Here we are in the third week of NCSAM, and it's time for some security education!
The whole point of education is to dispel myths. Talking to a lot of customers across a wide spectrum of industries, we found that the same myths and confusions about the SOX regulations come up again and again. The most common ones concern:
- Compliance with Section 404
- Responsibilities of the auditors
- Implications of Outsourcing, etc.
A very basic example is that many organizations treat SOX compliance as a technology mandate, when in reality it is primarily a financial reporting mandate. So this week, let us look at the top three myths and what SOX compliance actually implies in each case.
MYTH 1: SOX is all about defining Financial Business Practices and Data Security
To start with, SOX compliance does not prescribe financial practices or how to secure your financial records; it instead focuses on which records must be retained. Also, when it discusses in-house or internal control, it predominantly refers to financial controls, not data security. Unlike other compliance regulations such as HIPAA or PCI, SOX does not specify any particular data security requirements such as password protection or encryption.
MYTH 2: Meeting Section 404 compliance once means that you are compliant
Myths don't get much bigger than this, because compliance is very much a continuous process. More precisely, Section 404 certification has to happen every year. As your organization grows and changes, you need to regularly monitor, evaluate and test your systems to ensure they still meet the policy requirements.
Secondly, if part of your process is outsourced, that does not mean compliance is taken care of for you. If that process is likely to have an impact on your financial systems, you remain responsible for the controls at your outsourced unit. Hence, you need to continuously monitor and test the systems at your outsourced unit as well.
MYTH 3: My auditor is solely responsible for SOX
SOX clearly states that it is the organization, not the auditor, that is accountable for its financial reports and disclosures. Your auditor can only assist you by checking your reports; your organization remains responsible for them. In fact, SOX explicitly prohibits auditors from providing certain services in order to avoid conflicts of interest. To be clear, this does not mean SOX prevents you from approaching your auditor for other services such as tax preparation; rather, it becomes your audit committee's responsibility to determine who provides those tax services.
Also, if you missed the SANS Analytics & Security Intelligence Webcast, you can watch it here.