The Sarbanes-Oxley (SOX) law is a legislative act that was passed in the United States in 2002 as a result of financial scandals at large publicly traded corporations. Its main purpose is to monitor and control the companies listed on the U.S. stock market and registered with the related exchanges and regulatory bodies (NYSE, NASDAQ and SEC). The law also applies to foreign companies listed on these exchanges.
This control validates that financial statements and corporate actions are not altered or manipulated, whether accidentally or deliberately, so as to present a situation different from the real one.
The law includes several sections, among them section 404 (Management Assessment of Internal Controls), which usually affects IT and is a standard that must be taken into account in such organizations.
SOX 404 focuses on evaluating internal controls involved in the generation of financial reporting and handling of financial data. Thus systems, staff and technology infrastructure that support many of the financial and accounting processes of the business are audited.
When speaking of SOX in the IT field, we should not confuse the terms. A company does not certify its IT against SOX; rather, IT must meet a number of requirements that allow the business to certify its financial processes under SOX.
Since many companies listed on the U.S. stock market outsource some of their critical services (such as IT) to third parties, these service providers become an essential component for the purposes of the organization's financial reporting, and are involved in the various transactions related to the financial status of the company.
For this reason, these suppliers must undergo a due diligence process that ensures their internal controls are controlled and certified. To carry out this assessment of internal controls over the organization's financial reporting, service providers pass an audit process known as SAS 70, which produces the SAS 70 Type II report; this report guarantees that the supplier's internal controls meet the SOX requirements of its client.
Many organizations have relied on IT management best-practice frameworks, such as COBIT® or ITIL®, to ensure compliance with SOX.
On the one hand, COBIT® gives considerable weight to risk management, security, data consistency and cost control, with its 34 control objectives, each associated with a set of specific activities.
Among the different areas in COBIT®, the following are the most useful in supporting SOX compliance:
- Acquire and maintain software applications.
- Acquire and maintain technology infrastructure.
- Develop and maintain policies and procedures.
- Install and accredit software technology infrastructure.
- Manage changes.
- Define and manage service levels.
- Manage third-party services.
- Ensure systems security.
- Manage the configuration.
- Manage problems and incidents.
- Manage data.
- Manage operations.
The combination of COBIT®, with another framework such as ITIL best practices, formalizes the relationship between various aspects of IT and the financial management structure of a company.
ITIL® also has various processes that contribute more directly to SOX compliance:
- Change Management in enterprise applications falling within the scope of SOX.
- Incident and Problem Management in enterprise applications that fall within the scope of SOX.
- Release and Deployment Management of enterprise applications that fall within the scope of SOX.
- Configuration Management for control of licenses, permissions, patches and other configuration items (CIs) in the CMDB related to applications and infrastructure within the scope of SOX.
- Information Security Management to control the information security of the organization.
- Access Management in addition to the security management.
- Service Level Management covers aspects that include audits required by SOX.
Another closely related standard that helps to achieve the requirements of SOX is ISO 27001. Certification to this ISO standard demonstrates compliance with the levels of IT security that SOX requires. It completes and complements the Information Security Management processes of ITIL® and COBIT®.
In summary, although SOX does not require the adoption of IT service management best-practice frameworks such as COBIT® or ITIL®, or ISO 27001 certification, they can help bring an IT organization to the point of meeting the requirements for certifying business compliance with SOX.
What is your advice about the best way to meet SOX requirements?