The responsibility of maintaining the security of your financial systems from prying eyes has taken on increasing importance with the requirements for SOX compliance. Auditors want to know: Who has access to your financial applications? What are they doing with that access? And how confident are you in your financial statements?
SOX compliance is required for all publicly traded companies and for companies preparing for an IPO. Beyond the legal mandate, the principles of SOX are sound business practice for any company. In this article, we cover:
The Sarbanes-Oxley Act of 2002, also known as the "Public Company Accounting Reform and Investor Protection Act," the "Corporate and Auditing Accountability, Responsibility, and Transparency Act," or simply "SOX," is a US law designed to "protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws."
From 2000 to 2002, the investment community was shaken by a series of public company failures; among the most notable were WorldCom, Enron, and Tyco International. These failures stemmed from company management falsifying financial statements that misled the public investing community, resulting in billions of dollars of losses and causing a lack of trust in US securities markets.
SOX established new requirements for public companies and their accounting firms to implement internal controls that ensure transparency in financial reporting. The law also imposes criminal penalties and fines on corporate officers who engage in fraudulent practices.
The law, named after its sponsors, US Senator Paul Sarbanes (D-MD) and US Representative Michael G. Oxley (R-OH), gives the Securities and Exchange Commission (SEC) responsibility for enforcement. The law also created the Public Company Accounting Oversight Board (PCAOB), operating under SEC oversight, to regulate and inspect the accounting firms that act as independent auditors of public companies.
Generally, public companies, wholly owned subsidiaries, and publicly traded foreign companies that do business in the US must comply with SOX.
In addition, the law prohibits accounting firms that audit a public company from also providing bookkeeping, internal audit, financial information system design and implementation, or certain other non-audit services to that client.
Private companies preparing for an Initial Public Offering (IPO) must be ready to comply with SOX once they become public.
The goal of SOX is to provide transparency and accuracy about a company's financial position for the benefit of investors, employees, and the general public. The law requires businesses to establish controls over their internal security and business systems and to have those controls verified by independent external auditors. The law also holds a company's CEO, CFO, and board of directors accountable for its financial reporting.
Companies that adhere to SOX compliance requirements, whether legally bound to do so or not, have better control over the security of their premises, backup and recovery efforts, and access to critical financial and information systems.
This control translates into tangible benefits for the organization, including:
Probably the most significant challenge to SOX compliance is the cost.
Establishing and maintaining the infrastructure to ensure compliance with SOX requirements for security and accuracy can be challenging. Startup companies going IPO often have to completely rethink their business processes to meet SOX compliance restrictions regarding security and user access controls.
SOX requires an annual external audit of these controls and the systems that support them, including in-scope IT hardware, software, access procedures, and the security of anything within the scope of the law. These audits are costly and time-consuming.
Many companies conduct internal audits first to identify and correct compliance issues before bringing in the external auditor, adding to the cost of compliance.
CEOs and CFOs who knowingly submit fraudulent financial statements can be charged fines up to $5 million and up to 20 years in jail. In addition, non-compliance can result in the company being delisted from public stock exchanges.
Two sections of the Sarbanes-Oxley Act are of particular interest here.
While SOX does not offer a list of specific controls, it does expect organizations to show proof of security controls for areas such as change management, backup systems, and access to the company premises and business systems. In short, SOX is concerned with "establishing and maintaining an adequate internal control structure and procedures for financial reporting."
Since SOX focuses on the accuracy of the data feeding the financial reporting, it requires that businesses have controls to ensure the financial systems and the IT applications supporting them are accurate. Any system involved with the capture of financial data that affects your financial reporting is within the scope of SOX.
Examples of SOX controls include segregation of duties, account reconciliations, applying the principle of least privilege to limit user access to business-critical applications, and removing developers' ability to move their own code into production without independent review and approval.
Although these controls are critical to auditors, it is not the auditors who own the controls – it is the individual business process owners that are responsible for establishing the roles and maintaining the controls for a company.
SOX controls testing verifies that the controls actually keep the system free from fraud and error. The tests should leave an auditable record showing how each control prevented or detected erroneous transactions before they reached the financial statements.
SOX requires that publicly traded companies certify that they have instituted controls over their financial reporting, among other stipulations. SOX compliance programs include Segregation of Duties controls in critical areas of financial responsibility. Effective management of segregation of duties conflicts and user access to business-critical applications can significantly improve a company's ability to meet SOX audit requirements.
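The segregation of duties control described above, as an added illustration that is neither Fastpath's code nor any ERP's own API: a small Python checker that takes constructed role-to-permission and user-to-role data (all role, permission and user names are hypothetical), reports which conflicting permission pairs each user holds and through which roles, and evaluates a proposed role change before it is provisioned. In a real deployment the two dictionaries would be replaced by exports from the ERP's security tables.

```python
"""Segregation-of-duties (SoD) conflict check over ERP role assignments.

Added illustration, not Fastpath code. Roles, permissions and users below
are constructed sample data standing in for an ERP's security export.
"""
from dataclasses import dataclass

# Hypothetical business-process permissions granted by each role.
ROLE_PERMISSIONS = {
    "AP_CLERK":      {"VENDOR_CREATE", "INVOICE_ENTER"},
    "AP_MANAGER":    {"INVOICE_APPROVE", "PAYMENT_RELEASE"},
    "GL_ACCOUNTANT": {"JOURNAL_POST", "JOURNAL_APPROVE"},  # conflicts on its own
    "READ_ONLY":     {"REPORT_VIEW"},
}

# Conflict matrix: permission pairs one person must never hold together,
# each with the fraud scenario it would enable (constructed examples).
SOD_RULES = [
    ("VENDOR_CREATE", "PAYMENT_RELEASE", "create a fictitious vendor and pay it"),
    ("INVOICE_ENTER", "INVOICE_APPROVE", "enter and approve own invoices"),
    ("JOURNAL_POST", "JOURNAL_APPROVE", "post and approve own journal entries"),
]

# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": ["AP_CLERK", "READ_ONLY"],
    "bob":   ["AP_CLERK", "AP_MANAGER"],   # conflict arises only from the combination
    "carol": ["GL_ACCOUNTANT"],            # conflict built into a single role
}


@dataclass(frozen=True)
class Conflict:
    user: str
    perm_a: str
    perm_b: str
    risk: str
    via: tuple  # (roles granting perm_a, roles granting perm_b), for the audit trail


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Map each permission the user effectively holds to the roles granting it."""
    grants = {}
    for role in roles:
        for perm in role_permissions.get(role, ()):
            grants.setdefault(perm, set()).add(role)
    return grants


def find_conflicts(user, roles, rules=SOD_RULES, role_permissions=ROLE_PERMISSIONS):
    """Return every SoD rule the user's combined role set violates.

    Cross-role conflicts are the typical audit finding: each role looks
    harmless alone, but together they let one person run a transaction
    end to end without a second pair of eyes.
    """
    grants = effective_permissions(roles, role_permissions)
    found = []
    for perm_a, perm_b, risk in rules:
        if perm_a in grants and perm_b in grants:
            via = (tuple(sorted(grants[perm_a])), tuple(sorted(grants[perm_b])))
            found.append(Conflict(user, perm_a, perm_b, risk, via))
    return found


def whatif(user, current_roles, add=(), remove=(), **kw):
    """Conflicts a proposed role change would introduce or resolve, evaluated
    before anything is provisioned (the check an approver should see)."""
    proposed = (set(current_roles) | set(add)) - set(remove)
    before = set(find_conflicts(user, current_roles, **kw))
    after = set(find_conflicts(user, proposed, **kw))
    return {"introduced": after - before, "resolved": before - after}


def audit_report(assignments, **kw):
    """Per-user conflict list in a form that can be filed as audit evidence."""
    return {user: find_conflicts(user, roles, **kw) for user, roles in assignments.items()}


if __name__ == "__main__":
    for user, conflicts in audit_report(USER_ROLES).items():
        for c in conflicts:
            print(f"{user}: {c.perm_a} + {c.perm_b} via {c.via}: {c.risk}")
    change = whatif("alice", USER_ROLES["alice"], add=["AP_MANAGER"])
    print("granting AP_MANAGER to alice would introduce", len(change["introduced"]), "conflict(s)")
```

Run as a script it prints the conflict list and the what-if result for a proposed grant; the `via` field records which roles produced each half of the conflict, which is what an auditor needs in order to trace a finding back to a specific role design decision.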
While all public companies must comply with Section 404(a), SOX gives smaller companies and newly public companies an exemption period before they must fully comply with Section 404(b), the external auditor's attestation of internal controls. In addition, the Jumpstart Our Business Startups Act (JOBS Act) extends the Section 404(b) exemption period to as long as five years for certain companies covered by the act.
Regardless of the length of the exemption, all public companies must eventually demonstrate full SOX compliance. Therefore, it is in their best interest to put the necessary controls in place sooner than later.
Some questions that an auditor might ask include:
Going public is complex. Unfortunately, many growing companies do not have the proper controls processes in place. If you are considering taking the leap with an IPO, now is the time to invest in building your internal processes to support SOX reporting, governance, and compliance.
Ernst & Young recently stated, "Companies that exceeded overall market returns following an IPO have typically implemented critical organizational changes to begin acting like a public company a full 12 to 24 months prior to going public."
Whether the goal is expansion, retiring debt, increasing R&D, or buying out investors, the primary reason most companies go public is to raise capital.
Most public companies run their financials on Enterprise Resource Planning (ERP) systems such as Microsoft Dynamics, NetSuite, SAP, and Oracle Cloud. The best time to institute secure access controls is while implementing a new ERP. Once the system is live, changing security profiles and processes is much harder.
Too often, the compliance team is left out during the implementation phase. Companies incur higher long-term costs if they must go back and redesign or retrofit their solution with compliant controls or security architecture.
If your company has already implemented an ERP, take the time to make sure you have SOX-compliant controls in place before moving ahead with your IPO. Configuring SOX controls should be treated with the same process used during the ERP implementation: a companywide project with executive-level commitment, budget, timeline, personnel, and project management.
Many companies wait to address these processes and tasks until after they go public. They think they can always go back and address these issues later as a short-term project. However, as the Hall of Fame basketball player and coach John Wooden once said, "If you don't have time to do it right, when will you have time to do it over?" Preparing for SOX compliance should occur concurrently with your other preparations for IPO rather than trying to fit it in after the fact.
Once you file your IPO, your company will be scrutinized by regulators, auditors, and investors, and any anomalies will be identified. The consequences of failing a SOX audit at this point will adversely affect investor confidence in your company, which, in turn, will affect your company's stock price.
Your access to capital can also be affected by fraud or misappropriation of company funds. It doesn't matter if your company is going public, is public, wants to remain private, or is seeking private equity funds, there are adverse consequences if, during the due diligence phase, it is discovered that someone has been embezzling funds. Undetected fraud can scare off potential investors and private equity firms, seriously derailing your chances of accessing new capital.
Auditors and regulators are looking closely at how companies of all sizes address internal security and access risk management. Fastpath enables organizations to streamline and automate key processes by delivering a variety of preventative, detective, and reactive control capabilities.
Fastpath Assure is a cloud-based risk and compliance management platform that helps companies achieve process efficiency, reduced costs, and enhanced control over their fraud, auditing, and compliance efforts.
With Fastpath, you can:
Other security tools available from Fastpath include:
Audit Trail – Track user activity, noting changes to critical data and configuration settings, including before and after values, when, and by whom.
Identity Manager – Streamline user setup and provisioning while adding approvals and audit trails into the process.
Security Designer – Create new roles or edit existing ones and see where conflicts exist now versus where they would exist if the proposed changes were made. Choose the model that fits your needs at the lowest risk level before provisioning.
Risk Quantification – Quantify the financial exposure of Segregation of Duties conflicts in your ERP environment and assign a value to those risks. Delivering this critical information to auditors allows them to focus on the areas with the most significant monetary impact on the organization.
SAP Custom Code Checker – Interrogate the target SAP environment line by line to determine if indirect, unintended access is granted to users.
Transaction Control Monitor (TCM) for Oracle EBS – Identify transactions with a potential risk or that exceed acceptable thresholds, allowing management to focus on the areas with the greatest monetary impact on the organization.
Universal Product Integration (UPI) – Fastpath has pre-built integrations to many ERP, CRM, and HCM applications. UPI extends Fastpath's cross-platform coverage by letting users build their own integrations to all in-scope applications, so all access risks can be viewed from a single dashboard.
For a customized product demonstration based on your specific needs, please contact us here.
If you're looking for a step-by-step plan to help you get started on an overall risk assessment, and a plan for correction, this paper is for you. Inside you will learn how to begin, and then execute on, developing your own risk assessment plan.
Building A Strong Security Architecture for Oracle ERP Cloud - Protect your company with this Step-by-Step approach. For companies looking to move to Oracle ERP Cloud, it is critical to include a strong application security design aimed to deter fraud, and ensure that transactions performed in the cloud are appropriate and authorized. Whether you're implementing or redesigning your Oracle project, follow this guide to achieve a secure Oracle ERP Cloud system and avoid the common pitfalls in the process.
Building roles and implementing strong security in D365FO can be a daunting task, so we created a tool to assist in designing security roles for Dynamics 365 for Finance and Operations.
Whether you know the importance of access controls or not, implementing and maintaining them can still be a difficult part of your SAP security plan. This eBook reviews what access controls are, how SAP handles them, how you should implement and maintain them, and even suggests some tools to make the process easier on you.