
Sarbanes-Oxley: Technical enforcement of IT controls

By Duc Pham, Vormetric
July 20, 2004 12:00 PM ET

Computerworld - Nov. 15 looms large for corporate executives who will soon have to certify compliance with Section 404 of the Sarbanes-Oxley Act.

Their assertions on the effectiveness of internal controls over financial reporting within public financial statements, together with the requirement of independent attestation by the company's auditors, significantly raise the level of personal risk to those executives signing quarterly and annual corporate reports.


Without question, a key component allowing management to assert the strength of its controls over the financial reporting process focuses on system controls in the organization's IT environment. Critical elements of the IT environment include the controls that ensure the overall performance and integrity of IT systems affecting financial systems, business process application controls and specific controls of applications.


Strong technical safeguards that prevent violations of policies and procedures will strengthen the effectiveness of the overall IT control environment, significantly reduce initial compliance and subsequent testing costs, mitigate risk within the IT environment and enhance the overall quality of business operations.


Annual compliance with Sarbanes-Oxley Section 404 requires more than just updating processes and documentation to ensure the integrity of financial data. Management must continue to evaluate and test their internal controls over financial reporting across all business units and functional areas as risk factors evolve over time. While Sarbanes-Oxley doesn't specify which measures to take to mitigate risks introduced by control weakness, the use of strong technical safeguards to enhance the control environment is critical.


Moreover, sole reliance on human or "soft" controls, such as written but unenforced procedures, and on detective procedures, such as manual audit reviews, will result in significant recurring costs associated with periodic retesting of the environment, especially where the risk of a significant IT vulnerability is present. In this scenario, achieving annual compliance will require compensating measures that rely on unenforced policies and manual processes, the costs of which can easily exceed the cost of implementing technical safeguards.


This chart shows some examples of specific costs associated with the risks introduced by weak internal controls over enterprise data integrity:

IT Control Process (CobiT Framework) / Risk / Compliance Costs

Acquire and Maintain Application Software

Risk:
• Introduction of unauthorized applications or unauthorized modification of applications may result in incorrect financial reporting
• Unauthorized changes can threaten reliability of separation of duty controls

Compliance costs (compensating controls that may include):
• Frequent and regular audits of system and application integrity
• Testing to determine vulnerabilities to data arising from modified applications
• Increased documentation and planning of manual controls
• Increased supervision of systems administration activities

Ensure Systems Security

Risk:
• Inappropriate use or viewing of sensitive data by unauthorized data users

Compliance costs (compensating controls that may include):
• Extensive risk analysis
• Increased documentation and planning of supervisory controls
• Review of application-level audit reports

Manage the Configuration

Risk:
• Inappropriate use or viewing of sensitive data by unauthorized administrators

Compliance costs (compensating controls that may include):
• Extensive risk analysis
• Increased documentation and planning of supervisory and activities management controls

Manage Data

Risk:
• Introduction of tampered data through an unauthorized data restoration
• Vulnerability of stored backup data to inappropriate use
• Exposure of data to unauthorized users during data management operations

Compliance costs (compensating controls that may include):
• Extensive risk analysis
• Improved documentation and planning of backup and restoration process
• Notification to data users of data restoration and review of data management audit records



