Corporate Governance (Sarbanes-Oxley – SOx – Information-Technology – IT)
-
The Sarbanes-Oxley Act of 2002 (SOx) (a/k/a the Public Company Accounting Reform and Investor Protection Act, and the Corporate and Auditing Accountability, Responsibility, and Transparency Act) was originally enacted to regulate the financial industry, which is heavily dependent upon the information technology (IT) industry for split-second support of the myriad domestic financial transactions that occur at every moment of every day here in the United States, and of the international financial transactions that occur in every part of the globe.
-
It is no wonder then, that over time, SOx practitioners have developed specialized financial, IT-related audit practices, checklists, compliance protocols and internal controls to increase security and to strengthen the efficacy of SOx.
-
As regards IT-related security, the interpretation of SOx Sections 302 and 404 together has coalesced over time to reinforce the need for enterprises to concentrate on some key issues, such as for example (in no particular order of precedence): complete transparency when undergoing an external independent SOx audit (including: granting the auditors permission to access all internal controls; full disclosure of any security breaches to the auditors; reporting all identified design deficiencies and technical problems with internal controls to the auditors); constant monitoring of all enterprise key defensive internal controls; continuous analysis of all data regarding all enterprise security systems; documentation of all activity timelines within the enterprise infrastructure; implementing internal controls that monitor all access attempts to key areas of the enterprise IT infrastructure; monitoring for and tracking of data breaches; preventing data tampering; constant testing and verification of all internal controls.
-
Thus, when an external independent SOx auditor performs or supports an external independent SOx audit of any enterprise involved in domestic or international financial transactions of any type, such auditor may find itself mired in the minutiae of many exceptionally complex acronyms, agencies, bulletins, derivatives rules, guidelines, laws, ordinances, policies, protocols, standards, statutes, trade organizations, treaties, and the like (collectively, governance burdens) that may relate in any way to such financial transactions – whether such governance burdens are directly on-point or only of tangential application – and regardless, such external independent SOx auditor will be responsible for verifying any enterprise internal controls that may relate in any way to those governance burdens, and for reporting on them in the final SOx report, such as:
-
domestic consumer-protection – Alternative Mortgage Transaction Parity Act (AMTPA); Children’s Online Privacy Protection Act (COPPA); Community Reinvestment Act (CRA); Consumer Credit Protection Act (CCPA); Consumer Financial Protection Bureau (CFPB); Consumer Leasing Act (CLA); Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank); Employee Retirement Income Security Act (ERISA); Emergency Economic Stabilization Act (EESA); Fair Housing Act (FHA); Federal Home Loan Banks (FHLB); Federal Home Loan Mortgage Corporation (FHLMC); Federal Housing Administration (FHA); Federal National Mortgage Association (FNMA); Flood Disaster Prevention Act (FDPA); Home Mortgage Disclosure Act (HMDA); Homeowners Protection Act (HOPA); Housing and Economic Recovery Act (HERA); Housing and Urban Development (HUD); Protecting Tenants at Foreclosure Act (PTFA); Real Estate Settlement Procedures Act (RESPA); Riegle Community Development and Regulatory Improvement Act; Secure and Fair Enforcement Program for Mortgage Licensing Act (SAFE); Telephone Consumer Protection Act (TCPA); Uniform Electronic Transactions Act (UETA); Unlawful Internet Gambling Enforcement Act (UIGEA); unfair or deceptive acts and practices (originally “UDAP”, but expanded to add “abusive” under Dodd-Frank, so “UDAAP”).
-
domestic privacy-related – Bank Secrecy Act (BSA) (as amended by the USA PATRIOT Act); California Confidentiality of Medical Information Act (CMIA); California Consumer Privacy Act (CCPA); California Online Privacy Protection Act (CalOPPA); California Privacy Rights Act (CPRA); Children’s Online Privacy Protection Act (COPPA); Clarifying Lawful Overseas Use of Data Act (CLOUD Act); Committee of Sponsoring Organizations of the Treadway Commission (COSO); Communications Decency Act (CDA); Computer Fraud and Abuse Act (CFAA); Control Objectives for Information and Related Technology (CobIT); Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM); Cybersecurity Maturity Model Certification (CMMC); Data & Marketing Association (DMA) Guidelines; Digital Advertising Alliance (DAA); Digital Millennium Copyright Act (DMCA); Do-Not-Call Implementation Act (D-N-C); Electronic Communications Privacy Act (ECPA); Electronic Fund Transfer Act (EFTA); Electronic Signatures in Global and National Commerce Act (e-SIGN Act); Equal Credit Opportunity Act (ECOA); Equal Employment Opportunity Commission (EEOC); Family Educational Rights and Privacy Act (FERPA); Customer Information Protection (CIP) rules; Federal Information Security Management Act (FISMA); Federal Risk and Authorization Management Program (FedRAMP); Federal Trade Commission (FTC) Behavioral Advertising Principles; FTC Telemarketing Sales Rule; Foreign Intelligence Surveillance Act (FISA); Gramm-Leach-Bliley Act (GLBA) Financial Privacy Rule (FPR); Health Information Technology for Economic and Clinical Health Act (HITECH); Health Insurance Portability and Accountability Act (HIPAA); Illinois Biometric Information Privacy Act (BIPA); Information Technology General Controls (ITGC); Information Technology Governance Institute (ITGI); Maine Privacy Act (MPA); Massachusetts Data Protection Act (MDPA); Mobile Marketing Association (MMA) Best Practices; National Association of Insurance Commissioners (NAIC) Model Audit Rule; National Institute of Standards and Technology (NIST) 800-53 and 800-171; National Labor Relations Board (NLRB); Network Advertising Initiative (NAI) Guidelines; New York State Department of Financial Services (NYDFS) Cybersecurity Regulation 23 NYCRR 500; New York State SHIELD Act; Occupational Safety and Health Administration (OSHA); Payment Card Industry Data Security Standard (PCI DSS); Pen Registers and Trap and Trace Devices Statute (Pen-Trap Statute); Right to Financial Privacy Act (RFPA); Securities and Exchange Commission (SEC); Statement on Standards for Attestation Engagements (SSAE) 18 SOC 2; Privacy of Consumer Financial Information (Regulation S-P); SEC Office of Compliance Inspections and Examinations (OCIE); Statement on Auditing Standards (SAS) 70; Stored Communications Act (SCA); Student Online Personal Information Protection Act (SOPIPA); Systems and Organization Controls (SOC) 1-3 reports; Telephone Consumer Protection Act (TCPA); Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (TRACED Act); United States (U.S.) Consumer Product Safety Commission (CPSC); Vermont Data Broker Law (DBL); Video Privacy Protection Act (VPPA); W3C Web Content Accessibility Guidelines (WCAG); Wiretap Act (WA).
-
Federal finance-related – Acts (such as the 1933, 1934, 1939, 1940 Investment Advisers, 1940 Investment Company and 1970 Securities); anti-boycott laws (the 1977 amendments to the Export Administration Act and the Ribicoff Amendment to the 1976 Tax Reform Act); Bank Bribery Amendments Act of 1985; Bank Holding Company Act (BHCA); Bank Merger Act (BMA); Bank Protection Act (BPA); Bank Secrecy Act (BSA); Commodity Futures Trading Commission (CFTC); Equal Credit Opportunity Act (ECOA); Fair and Accurate Credit Transactions Act (FACTA); Fair Credit Reporting Act (FCRA) and Regulation V; Fair Debt Collection Practices Act (FDCPA); False Claims Act (FCA); Federal Deposit Insurance Act (FDIA); Federal Deposit Insurance Corporation (FDIC); Federal Deposit Insurance Corporation Improvement Act (FDICIA); Federal Financial Institution Examination Council (FFIEC); Federal Housing Administration (FHA); Federal Reserve Act (FRA); Federal Reserve Board (FRB); FRB Regulations B, C, D, E, F, G, M, O, P, V, W, X, Z, AA, DD and GG; Federal Reserve System; Federal Trade Commission (FTC); Financial Industry Regulatory Authority (FINRA); Financial Stability Oversight Council (FSOC); Foreign Corrupt Practices Act (FCPA); Gramm-Leach-Bliley Act (GLBA - a/k/a Financial Services Modernization Act - FSMA); Office of Management and Budget (OMB) Circular A-123 and Memoranda M-10-22 and M-10-23; Right to Financial Privacy Act (RFPA); “safe harbor” framework; Servicemembers Civil Relief Act (SCRA); Telemarketing and Consumer Fraud and Abuse Prevention Act (TCFAPA); Telemarketing Sales Rule (TSR); Truth in Lending Act (TILA); Truth in Savings Act (TISA); United States (U.S.) Department of Housing and Urban Development (HUD); USA Patriot Act (Patriot Act);
-
international privacy-related – Basel Committee on Banking Supervision (Basel); Brazil Law 13.709 Lei Geral de Protecao de Dados Pessoais (LGPD); Canadian Personal Information Protection and Electronic Documents Act (PIPEDA); China Cybersecurity Law (CSL); European Union (EU) Directive 2002/58/EC (Regulation on Privacy and Electronic Communications); EU General Data Protection Regulation 2016/679 (GDPR), Directive 95/46/EC; EU Market Abuse Regulations; EU Payment Services Directive Two (PSD2); French Decree No. 2006-6, dated January 4, 2006; French Law Act No. 2002-303, dated March 4, 2002; International Control over Financial Reporting (ICFR); International Organization for Standardization/International Electrotechnical Commission (ISO/IEC – known familiarly as just “ISO”) 27000 series; Swiss Federal Data Protection Act (DPA); United Kingdom (UK) Financial Conduct Authority (FCA); UK Financial Services Authority (FSA); UK Takeover Code.
-
miscellaneous – Consumer Product Safety Commission (CPSC); Equal Employment Opportunity Commission (EEOC); Food and Drug Administration (FDA); National Labor Relations Board (NLRB); Occupational Safety and Health Administration (OSHA); U.S. Department of Housing and Urban Development (HUD).
-
Special considerations that IT SMEs within the enterprise should address when preparing to undergo an external independent audit may include whether (in no particular order of precedence): all internal controls comply, in whole or in part, with one or more of the industry-accepted frameworks – such as: Committee of Sponsoring Organizations of the Treadway Commission (COSO); Control Objectives for Information and Related Technology (CobIT); Information Technology Governance Institute (ITGI); all Statement on Standards for Attestation Engagements 18 reports (SSAE 18 SOC 2 – the standard form of report from the American Institute of Certified Public Accountants – AICPA – intended for use in evaluating all entities providing outsourced services to an enterprise that may affect the financial statements of the enterprise) have been received and reviewed; existing corporate policies include detailed protocols for protecting sensitive data; the IT infrastructure is capable of creating an accurate and decipherable audit trail documenting access to sensitive enterprise data; the incident response plan specified in the enterprise corporate policy protocols is adequate to react simultaneously to any catastrophic incident (whether human-generated or natural) against the enterprise and to protect all enterprise sensitive data; and the data classification framework makes it more efficient to enforce and monitor data-handling corporate policies.
-
Further, because of the preponderance of IT apps, platforms and solutions related to all the above-mentioned finance-related acronyms, agencies, bulletins, derivatives rules, guidelines, laws, ordinances, policies, protocols, statutes, trade organizations, treaties, and the like, the external independent auditor must also verify that all the enterprise internal controls comply with all related technical frameworks and references.
-
Regarding IT-related operational issues, the general intent of SOx Sections 302, 404 and 409 was to encourage users through the years to continuously incorporate currently available technologies that actively monitor certain cyber behaviors (such as all activities involving – accounts; databases; logins; networks; and, users) to promote data security (to prevent access to data that could allow tampering, rather than technologies that only address confidentiality issues), such as for example: a verifiable audit chain (meaning that it would be possible to double-check the findings of the external independent SOx auditor, by reviewing all the decisions made by the external independent SOx auditor, perhaps through reference to all the computer logs generated by all the devices the external independent SOx auditor used); automation of repetitive tasks (to decrease the possibility of a human operator becoming bored and negligent through performing the same task over and over); compression (removing unused space in files, resulting in smaller files, to promote a faster flow of data); data integrity (meaning that it would be possible to verify that the data sent was exactly the same as the data received, such as through the use of blockchain and checksums); data masking (also referred to as data obfuscation: modifying sensitive data so as to camouflage it, masking any flags or patterns within the camouflaged data that might alert a cracker to its actual value, while still maintaining the components and integrity of the camouflaged data, so that it may be unmasked and restored to full integrity once it has been securely received); encryption (hopefully military-grade, to prevent bad actors from accessing any data during transmission); non-repudiation (meaning the ability to prove that a document or message was received and opened by someone – presumably the intended recipient); permission restrictions (on both individual computers and networks, to decrease the number of people who may be allowed to access certain sensitive data in various situations); and the like.
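The "verifiable audit chain" and "data integrity" items above describe one mechanism from two sides: if every log entry commits to the hash of the entry before it, an auditor can later recompute the whole chain and prove that nothing was edited, deleted or reordered after the fact, and a plain checksum does the same job for a single transmitted file. The following Python is an added illustration written for this page, not tooling from the page or from any auditor; the three event records, the host name "gl-app01" and the all-zero genesis sentinel are constructed assumptions.

```python
"""Hash-chained, tamper-evident audit log plus a file checksum.

Each entry stores the hash of its predecessor, so altering, removing or
reordering any earlier entry changes every later hash and is caught on
verification. Added illustrative example; the event records below are
constructed, not real enterprise logs.
"""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the very first entry (assumed fixed sentinel)


def canonical(event: Dict) -> bytes:
    """Stable serialization so the same event always hashes to the same bytes."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(seq: int, prev_hash: str, event: Dict) -> str:
    """Hash covers the sequence number, the previous hash and the event itself."""
    h = hashlib.sha256()
    h.update(str(seq).encode())
    h.update(prev_hash.encode())
    h.update(canonical(event))
    return h.hexdigest()


def append_entry(chain: List[Dict], event: Dict) -> Dict:
    """Append an event, linking it to the current tail of the chain."""
    seq = len(chain)
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": seq, "prev_hash": prev_hash, "event": event,
             "hash": entry_hash(seq, prev_hash, event)}
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict]) -> Tuple[bool, Optional[int]]:
    """Recompute every hash and link; return (ok, index of the first bad entry)."""
    expected_prev = GENESIS
    for i, entry in enumerate(chain):
        # A gap, deletion or reorder shows up as a wrong seq or broken link.
        if entry["seq"] != i or entry["prev_hash"] != expected_prev:
            return False, i
        # An in-place edit shows up as a hash that no longer matches its content.
        if entry_hash(i, entry["prev_hash"], entry["event"]) != entry["hash"]:
            return False, i
        expected_prev = entry["hash"]
    return True, None


def file_checksum(data: bytes) -> str:
    """Checksum a transmitted artifact so the receiver can confirm it arrived unchanged."""
    return hashlib.sha256(data).hexdigest()


def build_sample_chain() -> List[Dict]:
    """Constructed sample events of the kind an access audit would review."""
    chain: List[Dict] = []
    append_entry(chain, {"ts": "2022-11-05T12:00:00Z", "actor": "jdoe",
                         "action": "login", "host": "gl-app01"})
    append_entry(chain, {"ts": "2022-11-05T12:01:30Z", "actor": "jdoe",
                         "action": "post_journal", "amount": 1250.00})
    append_entry(chain, {"ts": "2022-11-05T12:02:10Z", "actor": "jdoe",
                         "action": "logout", "host": "gl-app01"})
    return chain


def demonstrate_tampering() -> Tuple[bool, Optional[int]]:
    """Silently edit a past entry and show verification pins the first bad entry."""
    chain = build_sample_chain()
    chain[1]["event"]["amount"] = 12500.00  # edited without re-hashing
    return verify_chain(chain)


if __name__ == "__main__":
    print("intact:", verify_chain(build_sample_chain()))    # (True, None)
    print("tampered:", demonstrate_tampering())               # (False, 1)
```

The chain only proves integrity relative to its head: a copy of the latest hash kept somewhere the log writer cannot reach (a separate system, or a signed periodic export) is what stops an insider from rewriting the whole chain consistently, which is the same reason the page insists that logs be reviewable independently of the auditor's own devices.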
-
It is very important to ensure that every IT solution chosen for any participation in an external independent SOx audit must: comply with all applicable governance burdens; ensure that all internal actions to implement each IT solution are fully-documented, so that any subsequently-appearing design deficiencies may be quickly-identified and remediated; match as closely as possible whatever specifications have been established by any consultants and subject matter experts (SMEs) to the enterprise; be fully stress-tested prior to final implementation for use in the external independent SOx audit, including a full security analysis (by extremely-competent SMEs) of every facility, hardware device and software application that will have any connection to the final implementation.
-
From the perspective of an IT SME, SOx Sections 302, 401, 404, 409, 802, 902 and 906 when considered in concert together mandate special attention to several critical aspects of IT-related internal financial controls, and SOx requires that an internal controls report (attesting that adequate internal controls exist to protect the financial data of the enterprise) must be included in the final SOx report; IT SMEs therefore concentrate on the strengths and weaknesses of several types of internal controls, such as for example (in no particular order of precedence):
-
access internal controls – requiring first a detailed evaluation of how the enterprise may restrict access by certain users to certain critical functions (through permission audits and role-based access utilizing the principle of least privilege – POLP – under which only users actually required to perform certain tasks are granted access to certain devices and functions), and then the implementation of permission restrictions, thus ensuring that only users with a relevant reason to access an application or device electronically, physically or virtually can do so (including the use of relevant prevention measures, such as for example – physical devices (such as for example: biometric devices; mechanical locks; video surveillance systems) and digital preventative systems (such as for example: firewalls; and, identity and access management systems – IAMS)).
-
change management internal controls – requiring an analysis of all occurrences that might have any impact on such internal controls, such as for example – changes to the general computing infrastructure (both hardware and software); use by untrained new employees; constant software updating (perhaps requiring a patch-management platform); system configuration changes (perhaps through the use of a configuration management platform – CMP);
-
data backup internal controls – comprehensive redundancy of secure backup solutions, both on premises, and in various remote global locations;
-
security internal controls – categorizing and distributing massive amounts of data generated within the enterprise on a daily basis, monitoring for access to such data and for external attacks, protecting the security of such data, perhaps requiring a specialized software platform, such as a security information and event management (SIEM) platform.
-
In order to generate an acceptable internal controls report for inclusion in the final SOx report, an enterprise must prove to the external independent SOx auditor that the enterprise has implemented an agile, coordinated, resilient and robust cybersecurity framework that is able to block a host of cyber dangers to the enterprise, through actions and technologies such as for example: assessing the external security posture (the collective security status of all information, hardware, networks, service providers, services, software and vendors) of the enterprise, perhaps through security posture management (SPM) platforms; automatically finding data leaks (an exposure of sensitive information to the public, resulting from poor data security practices of an enterprise, such as when a cloud service provider accidentally releases thousands of personal user records, or from the negligence of a user); mitigating cyber threats (such as: data breaches; denial of service – DoS – and many other attack vectors – various nefarious attempts to gain unauthorized access to the IT infrastructure of an enterprise; infestations of viruses, and the like); monitoring security continuously, perhaps with continuous security monitoring (CSM) management platforms; preventing data breaches (cracks in the cyber defenses of the enterprise resulting from a concerted, planned attack by external crackers, for the purpose of stealing sensitive data or disrupting some important infrastructure, such as the electrical grid); screening vendor risk to the enterprise, perhaps through vendor risk management (VRM) platforms; attack surface management (ASM) (the continuous classification, discovery, inventory, prioritization and security monitoring of external digital assets that contain, process or transmit sensitive data, perhaps through attack surface management – ASM – software platforms); and, reporting to the board, management and shareholders through detailed, periodic security presentations and reports.
-
IT-related external independent SOx audits focus on a slightly-modified set of key internal controls, which can be either preventative (meaning that their purpose is to stop all external risks from damaging an enterprise system) or detective (meaning that their purpose is merely to identify the possibility of an external risk to an enterprise system, and then alert certain personnel in the enterprise about such potential external risk, so that such personnel may take action if necessary); generally preventative internal controls will take precedence over detective internal controls; such slightly-modified set of key internal controls may be identified as follows (in no particular order of precedence):
-
application internal controls – also known as automated internal controls; used to detect or prevent issues; an example would be any adjustment to a configuration setting of a system or of software controlling such system, made by a human for the purpose of detecting or preventing harm to the system, such as enabling 2-factor authentication (2FA), or enabling automatic software updates; the internal controls implemented during the COVID pandemic to allow enterprise personnel to work remotely from home were of the application internal controls variety, such as, for example – automatic backups; end-point security protocols (such as: anti-virus; automatic updates; encryption); firewalls; remote desktop protocols (RDPs); teleconferencing; videoconferencing; virtual private networks (VPNs); Voice over IP (VoIP);
-
general IT internal controls – also known formally as information technology general controls (ITGCs); generally the focus of System and Organization Controls (SOC) audits, and categorized into four (4) basic “domains” (access to data and programs; computer operations; program changes; program development), as follows:
-
access to data and programs – consists of three (3) layers (applications; databases; operating systems – each of which must be tested against the following specific internal controls) with five (5) specific internal controls, as follows:
-
verify that access data is continuously-monitored and validated by an authorized manager, and then properly implemented by such authorized manager;
-
verify that access rights of users who have left or are no longer assigned have been rescinded within a certain time period;
-
verify that all access rights are reviewed regularly;
-
verify that all passwords are correctly configured; and,
-
verify that the activity of administrators, privileged accounts and sensitive generic accounts is regularly-monitored;
-
computer operations – consists of four (4) internal controls, as follows:
-
verify that all errors in production of any data have been fully-remediated;
-
verify that all onsite data is fully-backed up at a secure location (preferably offsite) and is fully-retrievable;
-
verify that robust physical security measures have been implemented (both offsite and onsite); and,
-
when operating batch scheduling, verify that any changes to scheduling have been fully-tested and approved in advance;
-
program changes – consists of four (4) layers (applications; databases; networks; operating systems – each of which must be tested against the following specific internal controls) with three (3) specific internal controls, as follows:
-
verify that all changes to any applications are fully-tested and approved in advance, before being released for production;
-
verify that all changes to any applications are reviewed on a consistent, periodic basis; and,
-
verify that the process environments (development, testing and production) are completely segregated from each other, and adhere to an approval protocol required by an enterprise corporate policy;
-
program development – consists of four (4) internal controls, as follows:
-
verify that all modifications to enterprise resource planning (ERP) software platforms have been fully-tested and approved in advance, before implementation;
-
verify that all design deficiencies identified during the development of an application have been fully-tested and approved in advance, before implementation;
-
verify that any data identified for migration into any new program has been migrated properly; and,
-
verify that any personnel assigned to any development project are fully-competent and trained.
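The five "access to data and programs" controls listed above (and the least-privilege evaluation under access internal controls earlier on this page) are the kind of check an IT SME can run mechanically before the auditor arrives: join the HR roster against the account inventory of each layer and list every account that should have been disabled, every entitlement past its review date, every privileged account with no recent activity-log coverage, and every password setting outside policy. The Python below is an added example written for this page, not an audit tool from the page or from any framework it names; the roster, the accounts, the log-coverage dates, the thresholds in POLICY and the as-of date are all constructed assumptions that a real review would take from corporate policy and the live systems.

```python
"""ITGC access-review exceptions over constructed data.

Produces the list of findings an external auditor would ask about for the
'access to data and programs' domain. Added example; every record below is
constructed and the thresholds are assumptions, not policy from the page.
"""
from collections import Counter
from datetime import date
from typing import Dict, List, Optional

# Constructed policy thresholds (assumptions; real values come from corporate policy).
POLICY = {
    "deprovision_days": 1,     # access rescinded within one day of departure
    "review_days": 90,         # entitlements re-certified at least quarterly
    "priv_monitor_days": 7,    # privileged activity logs collected at least weekly
    "pw_min_length": 14,
    "pw_max_age_days": 90,
}

AS_OF = date(2022, 11, 5)  # constructed review date

# Constructed HR roster: employee id -> termination date (None = still employed).
HR_ROSTER: Dict[str, Optional[date]] = {
    "e100": None,
    "e101": date(2022, 10, 1),   # left over a month before AS_OF
    "e102": date(2022, 11, 4),   # left yesterday, still inside the grace period
}

# Constructed account inventory pulled from the application, database and OS layers.
ACCOUNTS: List[Dict] = [
    {"user": "alice", "emp": "e100", "layer": "application", "enabled": True,
     "privileged": False, "last_review": date(2022, 9, 1), "pw_len": 16, "pw_age": 30},
    {"user": "bob", "emp": "e101", "layer": "database", "enabled": True,
     "privileged": True, "last_review": date(2022, 8, 1), "pw_len": 16, "pw_age": 120},
    {"user": "carol", "emp": "e102", "layer": "os", "enabled": True,
     "privileged": False, "last_review": date(2022, 10, 15), "pw_len": 10, "pw_age": 10},
    {"user": "svc_batch", "emp": None, "layer": "os", "enabled": True,
     "privileged": True, "last_review": date(2022, 10, 20), "pw_len": 20, "pw_age": 40},
]

# Constructed log coverage: last date a log line was collected for each privileged account.
PRIV_LOG_LAST_SEEN: Dict[str, date] = {"bob": date(2022, 11, 4), "svc_batch": date(2022, 10, 1)}


def review_access(accounts=ACCOUNTS, roster=HR_ROSTER, priv_logs=PRIV_LOG_LAST_SEEN,
                  policy=POLICY, as_of=AS_OF) -> List[Dict]:
    """Return one finding per failed control per account, in inventory order."""
    findings: List[Dict] = []

    def flag(acct: Dict, control: str, detail: str) -> None:
        findings.append({"user": acct["user"], "layer": acct["layer"],
                         "control": control, "detail": detail})

    for a in accounts:
        # Control: access of departed users rescinded within the grace period.
        term = roster.get(a["emp"]) if a["emp"] else None
        if a["enabled"] and term and (as_of - term).days > policy["deprovision_days"]:
            flag(a, "deprovision", f"terminated {term}, account still enabled")

        # Control: all access rights reviewed regularly.
        if (as_of - a["last_review"]).days > policy["review_days"]:
            flag(a, "periodic_review", f"last review {a['last_review']}")

        # Control: privileged and generic account activity is monitored.
        if a["privileged"]:
            seen = priv_logs.get(a["user"])
            if seen is None or (as_of - seen).days > policy["priv_monitor_days"]:
                flag(a, "privileged_monitoring", f"last log coverage {seen}")

        # Control: passwords correctly configured.
        if a["pw_len"] < policy["pw_min_length"] or a["pw_age"] > policy["pw_max_age_days"]:
            flag(a, "password_config", f"length {a['pw_len']}, age {a['pw_age']} days")

    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count of exceptions per control, for the internal controls report."""
    return dict(Counter(f["control"] for f in findings))


if __name__ == "__main__":
    for f in review_access():
        print(f"{f['control']:<22} {f['layer']:<12} {f['user']:<10} {f['detail']}")
    print(summarize(review_access()))
```

Each finding names the layer it came from, because the page's control text requires the same five checks to be run against applications, databases and operating systems separately; an exception that is clean at the application layer can still exist as a leftover database login, which is exactly the case the constructed "bob" record shows.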
-
IT-dependent manual internal controls – require some involvement directly between a human and a system; an example would be a human generating a report of users logging into a particular account, which is then reviewed by a manager;
-
manual internal controls – which generally require the interaction of multiple actors in multiple systems, such as for example – a bank reconciliation of an external account compared to an internal account; manual written acknowledgement of cash received in an external lockbox bank account, with reconciliation against an internal accounts receivable balance; privacy policy receipt and sign-off by an employee of one department, collected by another department; supervisor review and sign-off of a new corporate protocol from the C-Suite; manual internal controls should have assigned owners, who are key people in the enterprise.
-
-
Drafting and negotiating all SOx-related documents and legal support for all SOx-related issues.
Progress_Page_Last_Updated_221105_1205