Journal Online
ISACA Journal, Volume 6, 2009

Managing Sarbanes-Oxley Section 404 Compliance in ERP Systems Using Information Security Control Reports

Abhik Chaudhuri, MCA, PMP, is an IBM-accredited senior IT specialist with work exposure as an IT security administrator. He has executed IT consulting projects in diverse environments. Chaudhuri can be reached at abhik.

Dipanwita Chaudhuri, ACA (ICAI), MIIA, is a consultant auditor working as manager of management consultancy services with a reputed Chartered Accountants' firm in Kolkata, India. She is a registered consultant with the Asian Development Bank. She can be reached at banerjee.

Robert E. Davis, CISA, CICA, is an independent auditor and management consultant, a Pleier Corp. author, and a Boson Software Inc. author and instructor. He has provided information systems (IS) auditing and data security consulting services to the US Securities and Exchange Commission, the United States Enrichment Corp., Raytheon Company, the US Interstate Commerce Commission, Dow Jones & Company, and Fidelity/First Fidelity (Wachovia) corporations. He can be reached at

Globally, laws and regulations have been enacted and reinforced to ensure that entities comply with a particular society's expectations for ethical behavior when conducting business.1, 2 Reflecting this premise, the US Sarbanes-Oxley Act of 2002 is a statutory compliance requirement that was enacted to improve corporate accountability by requiring publicly held companies to assess and report on the effectiveness of their internal control structure and procedures for financial reporting.3 Sarbanes-Oxley mandates consist of several sections that have been designed to improve the quality and integrity of financial reporting. However, the Sarbanes-Oxley section generally considered to directly impact IT control practices is section 404, Management Assessment of Internal Controls. Sarbanes-Oxley section 404 requires that organizations registered as US Securities and Exchange Commission (SEC) filers annually report:
• Management's responsibility to establish and maintain adequate internal control over financial reporting
• The framework used as criteria for evaluating the effectiveness of internal control over financial reporting
• Management's assessment of the effectiveness of internal control over financial reporting and disclosure of any material weaknesses

As part of Sarbanes-Oxley section 404 legal compliance assurance, an organization's independent auditors need to attest to management's assessment of internal control over financial reporting. Consequently, organizations must ensure that appropriate controls, including IT controls, are operational. Furthermore, these organizations should provide their independent auditors with documented evidence of functioning controls and results of testing procedures.

Sarbanes-Oxley edicts have placed additional demands on US corporations and on businesses worldwide that have initiated Sarbanes-Oxley-related compliance measures. Directly related to enabling management's responsibility to maintain adequate internal control over financial reporting is the Committee of Sponsoring Organizations (COSO) of the Treadway Commission's Internal Control—Integrated Framework. Appropriate governance deployment that protects assets affecting investment and expenditure decisions is critical to achieving sustainable compliance. Sarbanes-Oxley has, in practice, required spending significant time and/or money on security technology, tools and resources to ensure Sarbanes-Oxley section 404 compliance.4 Thus, within this context, information security governance is playing an important role in meeting the new demands placed on businesses by Sarbanes-Oxley. COSO indicates that internal control is a process, directed by an entity's board of directors, management and other personnel. Where applied, this process is designed to provide reasonable assurance regarding the achievement of objectives in the following categories:5
• Reliable financial reporting
• Effective and efficient operations
• Compliance with applicable laws and regulations

This paper addresses information security measures necessary for Sarbanes-Oxley section 404 compliance in enterprise resource planning (ERP) environments, the importance of information security control reports, and the procedures to be followed for creation and utilization of information security control reports for ERP systems.



GENERAL OVERVIEW OF ERP SYSTEMS

Enterprise resource planning refers to the integration and extension of a business's operational IT systems, with the end goals of making information flow within (and beyond) a company more immediate and dynamic, increasing the usefulness and shelf life of information, and making information system components more flexible.6 ERP software is typically used by organizations for seamless integration of various functional modules to ease the execution of business activities, eliminating redundancy and automating routine processes.7 Where deployed, departmental boundaries generally become softer, accessibility of data is increased for partner companies and customers, and the company's ability to respond to the marketplace is generally enhanced. This feature of ERP software brings to the forefront the necessities of segregation of duties, specific application controls and other related security issues.

Designing, deploying and monitoring ERP systems requires an integrated approach to meet the requirements of various functional areas. Therefore, operational managers need to collaborate with IT managers to define processes for implementing a robust and secure ERP system. In tandem, senior management and IT personnel should gain a comprehensive understanding of ERP interdependencies to ensure service confidentiality, integrity, availability, compliance and reliability, considering the organizational risks or challenges related to:8
• Data integrity
• User behavior
• Data conversion
• Application security
• Business continuity
• Business processes
• System functionality
• Business procedures
• Industry environment
• Business environment
• Ongoing maintenance
• Management behavior
• Underlying infrastructure

INTERNAL CONTROL STRUCTURE IMPLICATIONS

IT is commonly an integrated service requiring consideration during an audit of financial statements. As for internal control, risks are more pervasive in the IT function than in other areas of a company. To prevent any laxity in information assets protection, organizations need to establish adequate IT controls within their internal control structure. To enable section 404 compliance, senior management should make a commitment to IT service management and, specifically, drive managerial direction by designing and deploying an IT policy.9

Components of the organization's internal control structure, as defined by COSO's Internal Control—Integrated Framework, and their applicability to the IT infrastructure include the:10, 11
• Control environment—The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include management's philosophy, operating style and direction provided by the board of directors. When establishing the control environment for an ERP system, active security monitoring and activity-based rules should form part of the design.
• Risk assessment—Risk assessments enable identification and analysis of relevant risk factors associated with the achievement of objectives, thus forming a basis for determining how risks should be managed.12 Because economic, industry, regulatory and operating conditions are in constant flux, mechanisms are needed to identify and deal with entity-centric risks associated with the perceived impact of such changes.
• Control activities—Control activities are the policies and procedures helping to ensure that management's directives are carried out. They assist in ensuring that necessary actions are taken to address risks associated with the organization's objectives. Control activities occur throughout the organization at all levels and in all functions. They embrace a diverse range of activities such as approvals, authorizations, verifications, reconciliations, reviews of operating performance, protection of assets and segregation of duties. Control activities for an ERP system normally include, but are not limited to:
  – Change management
  – Incident management
  – Availability management
  – Service-level management
  – Configuration management
  – Information security management
• Information and communication—Pertinent information must be identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities. Information systems produce reports containing operational, financial and compliance-related information that make it possible to run and control the business. Effective communication must also occur in a broader sense, flowing down, across and up the organization's hierarchy. All personnel should receive a clear message from top management that control responsibilities must be taken seriously. They also must understand their own role in the internal control system and how individual activities relate to the work of others.
• Monitoring—Internal control structures need to be monitored as a process that assesses the quality of operational systems' performance over time. By most definitions, sufficient monitoring of internal controls requires continuous vigilance, in-depth assessments, and internal and external audits.13

DEFINING THE CONTROL ENVIRONMENT

The control environment construct is generally considered the most important component in the COSO-based audit framework. With an IT system, the control environment must be understood, evaluated and tested—first by management and then by the external auditors—to provide supporting evidence of adequate controls. An organization's control environment should exist as the pervasive foundational substructure affecting business processes. As discussed previously in this article, this foundational substructure is based on management's integrity and ethical values, operating philosophy and commitment to organizational competence, as well as other factors.14, 15

Under Sarbanes-Oxley, section 404 requires that management assess and report on the effectiveness of a company's internal control structure. Moreover, auditor adherence to defined standards is overseen by the Public Company Accounting Oversight Board (PCAOB)—a private-sector nonprofit corporation that oversees, regulates, inspects and disciplines accounting firms in their roles as auditors of public companies.16 As per the SEC, the cost of complying with Sarbanes-Oxley section 404 impacts smaller companies disproportionately, as there is a significant fixed cost involved in completing the assessment. To prevent such disparity, the SEC and PCAOB issued specific guidance to ease the burden of expense, so that section 404 audits and management evaluations are more risk-based and scalable to company size and complexity. Standards establish expectations and provide direction when an auditor is engaged to perform an audit of management's assessment of the effectiveness of internal control over financial reporting. The PCAOB approved Auditing Standard No. 5 for public accounting firms on 25 July 2007. The following four features of Auditing Standard No. 5 provide the greatest impact:17
• It is less prescriptive, which will eliminate auditors requiring companies to do work that is not necessary.18
• It directs auditors to focus on what matters most and eliminates unnecessary procedures from the audit. It directs auditors to the areas that present the highest risk, such as the financial statement closing process and controls designed to prevent fraud by management, and it emphasizes that the auditor is not required to scope the audit to find deficiencies that do not constitute material weaknesses. The new standard clarifies that management's process is not the focus of the audit; rather, the audit focuses on the effectiveness of a company's internal control over financial reporting.19
• It includes a principles-based approach to determine when and to what extent the auditor can use the work of others. It also allows auditors to use knowledge accumulated in previous years' audits to reduce testing.
• It makes the audit scalable (so it can change to fit the size and complexity of any company) by allowing the auditor to balance the amount of internal control testing required for audits of small and less-complex organizations. The standard also allows the auditor to consider alternative controls when there is limited segregation of duties and, where there are limited or no documentation trails, the auditor can decide to use inquiry along with other procedures, such as observation or reperformance.20

ERP INTERNAL CONTROL ACTIONS SUPPORTING SECTION 404 COMPLIANCE

Administrative processes should rely on internal controls to remain in compliance with internal and external requirements. Adequate controls to mitigate risks need to exist in critical daily business procedures. To this end, appropriate employee and specific control-related policies, procedures, standards and rules should be provided by management and reviewed periodically. Preventive controls are established to avoid undesirable circumstances and to maintain compliance with approved policies and procedures in financial and operational arenas. Technically, an information security manager should ensure that designated application owners identify, understand, test and document internal accounting security controls for relevant information assets.

To meet information reliability requirements, application safeguarding controls should be present during input, processing and output (see figure 1). Controls should be in place to check such items as accuracy, completeness, validity (e.g., proper authorization) and security (e.g., restricted access) for transactions.22 Furthermore, information-security-related application accuracy controls should include input, edit and validation routines ensuring that information integrity is assessed through deployed protection evaluations.23 Without the deployment of adequate internal controls, an organization's functions would be noncompliant, inefficient and costly to operate, and could ultimately fail.24

Figure 1—Sarbanes-Oxley Key Control Matrix
Rows (control measures): Quality Personnel; Documenting Transactions; Segregation of Duties; Authorization; Access Control; Reconcilement.
Columns (Sarbanes-Oxley key controls): Completeness; Accuracy; Validity; Security.
The original matrix marks with an X which control measures support each key control.

SECURITY MEASURES FOR SECTION 404 COMPLIANCE OF ERP SYSTEMS

The following detailed security measures can be applied to an ERP system for preventing a number of common gaps identified on the path to Sarbanes-Oxley section 404 compliance:21
• Secure identity management—Generally, organizations understand the need to accommodate access to their data—as per the accepted requirements of employees, customers and partners—in real time. Simultaneously, there is also a need to provide sensitive data protection through effectively managing user identities. Consequently, enabling strong authentication in client-server environments aids in ensuring the safety of sensitive business and process-related information.
• Identity provisioning—Senior management should make provisions for quick and secure viewing, changing, auditing and reporting of all user profiles and access privileges granted to users across the organization.
• Policy-based access control—Policy-based access control should be exercised for program and data security. Audits of access authorities at public, group, user and object levels should be performed at regular intervals.
• Data protection and integrity—If an ERP database contains sensitive customer information, the activities of users who have unrestricted access to the database should be tracked to detect unauthorized modifications. This usually requires regular journaling of changes to database tables with periodic reviews of infrastructure audit trails and reviews of the database transactions. Reviewing the before and after images of the database records and verifying authorized approvals of those changes helps in tracking processing discrepancies. For operating system (OS) level security, application and device drivers should be checked on a regular basis to identify vulnerabilities and threats that can compromise effective database protection. Only approved and tested database patches should be applied, utilizing appropriate change management procedures. For instance, users who have access to the production database should be required to change their password at least every 90 days, while assigned passwords should be strong enough to prevent compromise by random guessing or brute-force attacks. The security team should perform a daily review of logs to discover irregular activities that may jeopardize data integrity.

Thus, an organization's systems should remain secure, while the IT service supplies high-quality information, to augment other internal controls for Sarbanes-Oxley section 404 compliance.

PROCEDURES FOR CREATION AND REVIEW OF CONTROL REPORTS

Information security control reports for ERP systems are a detective control that can be utilized quarterly to verify appropriate safeguarding deployment. Detective controls are designed to identify irregular transactions or improper procedural events after they have occurred. Complementing them, an organization can undertake the following preventive actions for Sarbanes-Oxley compliance:
• Every department/functional head should be an authorized requestor for:
  – User profile creation
  – User profile activation
  – Menu access
  – User authority
  – Profile deletion
  – Report disablement
  The functional heads should be able to request access only for certain privilege levels/roles within their respective area/access level.
• As a collateral responsibility, requests should be documented on a form that mentions relevant details, such as the complete name of the user, the user's address book number, department, authorized requestor details (with signature of the authorized requestor) and a clear statement of the request.
• The IT support team should check the feasibility of the request before execution. If request fulfillment is not feasible, the authorized requestor should be informed about the policies and procedures prohibiting the execution of the request.
• Upon notification of request denial, the authorized requestor should be permitted to submit a modified form or ask the IT support team to close the ticket.

Any security flaw already existing on the ERP system, and those that were not tracked as preventive actions, should be identified and mitigated by corrective actions. This can be enabled by generating information security control reports (see figure 2). These reports can be generated quarterly by querying the ERP system's security files and journals. Business intelligence tools can be used as a report writing vehicle. Control reports can be run and printed midquarter and presented to the IT operations manager for review. Subsequently, all control reports should be reviewed and signed for accuracy and completeness by the IT operations manager every quarter of each year. Based on the deployment of detective controls, management can take proper corrective actions to remove material weaknesses.

Figure 2—Sample ERP Security Control Report
ERP Security Report: List of Interactive Users in Production Environment
Executed On: 12-Dec-2008

User Group   User Name   Environment   Address Book Number   Last Sign-on Date   Status
*CS001       Scot G      Production    98301                 3/12/2006           *Disabled
*CS002       Kallis D    Production    73452                 3/12/2006           *Disabled
*CS003       John S      Production    71296                 3/12/2006           *Disabled
*CS004       Waugh C     Production    83527                 7/30/2006           *Disabled
*CS005       Peterson L  Production    72463                 7/30/2006           *Disabled
*FI001       Wilfred T   Production    96532                 12/2/2007           *Disabled
*FI002       Dujon Q     Production    98724                 12/2/2007           *Disabled
*IT001       Rhodes M    Production    68187                 1/7/2007            *Disabled
*IT002       Hodge L     Production    17942                 1/7/2007            *Disabled
*IT003       Sen H       Production    65784                 1/7/2007            *Disabled
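As an added worked example (not code from the article or from any ERP vendor), the following Python script loads a small in-memory stand-in for an ERP security file and object authority list, then produces the figure 2 style list of interactive production users together with three checks of the kind the article lists among control procedures: enabled profiles with no sign-on in the previous quarter, profiles whose enforced password change interval exceeds the 90-day requirement stated above, and sensitive objects reachable through a public profile. The table layout, field names, sample rows, object names and the 90-day inactivity window are constructed assumptions for illustration.

```python
"""Quarterly ERP information security control report (added worked example).

The tables, field names, sample rows, object names and policy thresholds are
constructed assumptions for illustration, not any ERP vendor's schema.
"""
import sqlite3
from datetime import date, timedelta

# Policy thresholds assumed for the example. The 90-day password change
# requirement is the one the article states for production database users;
# "not logged on in the previous quarter" is approximated as 90 days.
MAX_PASSWORD_AGE_DAYS = 90
INACTIVITY_DAYS = 90
SENSITIVE_OBJECTS = {"GL_LEDGER", "ADDRESS_BOOK"}  # hypothetical object names
REPORT_DATE = date(2008, 12, 12)                   # "Executed On" date, as in figure 2

# Constructed sample security file rows:
# (user_group, user_name, environment, address_book_number,
#  last_signon as ISO date or None, pwd_interval_days, status)
SAMPLE_PROFILES = [
    ("*CS001", "Scot G",    "Production", 98301, "2006-03-12", 90,  "*Disabled"),
    ("*CS002", "Kallis D",  "Test",       73452, "2008-12-10", 90,  "*Enabled"),
    ("*FI001", "Wilfred T", "Production", 96532, "2008-12-01", 90,  "*Enabled"),
    ("*FI002", "Dujon Q",   "Production", 98724, "2008-07-15", 90,  "*Enabled"),
    ("*IT001", "Rhodes M",  "Production", 68187, "2008-11-20", 0,   "*Enabled"),
    ("*IT002", "Hodge L",   "Production", 17942, "2008-10-05", 180, "*Enabled"),
    ("*IT003", "Sen H",     "Production", 65784, None,         90,  "*Enabled"),
]
# Constructed object authority rows: (object_name, profile, authority)
SAMPLE_AUTHORITIES = [
    ("GL_LEDGER",    "*PUBLIC", "*USE"),
    ("GL_LEDGER",    "*FI001",  "*CHANGE"),
    ("ADDRESS_BOOK", "*PUBLIC", "*EXCLUDE"),
    ("SALES_ORDER",  "*PUBLIC", "*USE"),
]


def load_sample_db(profiles=SAMPLE_PROFILES, authorities=SAMPLE_AUTHORITIES):
    """Load the constructed security file and authority list into SQLite."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user_profile (
            user_group TEXT, user_name TEXT, environment TEXT,
            address_book_number INTEGER, last_signon TEXT,
            pwd_interval_days INTEGER, status TEXT);
        CREATE TABLE object_authority (
            object_name TEXT, profile TEXT, authority TEXT);
    """)
    conn.executemany("INSERT INTO user_profile VALUES (?,?,?,?,?,?,?)", profiles)
    conn.executemany("INSERT INTO object_authority VALUES (?,?,?)", authorities)
    return conn


def interactive_users(conn, environment="Production"):
    """Figure 2 equivalent: every profile defined in the given environment."""
    return conn.execute("""
        SELECT user_group, user_name, environment, address_book_number,
               last_signon, status
        FROM user_profile WHERE environment = ? ORDER BY user_group""",
        (environment,)).fetchall()


def inactive_enabled_profiles(conn, as_of, days=INACTIVITY_DAYS):
    """Enabled profiles with no sign-on inside the look-back window (or never):
    obsolete-profile candidates that should be disabled or justified."""
    cutoff = (as_of - timedelta(days=days)).isoformat()  # ISO dates sort as text
    rows = conn.execute("""
        SELECT user_group FROM user_profile
        WHERE status = '*Enabled' AND (last_signon IS NULL OR last_signon < ?)
        ORDER BY user_group""", (cutoff,))
    return [r[0] for r in rows]


def password_policy_gaps(conn, max_days=MAX_PASSWORD_AGE_DAYS):
    """Enabled profiles whose enforced change interval exceeds policy;
    an interval of 0 is taken to mean the password never expires."""
    rows = conn.execute("""
        SELECT user_group FROM user_profile
        WHERE status = '*Enabled'
          AND (pwd_interval_days = 0 OR pwd_interval_days > ?)
        ORDER BY user_group""", (max_days,))
    return [r[0] for r in rows]


def public_sensitive_objects(conn, sensitive=SENSITIVE_OBJECTS):
    """'All doors closed' check: sensitive objects that *PUBLIC can reach."""
    marks = ",".join("?" * len(sensitive))
    rows = conn.execute(f"""
        SELECT object_name FROM object_authority
        WHERE profile = '*PUBLIC' AND authority <> '*EXCLUDE'
          AND object_name IN ({marks})
        ORDER BY object_name""", tuple(sorted(sensitive)))
    return [r[0] for r in rows]


def quarterly_control_report(conn, as_of=REPORT_DATE):
    """Assemble the report the IT support team hands to the IT operations
    manager for review and sign-off."""
    return {
        "executed_on": as_of.isoformat(),
        "interactive_users": interactive_users(conn),
        "inactive_enabled": inactive_enabled_profiles(conn, as_of),
        "password_policy_gaps": password_policy_gaps(conn),
        "public_sensitive_objects": public_sensitive_objects(conn),
    }


if __name__ == "__main__":
    for section, findings in quarterly_control_report(load_sample_db()).items():
        print(section, findings)
```

Each check returns the offending user groups or objects rather than printing them, so the same functions can feed a BI report writer or a ticket to the system administrator. Note that the disabled profile is deliberately left out of the inactivity finding: the report's job is to surface enabled profiles that should have been disabled, and the already disabled ones appear only in the figure 2 style listing.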

ERP control reports should be designed to cover all aspects of system security that are necessary to run a compliant Sarbanes-Oxley section 404 enterprise. Various kinds of security reports can be developed and deployed based on the ERP system design. Some examples of associated control procedures for entity-centric designed information security reports are:
• Reviewing logical security of existing user profiles
• Identifying inappropriate and obsolete user profiles
• Reviewing environment setup and user profiles that have access
• Reviewing object authorization lists and identification of obsolete objects
• Ensuring that user profiles have the appropriate password change frequency
• Reviewing users who have not logged on to the system in the previous quarter
• For an "all doors closed" security posture, verifying that sensitive objects are inaccessible through public profiles

The primary purpose of these reports is to identify possible gaps in security settings and to verify whether ERP system security is operating as directed per the organization's policies. Utilizing suitable report generation software is a simple, yet powerful, tool for extracting pertinent data from an ERP database and for uncovering security breaches. The following steps show how security control reports can be used to manage Sarbanes-Oxley section 404 compliance in ERP systems:
• Senior management, along with the IT operations manager and the functional heads, should develop standard procedures for normal business operations and review them on a quarterly basis for modifications based on the feedback from the functional heads.
• The IT operations manager should complete a risk assessment of the ERP system and define new reporting needs, in consultation with the functional heads.
• The IT support team should create the security reports by querying the security files and required tables every quarter and save them in electronic form.
• The IT support team should identify the security gaps and report them to the IT operations manager.
• The IT operations manager should review and sign the security reports for conformity.
• The IT operations manager, depending on their assigned responsibilities, should identify the actions to be taken to cover the security gaps and authorize the system administrator to take appropriate actions to remove the security gaps.
• The system administrator and the IT support team should take necessary corrective action to cover the security gaps and archive the printed reports.

Nevertheless, the IT operations manager should dispense directives to mitigate security weaknesses. The combined effect of preventive controls and detective actions, based on superior information security control reports, enables a secured, Sarbanes-Oxley section 404 compliant ERP system.

CONCLUSION

Sarbanes-Oxley has established additional standards for US corporate accountability by mandating that publicly held companies assess and report the overall effectiveness of internal control processes affecting financial reporting. Sarbanes-Oxley section 404 is applicable to IT services. In relation to IT services, qualifying organizations using ERP systems for their business are mandated to develop and document information security controls as well as processes supporting financial reporting. As a result, it is mandatory for security administration personnel to identify security gaps and take action to reduce, bridge or close them.

ENDNOTES
1 Brotby, W. Krag; Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition, IT Governance Institute, p. 7
2 The Institute of Internal Auditors, "Common Misconceptions," Tone at the Top, www.theiia.org/periodicals/newsletters/tone-at-the-top/archives-by-topic/index.cfm?c=580
3 US Congress, Sarbanes-Oxley Act of 2002, HR 3763, January 2002, http://news.findlaw.com/…/gwbush/sarbanesoxley072302.pdf
4 Hewlett-Packard, "HP ITSM and HP OpenView: An Approach to Attaining Sarbanes-Oxley Compliance," whitepaper, March 2005, whitepapers.zdnet.com

5 Wikipedia, "Committee of Sponsoring Organizations of the Treadway Commission," www.wikipedia.org
6 Robinson, Scott; "A Developer's Overview of ERP," Developer.com, www.developer.com/…/php/3446551
7 Wikipedia, "Enterprise Resource Planning (ERP) Systems," www.wikipedia.org
8 Mandal, Purnendu; Angappa Gunasekaran; "Issues in Implementing ERP: A Case Study," European Journal of Operational Research, vol. 146, 2003, p. 274-283
9 Shang, Shari; Peter B. Seddon; "A Comprehensive Framework for Classifying the Benefits of ERP Systems," University of Melbourne, www.unimelb.edu.au
10 IT Governance Institute, IT Control Objectives for Sarbanes-Oxley, 2nd Edition, 2006
11 Op cit, Wikipedia, "Committee of Sponsoring Organizations of the Treadway Commission"
12 Karl Nagel & Company LLC, "Applying COSO's Enterprise Risk Management—Integrated Framework," www.sarbanes-oxley.com
13 Soxlaw, "Sarbanes-Oxley Section 404," www.soxlaw.com
14 Wikipedia, "Sarbanes-Oxley Act," www.wikipedia.org
15 Wikipedia, "Sarbanes-Oxley 404 top-down risk assessment," www.wikipedia.org
16 Op cit, US Congress
17 US Securities and Exchange Commission, "SEC Approves PCAOB Auditing Standard No. 5 Regarding Audits of Internal Control Over Financial Reporting, Adopts Definition of 'Significant Deficiency'," News Release, 25 July 2007
18 IAS Plus, "SEC Approves PCAOB Auditing Standard No. 5 to Reduce Cost of SOX 404 Compliance," 27 July 2007, www.iasplus.com
19 Public Company Accounting Oversight Board, Auditing Standard No. 5, "An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements," www.pcaobus.org/…/the_Board/Auditing_Standard_No.5.pdf
20 Public Company Accounting Oversight Board, "An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements and Related Independence Rule and Conforming Amendments," PCAOB Release No. 2007-005A, www.pcaob.org/…/Release_No_2007-005A.pdf
21 Check Point Software Technologies, "Achieving Sarbanes-Oxley Act Section 404 Compliance With Check Point Solutions," whitepaper, www.ventech.com
22 Ethisphere, "Sarbanes-Oxley: Financial and Accounting Disclosure," http://ethisphere.com
23 ISACA, Information Systems Standards, Guidelines, and Procedures for Auditing and Control Professionals, www.isaca.org
24 Ibid.

© 2009 ISACA. All rights reserved.
