
Journal Online

Managing Sarbanes-Oxley Section 404 Compliance in ERP Systems Using Information Security Control Reports
Abhik Chaudhuri, MCA, PMP, is an IBM-accredited senior IT specialist with work exposure as an IT security administrator. He has executed IT consulting projects in diverse environments. Chaudhuri can be reached at abhik.chaudhuri@gmail.com. Dipanwita Chaudhuri, ACA (ICAI), MIIA, is a consultant auditor working as manager of management consultancy services with a reputed Chartered Accountants’ firm in Kolkata, India. She is a registered consultant with the Asian Development Bank. She can be reached at banerjee.dipanwita@gmail.com. Robert E. Davis, CISA, CICA, is an independent auditor and management consultant, a Pleier Corp. author, and a Boson Software Inc. author and instructor. He has provided information systems (IS) auditing and data security consulting services to the US Securities and Exchange Commission, the United States Enrichment Corp., Raytheon Company, the US Interstate Commerce Commission, Dow Jones & Company, and Fidelity/First Fidelity (Wachovia) corporations. He can be reached at bobdcisa@yahoo.com.

Globally, laws and regulations have been enacted and reinforced to ensure that entities comply with a particular society’s expectations for ethical behavior when conducting business.1, 2 Reflecting this premise, the US Sarbanes-Oxley Act of 2002 is a statutory compliance requirement that was enacted to improve corporate accountability by requiring publicly held companies to assess and report on the effectiveness of their internal control structure and procedures for financial reporting.3 Sarbanes-Oxley mandates consist of several sections that have been designed to improve the quality and integrity of financial reporting. However, the Sarbanes-Oxley section generally considered to be directly impacting IT control practices is section 404, Management Assessment of Internal Controls. Sarbanes-Oxley section 404 suggests organizations registered as US Securities and Exchange Commission (SEC) filers annually report:
• Management’s responsibility to establish and maintain adequate internal control over financial reporting
• The framework used as criteria for evaluating the effectiveness of internal control over financial reporting
• Management’s assessment of the effectiveness of internal control over financial reporting and disclosure of any material weaknesses

As part of Sarbanes-Oxley section 404 legal compliance assurance, an organization’s independent auditors need to attest management’s assessment of internal control over financial reporting. Consequently, organizations must ensure that appropriate controls, including IT controls, are operational. Furthermore, these organizations should provide their independent auditors with documented evidence of functioning controls and results of testing procedures.

Sarbanes-Oxley edicts have placed additional demands on US corporations and businesses worldwide that have initiated Sarbanes-Oxley-related compliance measures. Directly related to enabling management’s responsibility to maintain adequate internal control over financial reporting is the Committee of Sponsoring Organizations (COSO) of the Treadway Commission’s Internal Control—Integrated Framework. Appropriate governance deployment that protects assets affecting investment and expenditure decisions is critical to achieving sustainable compliance. Sarbanes-Oxley has circumstantially required spending significant time and/or money on security technology, tools and resources to ensure Sarbanes-Oxley section 404 compliance.4 Thus, within this context, information security governance is playing an important role in meeting the new demands placed on businesses by Sarbanes-Oxley. COSO indicates internal control is a process, directed by an entity’s board of directors, management and other personnel. Where applied, this process is designed to provide reasonable assurance regarding the achievement of objectives through subscribing to:5
• Reliable financial reporting
• Effective and efficient operations
• Compliance with applicable laws and regulations

This paper addresses information security measures necessary for Sarbanes-Oxley section 404 compliance in enterprise resource planning (ERP) environments, the importance of information security control reports, and the procedures to be followed for creation and utilization of information security control reports for ERP systems.

ISACA JOURNAL VOLUME 6, 2009


GENERAL OVERVIEW OF ERP SYSTEMS

Enterprise resource planning refers to the integration and extension of a business’s operational IT systems, with the end goals of making information flow within (and beyond) a company more immediate and dynamic, eliminating redundancy and automating routine processes, increasing the usefulness and shelf life of information, and making information system components more flexible.6 ERP software is typically used by organizations for seamless integration of various functional modules to ease the execution of business activities. Departmental boundaries generally become softer, accessibility of data is increased for partner companies and customers, and the company’s ability to respond to the marketplace is generally enhanced.7 Where deployed, this feature of ERP software brings to the forefront the necessities of segregation of duties, specific application controls and other related security issues. Designing, deploying and monitoring ERP systems requires an integrated approach to meet the requirements of various functional areas, considering the organizational risks or challenges related to:8
• Data integrity
• User behavior
• Data conversion
• Application security
• Business continuity
• Business processes
• System functionality
• Business procedures
• Industry environment
• Business environment
• Ongoing maintenance
• Management behavior
• Underlying infrastructure

Therefore, senior management and IT personnel should gain a comprehensive understanding of ERP interdependencies to ensure service confidentiality, integrity, availability, compliance and reliability. In tandem, operational managers need to collaborate with IT managers to define processes for implementing a robust and secure ERP system.

INTERNAL CONTROL STRUCTURE IMPLICATIONS

IT is commonly an integrated service requiring consideration during an audit of financial statements. As for internal control, risks are more pervasive in the IT function than in other areas of a company.9 Components of the organization’s internal control structure, as defined by COSO’s Internal Control—Integrated Framework, and their applicability to the IT infrastructure include the:10, 11
• Control environment—The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include management’s philosophy, operating style and direction provided by the board of directors. To prevent any laxity in information assets protection, senior management should make a commitment to IT service management and drive managerial direction by designing and deploying an IT policy.
• Risk assessment—Risk assessments enable identification and analysis of relevant risk factors associated with the achievement of objectives, thus forming a basis for determining how risks should be managed. Because economic, industry, regulatory and operating conditions are in constant flux, mechanisms are needed to identify and deal with entity-centric risks associated with perceived impact of such changes. To enable section 404 compliance, organizations need to establish adequate IT controls within their internal control structure.12
• Control activities—Control activities are the policies and procedures helping to ensure that management’s directives are carried out. They assist in ensuring necessary actions are taken to address risks associated with the organization’s objectives. Control activities occur throughout the organization at all levels and in all functions. They embrace a diverse range of activities such as approvals, authorizations, verifications, reconciliations, reviews of operating performance, protection of assets and segregation of duties. Control activities for an ERP system normally include, but are not limited to:
– Change management
– Incident management
– Availability management
– Service-level management
– Configuration management
– Information security management
• Information and communication—Pertinent information must be identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities. Information systems produce reports containing operational, financial and compliance-related information that make it possible to run and control the business. Specifically, effective communication must occur in a broader sense, flowing down, across and up the organization’s hierarchy. All personnel should receive a clear message from top management that control responsibilities must be taken seriously. They also must understand their own role in the internal control system and how individual activities relate to the work of others.
• Monitoring—Internal control structures need to be monitored as a process that assesses the quality of operational systems’ performance over time. With an IT system, sufficient monitoring of internal controls requires continuous vigilance, activity-based rules, active security monitoring, in-depth assessments, and internal and external audits.13

However, section 404 requires that management assess and report on the effectiveness of a company’s internal control structure. Under Sarbanes-Oxley, auditor adherence to defined standards is overseen by the Public Company Accounting Oversight Board (PCAOB)—a private-sector nonprofit corporation that oversees, regulates, inspects and disciplines accounting firms in their roles as auditors of public companies.14, 15 The PCAOB approved Auditing Standard No. 5 for public accounting firms on 25 July 2007. Standards establish expectations and provide direction when an auditor is engaged to perform an audit of management’s assessment of the effectiveness of internal control over financial reporting.16 As per the SEC, the following four features of Auditing Standard No. 5 provide the greatest impact:17
• It is less prescriptive. The standard, …Directs auditors to the areas that present the highest risk, such as the financial statement closing process and controls designed to prevent fraud by management. It emphasizes that the auditor is not required to scope the audit to find deficiencies that do not constitute material weaknesses.18
• It directs auditors to focus on what matters most and eliminates unnecessary procedures from the audit. The new standard clarifies that management’s process is not the focus of the audit; rather, the audit focuses on the effectiveness of a company’s internal control over financial reporting. As a result, it will eliminate auditors requiring companies to do work that is not necessary.19
• It includes a principles-based approach to determine when and to what extent the auditor can use the work of others. It also allows auditors to use knowledge accumulated in previous years’ audits to reduce testing.
• It makes the audit scalable (so it can change to fit the size and complexity of any company) by allowing the auditor to balance the amount of internal control testing required for audits of small and less-complex organizations. The standard also allows the auditor to consider alternative controls when there is limited segregation of duties, and the auditor can decide to use inquiry along with other procedures, such as observation or reperformance, when there is limited or no documentation trails, to provide supporting evidence of adequate controls.20

To this end, the cost of complying with Sarbanes-Oxley section 404 impacts smaller companies disproportionately, as there is a significant fixed cost involved in completing the assessment. To prevent such disparity, the SEC and PCAOB issued specific guidance to ease the burden of expense, so that section 404 audits and management evaluations are more risk-based and scalable to company size and complexity.

DEFINING THE CONTROL ENVIRONMENT

The control environment construct is generally considered the most important component in the COSO-based audit framework. By most definitions, this foundational substructure is based on management’s integrity and ethical values, operating philosophy and commitment to organizational competence, as well as other factors. An organization’s control environment should exist as the pervasive foundational substructure affecting business processes. More­over, the control environment must be understood, evaluated and tested—first by management and then by the external auditors. As discussed previously in this article, appropriate employee and specific control-related policies, standards and rules should be provided by management and reviewed periodically.

ERP INTERNAL CONTROL ACTIONS SUPPORTING SECTION 404 COMPLIANCE

Administrative processes should rely on internal controls to remain in compliance with internal and external requirements. Adequate controls to mitigate risks need to exist in critical daily business procedures. Controls should be in place to check such items as accuracy, completeness, validity (e.g., proper authorization) and security (e.g., restricted access) for transactions. Consequently, an information security manager should ensure that designated application owners identify, understand, test and document internal accounting security controls for relevant information assets. Technically, application safeguarding controls should be present during input, processing and output (see figure 1). To dispatch information reliability requirements, information-security-related application accuracy controls should include input, edit and validation routines ensuring that information integrity is assessed through deployed protection evaluations.22 Furthermore, an organization’s systems should remain secure, while the IT service supplies high-quality information.23 Preventive controls are established to avoid undesirable circumstances and to maintain compliance with approved policies and procedures in financial and operational arenas.24 Without the deployment of adequate internal controls, functions would be noncompliant, inefficient and costly to operate, and could ultimately fail. For example, an organization can undertake the following preventive actions for Sarbanes-Oxley compliance:
• Every department/functional head should be an authorized requestor for:
– User profile creation
– User profile activation
– Menu access
– User authority
– Profile deletion
– Report disablement
The functional heads should be able to request access only for certain privilege levels/roles within their respective area/access level.
• As a collateral responsibility, requests should be documented on a form that mentions relevant details, such as the complete name of the user, department, user’s address book number, authorized requestor details (with signature of authorized requestor) and a clear mention of the request.
• The IT support team should check the feasibility of the request before execution. If request fulfillment is not feasible, the authorized requestor should be informed about the policies and procedures prohibiting the execution of the request.
• Upon notification of request denial, the authorized requestor should be permitted to submit a modified form or ask the IT support team to close the ticket.

Figure 1—Control Measure/Sarbanes-Oxley Key Control Matrix: the Sarbanes-Oxley key controls (Quality Personnel, Documenting Transactions, Segregation of Duties, Authorization, Access Control, Reconcilement) mapped against the control measures Completeness, Accuracy, Validity and Security.

SECURITY MEASURES FOR SECTION 404 COMPLIANCE OF ERP SYSTEMS

The following detailed security measures can be applied to an ERP system for preventing a number of common gaps identified on the path to Sarbanes-Oxley section 404 compliance:21
• Secure identity management—Generally, organizations understand the need to accommodate access to their data—as per the accepted requirements of employees, customers and partners—in real time. Simultaneously, there is also a need to provide sensitive data protection through effectively managing user identities. For instance, enabling strong authentication in client-server environments aids in ensuring the safety of sensitive business and process-related information.
• Identity provisioning—Senior management should make provisions for quick and secure viewing, changing, auditing and reporting of all user profiles and access privileges granted to the users across the organization.
• Policy-based access control—Policy-based access control should be exercised for programs and data security. For operating system (OS) level security, users who have access to the production database should be required to change their password at least every 90 days, while assigned passwords should be strong enough to prevent compromise by random guessing or brute-force attacks. Audits of access authorities at public, group, user and object levels should be performed at regular intervals.
• Data protection and integrity—If an ERP database contains sensitive customer information, activities of users who have unrestricted access to the database should be tracked to detect unauthorized modifications. This usually requires regular journaling of changes to database tables with periodic reviews of infrastructure audit trails and reviews of the database transactions. Reviewing the before and after images of the database records and verifying authorized approvals of those changes helps in tracking processing discrepancies. The security team should perform a daily review of logs to discover irregular activities that may jeopardize data integrity. Additionally, application and device drivers should be checked on a regular basis to identify vulnerabilities and threats that can compromise effective database protection. Only approved and tested database patches should be applied, utilizing appropriate change management procedures, to augment other internal controls for Sarbanes-Oxley section 404 compliance.

PROCEDURES FOR CREATION AND REVIEW OF CONTROL REPORTS

Information security control reports for ERP systems are a detective control that can be utilized quarterly to verify appropriate safeguarding deployment. Detective controls are designed to identify irregular transactions or improper procedural events after they have occurred. Based on the deployment of detective controls, management can take proper corrective actions to remove material weaknesses. Any security flaw already existing on the ERP system, and those that were not tracked as preventive actions, should be identified and mitigated by corrective actions. This can be enabled by generating information security control reports (see figure 2). These reports can be generated quarterly by querying the ERP system’s security files and journals. Business intelligence tools can be used as a report writing vehicle. Control reports can be run and printed midquarter and presented to the IT operations manager for review. Subsequently, all control reports should be reviewed and signed for accuracy and completeness by the IT operations manager every quarter of each year.

Figure 2—Sample ERP Security Control Report

ERP Security Report: List of Interactive Users in Production Environment
Executed On: 12-Dec-2008

User Group   User Name    Environment   Address Book Number   Last Sign-on Date   Status
*CS001       Scot G       Production    98301                 3/12/2006           *Disabled
*CS002       Kallis D     Production    73452                 3/12/2006           *Disabled
*CS003       John S       Production    71296                 3/12/2006           *Disabled
*CS004       Waugh C      Production    83527                 7/30/2006           *Disabled
*CS005       Peterson L   Production    72463                 7/30/2006           *Disabled
*FI001       Wilfred T    Production    96532                 12/2/2007           *Disabled
*FI002       Dujon Q      Production    98724                 12/2/2007           *Disabled
*IT001       Rhodes M     Production    68187                 1/7/2007            *Disabled
*IT002       Hodge L      Production    17942                 1/7/2007            *Disabled
*IT003       Sen H        Production    65784                 1/7/2007            *Disabled
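As an added example (not code from the article), the following Python script produces a quarterly report of the kind shown in figure 2 and applies three of the control procedures described in this section: users who have not signed on in the previous quarter, password change frequency against the 90-day policy, and the "all doors closed" check of public authority to sensitive objects. The user records, object names and *PUBLIC authority values are constructed, and the field names are assumptions rather than any particular ERP product's schema.

```python
"""Quarterly ERP security control report (added example, not the article's code).

Builds the figure 2 listing (interactive Production users, last sign-on, status)
and applies three control procedures the article lists: users not signed on in
the previous quarter, password change frequency against the 90-day policy, and
an "all doors closed" check of *PUBLIC authority to sensitive objects. All
records are constructed; field names and authority values are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_PASSWORD_AGE_DAYS = 90      # policy stated in the article
NEVER_EXPIRES = 0               # constructed convention: no forced change
RUN_DATE = date(2008, 12, 12)   # "Executed On" date of figure 2


@dataclass
class UserProfile:
    group: str                   # e.g. *CS001
    name: str
    environment: str
    address_book: int
    last_signon: Optional[date]  # None: never signed on
    status: str                  # "*Enabled" or "*Disabled"
    pwd_interval_days: int = 90  # days between forced password changes


# Three rows taken from figure 2 plus four constructed additions.
SAMPLE_PROFILES = [
    UserProfile("*CS001", "Scot G", "Production", 98301, date(2006, 3, 12), "*Disabled"),
    UserProfile("*FI001", "Wilfred T", "Production", 96532, date(2007, 12, 2), "*Disabled"),
    UserProfile("*IT001", "Rhodes M", "Production", 68187, date(2007, 1, 7), "*Disabled"),
    UserProfile("*HR001", "Doe J", "Production", 11111, date(2008, 5, 15), "*Enabled", 180),
    UserProfile("*HR002", "Roe R", "Production", 22222, date(2008, 8, 20), "*Enabled", 90),
    UserProfile("*AP001", "Poe E", "Production", 33333, None, "*Enabled", NEVER_EXPIRES),
    UserProfile("*DV001", "Dev D", "Development", 44444, date(2006, 1, 1), "*Enabled", 365),
]
# Constructed object table: object name -> authority granted to *PUBLIC.
PUBLIC_AUTHORITY = {"GLPOST": "*EXCLUDE", "APPAY": "*USE",
                    "PAYROLL": "*CHANGE", "CALENDAR": "*USE"}
SENSITIVE_OBJECTS = {"GLPOST", "APPAY", "PAYROLL"}


def previous_quarter(run_date):
    """(first day, last day) of the calendar quarter before run_date."""
    cur_q_start = date(run_date.year, 3 * ((run_date.month - 1) // 3) + 1, 1)
    prev_end = cur_q_start - timedelta(days=1)
    prev_start = date(prev_end.year, 3 * ((prev_end.month - 1) // 3) + 1, 1)
    return prev_start, prev_end


def inactive_users(profiles, run_date, environment="Production"):
    """Figure 2 style listing: profiles in the environment with no sign-on
    since the start of the previous quarter. Disabled profiles stay in the
    listing so the reviewer sees which ones still need corrective action."""
    prev_start, _ = previous_quarter(run_date)
    rows = [{"group": p.group, "name": p.name, "address_book": p.address_book,
             "last_signon": p.last_signon, "status": p.status,
             "action_required": p.status == "*Enabled"}
            for p in profiles
            if p.environment == environment
            and (p.last_signon is None or p.last_signon < prev_start)]
    return sorted(rows, key=lambda r: r["group"])


def password_policy_gaps(profiles):
    """Enabled profiles whose forced-change interval is looser than policy."""
    return sorted(p.group for p in profiles
                  if p.status == "*Enabled"
                  and (p.pwd_interval_days == NEVER_EXPIRES
                       or p.pwd_interval_days > MAX_PASSWORD_AGE_DAYS))


def public_exposure(public_authority, sensitive_objects):
    """'All doors closed': sensitive objects whose *PUBLIC authority is not
    *EXCLUDE, i.e. reachable without an explicit grant."""
    return {obj: auth for obj, auth in sorted(public_authority.items())
            if obj in sensitive_objects and auth != "*EXCLUDE"}


def run_report(profiles=SAMPLE_PROFILES, run_date=RUN_DATE,
               public_authority=PUBLIC_AUTHORITY, sensitive=SENSITIVE_OBJECTS):
    """Assemble the quarterly report the IT operations manager signs off."""
    return {"executed_on": run_date.isoformat(),
            "review_period": [d.isoformat() for d in previous_quarter(run_date)],
            "inactive_users": inactive_users(profiles, run_date),
            "password_policy_gaps": password_policy_gaps(profiles),
            "public_exposure": public_exposure(public_authority, sensitive)}
```

Calling run_report() returns the three findings lists as a dictionary; rows whose action_required flag is set are the profiles the system administrator still has to disable.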

The primary purpose of these reports is to identify possible gaps in security settings and to verify whether ERP system security is operating as directed per the organization’s policies. Various kinds of security reports can be developed and deployed based on the ERP system design. Nevertheless, ERP control reports should be designed to cover all aspects of system security that are necessary to run a compliant Sarbanes-Oxley section 404 enterprise. Utilizing suitable report generation software is a simple, yet powerful, tool for extracting pertinent data from an ERP database and for uncovering security breaches. Some examples of associated control procedures for entity-centric designed information security reports are:
• Reviewing logical security of existing user profiles
• Identifying inappropriate and obsolete user profiles
• Reviewing environment setup and user profiles that have access
• Reviewing object authorization lists and identification of obsolete objects
• Ensuring that user profiles have the appropriate password change frequency
• Reviewing users who have not logged on to the system in the previous quarter
• For an “all doors closed” security policy, verifying that sensitive objects are inaccessible through public profiles

The following steps show how security control reports can be used to manage Sarbanes-Oxley section 404 compliance in ERP systems:
• Senior management, along with the IT operations manager and the functional heads, should develop standard procedures for normal business operations and review them on a quarterly basis for modifications and addendums.
• The IT operations manager should complete a risk assessment of the ERP system and define new reporting needs.
• The IT support team should create the security reports by querying the security files and required tables every quarter and save them in electronic form.
• The IT operations manager should review and sign the security reports for conformity.
• The IT support team should identify the security gaps and report them to the IT operations manager.
• The IT operations manager, in consultation with the functional heads, should identify the actions to be taken to cover the security gaps and authorize the system administrator to take appropriate actions to remove the security gaps.
• The system administrator and the IT support team should take necessary corrective action to cover the security gaps and archive the printed reports.
• Based on the feedback from the functional heads, the IT operations manager should dispense directives to mitigate security weaknesses.

CONCLUSION

Sarbanes-Oxley has established additional standards for US corporate accountability by mandating that publicly held companies assess and report the overall effectiveness of internal control processes affecting financial reporting. As a result, qualifying organizations using ERP systems for their business are mandated to develop and document information security controls as well as process supporting financial reporting. Sarbanes-Oxley section 404 is applicable to IT services, without exception. In relation to IT services, it is mandatory for security administration personnel to identify security gaps and, depending on their assigned responsibilities, take action to reduce, bridge or close security gaps. The combined effect of preventive controls and detective actions, based on superior information security control reports, enables a secured Sarbanes-Oxley section 404 compliant ERP system.

ENDNOTES

1 Brotby, Krag W.; Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition, IT Governance Institute, 2006, p. 7
2 The Institute of Internal Auditors, “Common Misconceptions,” www.theiia.org/periodicals/newsletters/tone-at-the-top/archives-by-topic/index.cfm?c=580
3 US Congress, Sarbanes-Oxley Act of 2002, HR 3763, January 2002, http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf
4 Hewlett-Packard, “HP ITSM and HP OpenView: An Approach to Attaining Sarbanes-Oxley Compliance,” March 2005, www.zdnet.co.uk/0.1000000651.2600847 22p.00.htm

5 Wikipedia, “Committee of Sponsoring Organizations of the Treadway Commission,” www.wikipedia.org
6 Robinson, Scott; “A Developer’s Overview of ERP,” Developer.com, www.developer.com/design/article.php/3446551
7 Shang, Shari; Peter B. Seddon; “A Comprehensive Framework for Classifying the Benefits of ERP Systems,” University of Melbourne, www.unimelb.edu.au
8 ISACA, “Enterprise Resource Planning (ERP) Systems Review,” Information Systems Standards, Guidelines, and Procedures for Auditing and Control Professionals, www.isaca.org/standards
9 Mandal, Purnendu; Angappa Gunasekaran; “Issues in Implementing ERP: A Case Study,” European Journal of Operational Research, vol. 146, 2003, p. 274-283
10 Op cit., Committee of Sponsoring Organizations of the Treadway Commission
11 IT Governance Institute, IT Control Objectives for Sarbanes-Oxley, 2nd Edition, 2006, p. 88–94
12 Op cit., IT Governance Institute
13 The Institute of Internal Auditors, “Applying COSO’s Enterprise Risk Management—Integrated Framework,” www.theiia.org
14 Op cit., US Congress
15 Public Company Accounting Oversight Board, “An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements,” Auditing Standard No. 5, www.pcaobus.org/Rules/Rules_of_the_Board/Auditing_Standard_No.5.pdf
16 Public Company Accounting Oversight Board, “An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements and Related Independence Rule and Conforming Amendments,” PCAOB Release No. 2007-005A, 27 July 2007, www.pcaobus.org/Rules/Docket_021/2007-06-12_Release_No_2007-005A.pdf
17 US Securities and Exchange Commission, “SEC Approves PCAOB Auditing Standard No. 5 Regarding Audits of Internal Control Over Financial Reporting, Adopts Definition of ‘Significant Deficiency’,” News Release, 25 July 2007, www.iasplus.com/usa/sec/0707as5secpr.pdf
18 Ethisphere, “SEC Approves PCAOB Auditing Standard No. 5 to Reduce Cost of SOX 404 Compliance,” http://ethisphere.com/sec-approves-pcaob-auditingstandard-no-5-to-reduce-cost-of-sox-404-compliance/
19 Ibid.
20 Wikipedia, “Sarbanes-Oxley 404 top-down risk assessment,” www.wikipedia.org
21 Check Point Software Technologies, “Achieving Sarbanes-Oxley Act Section 404 Compliance With Check Point Solutions,” 2007, www.ventech.com/PDF/SOX_whitepaper.pdf
22 Wikipedia, “Sarbanes-Oxley Act,” www.wikipedia.org
23 Soxlaw.com, “Sarbanes-Oxley Section 404,” www.soxlaw.com/s404.htm
24 Karl Nagel & Company LLC, “Sarbanes-Oxley: Financial and Accounting Disclosure Information,” www.sarbanes-oxley.com