Enterprise Provisioning
Reducing the Costs of Sarbanes-Oxley Compliance
Submitted by RSA Security
In the wake of a number of high-profile accounting scandals, the U.S. Congress passed the Sarbanes-Oxley Act of 2002 (SOX) to reform the accounting practices, financial disclosures and corporate governance of public companies. It not only mandated that companies strengthen and document controls to prevent fraud, but also holds CEOs and CFOs personally liable, legally and financially, for the company's compliance with the Act.
For many companies, the greatest challenge is not deciding to comply with SOX but implementing and enforcing the necessary controls, and then validating their effectiveness, in a cost-effective manner. One of the first and most critical controls is the ability to track who in the organization has access to what information, and why. The more of this user access control and monitoring can be automated, the less money and time sustainable compliance will take. To support compliance initiatives, organizations must be able to effectively:
• Ensure that only authorized users gain access to data,
• Protect data confidentiality, integrity and accuracy, and
• Control and monitor user activity.
Enterprise provisioning systems automate many of the key internal controls needed to help ensure compliance with Sarbanes-Oxley, as well as other regulatory requirements. These systems automatically apply policies and rules governing who can access which systems and what privileges they hold within them. They detect users who are not properly authorized, manage and update user rights and privileges across the enterprise, and track every change for auditing purposes.
RSA SECURITY IS YOUR COMPLIANCE PARTNER
RSA Security offers a range of solutions for helping to comply with the many regulations related to the protection of information. With more than 17,000 customers worldwide, RSA Security is an industry leader in information security. RSA Security solutions—which include solutions for identity & access management, secure mobile & remote access, secure enterprise access, secure transactions and consumer identity protection—help organizations address the requirements of SOX. This white paper explains how the Xellerate® Identity Manager provisioning and user life cycle management solution by Thor Technologies, an RSA Security strategic partner, is ideally suited to help enterprises cost-effectively support their Sarbanes-Oxley compliance initiatives.
Xellerate Identity Manager software is engineered to strictly enforce user information access policies, detect unauthorized system access privileges and ensure that such rights are immediately and accurately revoked for terminated employees, contractors or customers. Xellerate Identity Manager software can implement and track compliance with the most complex security policy requirements, as well as work with the access control mechanisms resident within leading mission-critical enterprise ERP, HR and CRM applications. Through its robust reporting and auditing capabilities, Xellerate Identity Manager is built to enable companies to demonstrate to regulators that access rights to key corporate systems are properly managed, without the need for labor-intensive testing.
The Xellerate Identity Manager solution provides a comprehensive enterprise provisioning solution optimized for identity management and is an important tool in helping companies cost-effectively enforce SOX compliance. Xellerate Identity Manager is designed to quickly and easily help firms implement, test and deploy even the most complex forms of internal controls. Its powerful reporting capabilities give management and auditors confidence in these controls. Every provisioning action and every change to a control is recorded as evidence, so auditors have the information they need in order to attest to the firm's assessment of its internal controls. Finally, due to its powerful process automation capabilities, Xellerate Identity Manager software is designed to enable firms to significantly reduce the initial and ongoing cost of audit and SOX compliance.
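The control the preceding paragraphs describe, comparing the accounts that actually exist on a financial system against HR status and an access policy, revoking what should not be there and keeping evidence of each decision, is shown below as an added example. It is illustrative code written for this page, not Xellerate Identity Manager's or RSA Security's code, and it makes no claim about how that product works internally. The HR feed, account extract, role names, entitlement strings and segregation-of-duties rules are all constructed sample data; a real provisioning system would pull the first two from an HR system and a target-application connector.

```python
"""Reconcile a financial system's account extract against the HR feed and a
role-based entitlement policy, then produce the revocations and the audit
trail a provisioning system would act on. Every dataset below is constructed
sample data; the role names, entitlements and SoD rules are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed role policy: entitlements each job role may hold on the ledger system.
ROLE_POLICY = {
    "ap_clerk":   {"AP:enter_invoice"},
    "ap_manager": {"AP:approve_payment"},
    "controller": {"GL:post_journal", "RPT:financial_statements"},
    "auditor":    {"RPT:financial_statements"},
}

# Assumed segregation-of-duties rules: combinations one person must never hold.
SOD_RULES = [
    (frozenset({"AP:enter_invoice", "AP:approve_payment"}), "enter and approve the same payment"),
    (frozenset({"GL:post_journal", "GL:close_period"}), "post journals and close the period"),
]

# Constructed HR feed: employee id -> (employment status, role).
HR_FEED = {
    "e100": ("active", "ap_clerk"),
    "e101": ("active", "ap_manager"),
    "e102": ("terminated", "controller"),
    "e103": ("active", "controller"),
}

# Constructed account extract from the target system: account -> granted entitlements.
ACCOUNT_EXTRACT = {
    "e100": {"AP:enter_invoice"},
    "e101": {"AP:approve_payment", "AP:enter_invoice"},
    "e102": {"GL:post_journal", "RPT:financial_statements"},
    "e103": {"GL:post_journal", "GL:close_period", "RPT:financial_statements"},
    "svc_legacy": {"GL:post_journal"},
}


@dataclass(frozen=True)
class Finding:
    account: str
    kind: str            # "terminated", "orphan", "excess" or "sod"
    entitlements: tuple  # entitlements the finding concerns, sorted for stable output
    reason: str


def reconcile(hr_feed, extract, policy, sod_rules):
    """Return every control violation found in the extract, in a stable order."""
    findings = []
    for account in sorted(extract):
        granted = set(extract[account])
        record = hr_feed.get(account)
        if record is None:
            # No HR record at all: nobody is accountable for this account.
            findings.append(Finding(account, "orphan", tuple(sorted(granted)),
                                    "no matching HR record"))
            continue
        status, role = record
        if status != "active":
            # Leaver still holding access: the whole account is revoked.
            findings.append(Finding(account, "terminated", tuple(sorted(granted)),
                                    f"HR status is {status}"))
            continue
        excess = granted - policy.get(role, set())
        if excess:
            findings.append(Finding(account, "excess", tuple(sorted(excess)),
                                    f"not permitted for role {role}"))
        for toxic, description in sod_rules:
            if toxic <= granted:
                findings.append(Finding(account, "sod", tuple(sorted(toxic)),
                                        f"segregation of duties: can {description}"))
    return findings


def revocations(findings):
    """Map each account to the entitlements to remove automatically.

    Terminated and orphan accounts lose everything; excess grants are trimmed
    back to the role policy. SoD breaches are reported but not auto-revoked:
    once the excess grants go the breach is usually gone, and if it persists the
    role policy itself is wrong and a person must decide which duty moves."""
    actions = {}
    for f in findings:
        if f.kind in ("terminated", "orphan", "excess"):
            actions.setdefault(f.account, set()).update(f.entitlements)
    return actions


def audit_trail(findings, when=None):
    """Produce the evidence an auditor expects: who, what, why and when."""
    stamp = (when or datetime.now(timezone.utc)).astimezone(timezone.utc).isoformat()
    records = []
    for f in findings:
        revoked = f.kind in ("terminated", "orphan", "excess")
        records.append({
            "timestamp": stamp,
            "account": f.account,
            "finding": f.kind,
            "entitlements": list(f.entitlements),
            "action": "revoked" if revoked else "flagged_for_review",
            "reason": f.reason,
        })
    return records


if __name__ == "__main__":
    found = reconcile(HR_FEED, ACCOUNT_EXTRACT, ROLE_POLICY, SOD_RULES)
    print("revoke:", revocations(found))
    for rec in audit_trail(found):
        print(rec)
```

Run on the sample data, the reconciliation leaves e100 untouched, strips AP:enter_invoice from e101 and GL:close_period from e103, disables the terminated e102 and the orphaned svc_legacy account entirely, and records the two segregation-of-duties breaches for review. Every record carries the reason and a timestamp, which is the kind of evidence, rather than a manual re-test, that lets an auditor see the control operating.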
I. AUDIT AND COMPLIANCE DRIVERS
Several sets of business drivers are forcing companies down the road to compliance. Although this paper focuses on Sarbanes-Oxley, several other legislative requirements exist for companies of varying size and in specific vertical markets (see Appendix for additional detail). In addition to these legislative requirements, most corporations' boards of directors and executive management mandate additional internal corporate governance guidelines.
The Sarbanes-Oxley Act
The U.S. Public Company Accounting Reform and Investor Protection Act of 2002 was passed to address major corporate accounting scandals that severely damaged investor confidence in the securities markets in 2001 - 2002. In addition to mandating major changes in accounting, auditing and financial reporting practices, Section 404 of the Act requires management to assess and document the effectiveness of its internal controls over financial reporting, and the company's external auditor to attest to that assessment. The aim is to prevent individuals from committing fraudulent acts that may compromise a firm's financial position or the accuracy of its financial statements.
Because SOX focuses on accounting practices, corporate governance and accountability, it has significant impact on the underlying IT systems that support corporate accounting and financial reporting. Specifically, the Act has defined a deadline for establishing, documenting and auditing adequate internal controls to prevent fraud. Internal controls are a set of formally defined business processes, corporate guidelines and other mechanisms that can materially influence a firm's financial statements. Because much of the information and processing that generate these financial statements takes the form of digital assets, corporate IT systems play a key role in enforcing such internal controls. Unauthorized access to financial systems and the data they contain may allow dishonest individuals to alter that information or commit fraud that damages the company financially and causes it to violate regulatory standards.
Of all the legislative drivers, Sarbanes-Oxley is the most far-reaching in terms of its compliance requirements and the number of firms that it affects. This is due to several factors, including:
• Company executives can personally be held legally and financially liable for acts of wrongdoing;
• It applies to any domestic and foreign companies that publicly list securities in United States markets. These companies span almost the entirety of the Global 2000, including firms that are headquartered outside of the United States;
• Such firms are increasingly concerned about potentially losing ground to competitors that are not required to comply with the Act; and
• The cost of ensuring compliance with all provisions of the Act is very high, both in hard cash and in the sheer amount of effort and manpower required.
The fact that key corporate executives carry personal financial and legal liability in the event of noncompliance ensures that SOX compliance is a key initiative in most large organizations today. In addition, many companies that are not yet public, and therefore are not obligated to comply with the Act, are voluntarily embarking on compliance efforts to demonstrate their readiness to comply with public market requirements. Finally, most corporations agree that compliance with the Act ensures that they are following generally accepted best practices for corporate governance and management.