- Management's responsibility to establish and maintain adequate internal control over financial reporting.
- The framework used as criteria for evaluating the effectiveness of the company's internal control over financial reporting.
- Management's assessment of the effectiveness of the company's internal control over financial reporting, and disclosure of any material weaknesses.
How to comply
While IT security systems play a vital part in establishing many of these internal controls, SOX itself doesn't say how a company should go about it, or what types of solutions help deliver those controls. What methods and frameworks can help with this? COBIT (Control Objectives for Information and Related Technologies) is an IT governance framework that provides both company-level and activity-level objectives along with associated controls. Using COBIT, an organization can design a system of security applications and controls that supports SOX compliance. Here's a guide to how companies can interpret SOX demands and meet them using COBIT objectives, by deploying the right security solutions in the right areas.
COBIT suggests that all users should be uniquely identifiable. User identities and access rights should be maintained in a central repository, and cost-effective technical and procedural measures should be deployed and kept current to establish user identification, implement authentication and enforce access rights. It's important that an IT solution includes access control. It should also allow for the creation of granular access and authorization rules, and enforce access policies both at the perimeter and on the internal network. Enforcing the same policy at every layer, rather than only at the edge, is also what makes the underlying systems resistant to tampering.
User account management
A set of user account management procedures is advised to address requesting, establishing, issuing, suspending, modifying and closing user accounts and their related privileges, as well as performing regular management reviews of all accounts and privileges. Certain management tools allow administrators to create policies, including the mapping and assignment of groups (of users and endpoints) to resources. Solutions can also be configured to provide inline, real-time password policy validation for password length or alphanumeric requirements.
Security testing, surveillance and monitoring
Proactively testing and monitoring the IT security implementation is considered very important by COBIT. A logging and monitoring function enables early prevention or detection, and subsequent timely reporting, of unusual or abnormal activities that may need to be addressed. Any solution should record, monitor and report on system events and activity, enabling enterprises to gain a holistic view of their security and network activity trends. Consistent presentation of that data across the enterprise makes collection, analysis and response more effective.
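To make the two preceding objectives concrete, here is a small script that does what a periodic account review and a log-monitoring function would do over an audit trail: it flags privilege grants to sensitive groups that are self-approved or made outside the change window, detects repeated login failures against one account, and reconciles current group membership against an approved-entitlements list. This is an added example, not code from the original article or from COBIT or SOX; the log lines, the group names (gl_admins, payroll_approvers), the APPROVED set, and the thresholds are all constructed for illustration.

```python
"""Added example: account review and audit-log monitoring checks.
Everything below (log format, group names, thresholds, approved list) is
a constructed illustration, not a real product's schema."""
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE_GROUPS = {"gl_admins", "payroll_approvers"}   # assumed names
CHANGE_WINDOW = (8, 18)            # approved change hours, 08:00-18:00
FAIL_THRESHOLD = 5                 # login failures per account ...
FAIL_WINDOW = timedelta(minutes=10)  # ... within this sliding window

# Constructed sample audit log: timestamp actor event target [group]
SAMPLE_LOG = """\
2024-03-04T09:12:01 alice ACCOUNT_CREATE svc_reporting
2024-03-04T09:12:05 alice GROUP_ADD svc_reporting gl_admins
2024-03-04T22:41:10 bob GROUP_ADD bob gl_admins
2024-03-05T03:10:00 mallory LOGIN_FAIL mallory
2024-03-05T03:10:07 mallory LOGIN_FAIL mallory
2024-03-05T03:10:15 mallory LOGIN_FAIL mallory
2024-03-05T03:10:22 mallory LOGIN_FAIL mallory
2024-03-05T03:10:30 mallory LOGIN_FAIL mallory
2024-03-05T10:00:00 alice ACCOUNT_DISABLE dave
"""

# Constructed approved entitlements (account, group), as change management
# would record them after a manager signs off.
APPROVED = {("svc_reporting", "gl_admins"), ("erin", "gl_admins")}


def parse_log(text):
    """Turn the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines rather than crash
        events.append({
            "ts": datetime.fromisoformat(parts[0]),
            "actor": parts[1],
            "event": parts[2],
            "target": parts[3],
            "group": parts[4] if len(parts) > 4 else None,
        })
    return events


def find_privilege_anomalies(events):
    """Sensitive-group grants that are self-approved or outside the window."""
    findings = []
    for e in events:
        if e["event"] != "GROUP_ADD" or e["group"] not in SENSITIVE_GROUPS:
            continue
        if e["actor"] == e["target"]:
            findings.append(("SELF_GRANT", e["target"], e["group"]))
        if not CHANGE_WINDOW[0] <= e["ts"].hour < CHANGE_WINDOW[1]:
            findings.append(("OUT_OF_WINDOW", e["target"], e["group"]))
    return findings


def find_bruteforce(events):
    """Accounts with >= FAIL_THRESHOLD login failures inside FAIL_WINDOW."""
    recent = defaultdict(list)
    flagged = set()
    for e in events:
        if e["event"] != "LOGIN_FAIL":
            continue
        window = recent[e["target"]]
        window.append(e["ts"])
        while window and e["ts"] - window[0] > FAIL_WINDOW:
            window.pop(0)  # expire failures older than the sliding window
        if len(window) >= FAIL_THRESHOLD:
            flagged.add(e["target"])
    return sorted(flagged)


def review_entitlements(events):
    """Rebuild sensitive-group membership from the log and diff it against
    the approved list in both directions (unapproved and not-yet-present)."""
    current = set()
    for e in events:
        if e["group"] not in SENSITIVE_GROUPS:
            continue
        if e["event"] == "GROUP_ADD":
            current.add((e["target"], e["group"]))
        elif e["event"] == "GROUP_REMOVE":
            current.discard((e["target"], e["group"]))
    return sorted(current - APPROVED), sorted(APPROVED - current)


def run_review(text=SAMPLE_LOG):
    """Produce the report a reviewer would sign off on."""
    events = parse_log(text)
    unapproved, not_present = review_entitlements(events)
    return {
        "privilege": find_privilege_anomalies(events),
        "bruteforce": find_bruteforce(events),
        "unapproved": unapproved,
        "not_present": not_present,
    }


if __name__ == "__main__":
    for section, items in run_review().items():
        print(section, items)
```

The point of the entitlement diff is that a review has to look both ways: an account holding a sensitive group without approval is the obvious finding, but an approved grant that never appeared in the log is also worth a question, since it means the change process and the system are out of step.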