alerts for changes to configuration.
- Utilize the web-based ad-hoc search tool for forensics and quick remediation.
- Protect critical data by preventing unauthorized change to it; report on all changes to a given set of data.
- Enforce process for a proactive change control stance.

Monitor and Evaluate (IT Environment)

COBIT requirements:
- Monitoring
- Adequacy of internal controls
- Independent assurance
- Internal audit

Solidcore capability:
- Get real-time alerts on any change in the environment.
- Demonstrate adherence to published processes and controls through validation reports.
- Record changes in a tamper-proof, comprehensive Independent System of Record.
- Automate reconciliation and verification of approved changes with deployed changes.

Sustainable Sarbanes-Oxley Compliance


A Solidcore White Paper

Appendix B: Other regulatory standards


Although we focus on the provisions of the Sarbanes-Oxley Act in this white paper, there are other regulatory measures that seek to impose better governance and oversight as well. The table below summarizes a few of these compliance regimes.

HIPAA (Health Insurance Portability and Accountability Act, 1996)


HIPAA established privacy requirements and security standards for protecting the confidentiality and integrity of individually identifiable health information. It governs healthcare information of many kinds, ranging from clinical information to billing.

GLBA (Gramm-Leach-Bliley Act, 1999)


The Gramm-Leach-Bliley Act Safeguards Rule requires financial institutions to prevent unauthorized access to non-public personal information. Financial institutions must take steps to ensure the security and confidentiality of non-public personal information, which includes name, address, social security number and credit history.

CA 1386 (California Senate Bill 1386, 2003)


California enacted legislation that regulates personal financial information over and above the requirements of GLBA. Specifically, this bill requires any firm to disclose to California residents any case of their unencrypted customer data being compromised, regardless of where or how the breach occurred. Because many companies do business in California, CA 1386 is effectively a national regulation, at least within the financial services industry.

Basel II (Basel Capital Accord, 2004)


The Basel Capital Accord (Basel II) updates the international bank capital accord (Basel I) to improve consistency of capital regulations, make regulatory capital more risk sensitive, and to promote risk-management practices among large international banking organizations. Compliance requires all banking institutions to have sufficient assets to offset any risks they may face.

Payment Card Industry (PCI) Data Security Standard


The PCI Data Security Standard was introduced by Visa, MasterCard, American Express, Discover and other credit card issuers. All processors of credit card information are required to adhere to its twelve requirements, which are geared towards protecting cardholder information (please refer to the Solidcore white paper on PCI compliance for further details).

The Federal Information Security Management Act (FISMA), 2002


FISMA is intended to bolster computer and network security within the Federal Government and affiliated parties by mandating yearly audits. FISMA requires each federal agency to develop, document, and implement an agency-wide information security program for the information and information systems that support the operations and assets of the agency.


Contact
Email: sales@solidcore.com Web: http://www.solidcore.com Tel: 888.210.6530

2005 Solidcore Systems. Solidcore Systems, Solidcore, S3 Change Control, and Solidification are trademarks of Solidcore Systems, Inc. All rights reserved in the United States and internationally.
