Challenges of SOX Compliance For IT Systems

SOX compliance for IT systems has become an increasingly important issue for organizations of all kinds. Intended to assign a quantifiable level of accountability to organizations and the IT controls that impact financial reporting operations, the act includes two sections that affect IT departments—section 302 (Corporate Responsibility for Financial Reports) and section 404 (Management Assessment of Internal Controls). Of course, failure to meet these, or any other requirements levied by SOX standards, can result in serious penalties and loss of credibility.

Predictably, the problem here is that SOX compliance is not easy. There are many obstacles that stand in the way of ensuring proper adherence to the multitude of regulatory compliance expectations, which, among other things, require monitoring of failed logins and database activity, user privilege escalation, privileged user actions and sensitive data access. Section 404, in particular, demands that IT administrators assess the internal controls that relate to financial reporting, initiate new controls as needed, and evaluate such controls on a yearly basis. Moreover, organizations must be able to prove that they have put these controls into practice at all times.

One of the biggest challenges here lies within the very nature of privileged users, who are often important and trusted company employees—the type who don’t appreciate being questioned for possible fraudulent activity. To decrease the likelihood of this type of necessary and uncomfortable questioning, IT departments often manage privileges by restricting and segregating them (if an employee can do X, he cannot do Y; conversely, if an employee can do Y, he cannot do X). Unfortunately, by restricting administrator permissions, organizations are indirectly limiting productivity.

Monitoring privileged-user database access is difficult in that the very users being monitored often have the credentials necessary to “beat the system” by deleting fraudulent logs that they do not want to be seen. Again, however, restricting those credentials hinders efficiency, as administrators often use database log facilities as a debugging mechanism.

Another difficulty surrounds the necessity to audit access failures, whether they be invalid login attempts or failed efforts to retrieve privileged files. Either way, these types of activities are potential warning signs of fraudulent activities and must be tracked to appease SOX auditors.

Additional challenges include monitoring of schema modifications to ensure the veracity of the data structures being audited, and monitoring of privilege changes to maintain visibility into the user directory. It is also important to audit access to sensitive system and data tables, such as SQL Server events.

Other obstacles that stand in the way of SOX compliance for IT systems include insufficient database logs, ineffective data reporting and poor event alerting. The necessity to reproduce events by identifying major happenings within the audit trail, archive each event for future audits, ensure audit log security, produce scheduled reports for auditors, and be consistently aware of potential warnings of fraudulent activity (such as repeated failed login attempts) makes life more than difficult for IT administrators.
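As an added illustration (not code from the article or from Netwrix), the following Python sketch shows two of the controls described above on constructed sample audit events: a hash-chained audit trail whose verification detects a deleted or edited record, and a scan that flags repeated failed logins, privilege grants and schema changes. The event format, field names and the failed-login threshold are assumptions.

```python
import hashlib
import json
from collections import Counter

# Constructed sample database audit events (not taken from the article).
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:01", "user": "jdoe", "action": "LOGIN_FAILED", "target": "finance_db"},
    {"ts": "2024-01-10T09:00:07", "user": "jdoe", "action": "LOGIN_FAILED", "target": "finance_db"},
    {"ts": "2024-01-10T09:00:12", "user": "jdoe", "action": "LOGIN_FAILED", "target": "finance_db"},
    {"ts": "2024-01-10T09:05:00", "user": "dba1", "action": "GRANT", "target": "ROLE sysadmin TO jdoe"},
    {"ts": "2024-01-10T09:06:30", "user": "dba1", "action": "ALTER_TABLE", "target": "gl_journal"},
    {"ts": "2024-01-10T09:07:00", "user": "app", "action": "SELECT", "target": "gl_journal"},
]

FAILED_LOGIN_THRESHOLD = 3                     # assumed alerting threshold
PRIVILEGE_ACTIONS = {"GRANT", "REVOKE", "ALTER_ROLE"}
SCHEMA_ACTIONS = {"CREATE_TABLE", "ALTER_TABLE", "DROP_TABLE"}
GENESIS = "0" * 64

def _digest(prev, event):
    body = json.dumps(event, sort_keys=True)
    return hashlib.sha256((prev + body).encode()).hexdigest()

def chain_events(events):
    """Write events into a hash chain: each entry commits to the previous hash.
    Deleting or editing any record breaks every later link, so a privileged
    user cannot quietly remove an inconvenient entry from the trail."""
    chain, prev = [], GENESIS
    for ev in events:
        h = _digest(prev, ev)
        chain.append({"prev": prev, "event": ev, "hash": h})
        prev = h
    return chain

def verify_chain(chain):
    """Return the index of the first broken link, or -1 if the trail is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or _digest(prev, entry["event"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1

def findings(events):
    """Flag the patterns the article says auditors expect to see tracked."""
    fails = Counter(e["user"] for e in events if e["action"] == "LOGIN_FAILED")
    out = [f"repeated failed logins: {u} ({n})" for u, n in fails.items() if n >= FAILED_LOGIN_THRESHOLD]
    out += [f"privilege change by {e['user']}: {e['target']}" for e in events if e["action"] in PRIVILEGE_ACTIONS]
    out += [f"schema change by {e['user']}: {e['target']}" for e in events if e["action"] in SCHEMA_ACTIONS]
    return out
```

Storing the chain head hash somewhere the database administrators cannot write (a separate log server or a write-once archive) is what turns the check into an actual control rather than a self-report.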

The need to monitor multiple databases for multiple auditors of multiple compliance regulations can make for a confused IT department. Unconsolidated and inconsistent reports generated by different programs can result in non-compliance. Furthermore, the segregation of credentials and duties amongst IT administrators managing the network of varying systems can cause additional problems. Auditors demand that privileged user monitoring information be maintained beyond the scope of the users being monitored, so the massive system of juggled rights and contradictory expectations can result in one giant nightmare for administrators tasked with managing SOX compliance endeavors.

Fortunately, Netwrix Auditor automates the process, simplifying an otherwise strenuous and mistake-prone task. For example, the NetWrix All-in-One Suite includes a cast of proven change management solutions, such as the Active Directory, SQL Server, Group Policy, File Server, Exchange and VMware Change Reporters, as well as Inactive Users Tracker, Event Log Manager, Password Expiration Notifier, Password Manager and Account Lockout Examiner. In short, products like the NetWrix All-in-One Suite help maintain established controls by tracking and reporting all changes in the IT infrastructure for auditing purposes and by implementing secure identity management practices to ensure system security.

All public companies in the U.S. are subject to Sarbanes-Oxley (SOX) compliance without exception and, regardless of what measures they take, must find ways to adhere to its standards. SOX compliance requirements also apply to the overseas operations of U.S. public companies and to international companies listed on U.S. exchanges. Failure to comply with SOX can result in fines of up to 5 million dollars and up to 20 years of imprisonment for the C-level executives accountable for SOX implementation. Other countries have similar laws—for example, Canada enacted a regulation known as Bill 198, Japan established the aptly named J-SOX, and both are very similar to the “American” SOX.

Stephen is a former Product Manager at Netwrix.