SOX ITGC –
Everything you need to know and 5 tips to help you get started
Technology and applications are part of almost every business process in the enterprise today. From the finance department to marketing, businesses depend on technology solutions to help them run. But technology doesn't come without some risks, and that's where your IT General Controls (ITGC) come into play.
What are SOX ITGCs?
ITGCs are required by the Sarbanes Oxley Act of 2002 (SOX) to ensure the integrity of financial reports. While SOX is focused on the propriety of your financial and accounting practices, SOX ITGC controls focus on IT systems such as applications, operating systems, databases, and the supporting IT infrastructure. Your SOX ITGCs ensure IT and security activities are managed and governed according to your policies and procedures and support the effective functioning of application controls by helping to ensure the proper operation of information systems. Together ITGCs and application controls ensure the integrity of your data and processes across the IT environment to manage and mitigate risk.
An ITGC framework is typically adopted from public standards such as COSO, COBIT, or NIST. An ITGC framework is implemented to meet the requirements of an ITGC audit conducted by an external audit firm which measures the effectiveness of your IT general controls. Monitoring your controls through internal and external ITGC audits ensures that your policies are functioning properly and that any necessary adjustments are made to match the organization's evolving business environment.
What do ITGCs do?
ITGCs ensure that the systems and applications used by various departments within your organization are being used effectively and are not vulnerable to risk. Many of your business processes are supported by your ERP, such as Oracle or SAP. For example, finance, HR, purchasing, and sales all enter data used in your financial statements.
SOX governs your ITGCs because they relate to the use and management of your ERP. SOX requirements include business controls, and IT controls. SOX business controls relate to the accuracy of the data that feeds into your ERP for financial reporting. SOX IT controls cover IT general controls (ITGCs) and application controls. SOX IT controls seek to ensure your systems are accurate, complete, and free from errors that impact your financial reporting.
IT Application Controls (ITAC) and ITGCs are different but equally essential to the organization's security. ITACs are more specific than ITGCs and concentrate on a limited piece of the organization's IT systems. ITGCs consist of many types of controls, while ITACs consist of only three:
- Input - authenticates information entered into the system
- Processing - verifies transmitted data, and
- Output - validates information sent out of the system
The ITGCs oversee how your ERP functions related to tasks such as:
- Creating administrator accounts with elevated privileges for the purpose creating of accounts for other IT applications
- Software lifecycle management establishes controls to ensure the planning, design, building, testing, implementation, and maintenance are properly recorded and authorized. These controls ensure systems are implemented as intended and proper approval of changes is obtained.
- Patch management is the identification, acquisition, deployment, and verification of software updates for network devices. These include updates for operating systems, application code, and embedded systems, including servers
- Access control ensures each application has proper Password management and identity authentication
- Audit logs to ensure all transactions and changes to IT systems are recorded and available for audit
ITGCs are crucial to cybersecurity and regulatory compliance. For example, with the ability to create new user accounts, anyone could create an account with the privilege to view confidential data or change banking information and set themselves up for future payments. With negligent patch management, systems may connect to the internet with outdated security, leaving their environment vulnerable to attackers. Bad actors can exploit this weakness to infiltrate your ERP system to steal data or intellectual property.
Another area that ITGCs seek to address is external audits. During your annual SOX audit your ITCGs are examined to ensure the accuracy of your financial reporting. If your ITGCs are insufficient it can lead to disclosures to investors if your ITGCs are cited in your financial audit. You also risk losing business if poor ITGCs scare potential customers are concerned about security risks. Disclosures and poor security will also lead to costly remediation.
How to strengthen your ITGCs
Adopting a robust compliance framework, such as COBIT or COSO to address your IT risks will allow your CISO and internal audit team to conduct a risk assessment and identify weaknesses. Common weaknesses are:
- Inadequate user provisioning and de-provisioning that does not adequately control the creation of user accounts with excessive permissions and the deactivation of accounts associated with departures
- Inadequate patch management and IT change management leaves your ERP susceptible to cyber attacks and fraud
- Insufficient audit logs that don't allow for a proper incident investigation, like look-back analysis
- Deficient software development controls allow users to alter the ERP configuration or transaction records
- Insufficient configuration monitoring creates changes in the execution of your controls that can open the door to fraud and data breaches
These kinds of weaknesses are common in data breaches and other security incidents. For example, SAP and Oracle customers with poor patch management controls fail to correct vulnerabilities that allow hackers to breach ERP systems. These vulnerabilities allow bad actors to evade access controls, manipulate data and steal or alter financial records creating fraud, theft, and bribery risks.
A stress-free audit is impossible, but there are ways to limit the time, effort, cost, and impact on your team by preparing. The following tips are designed to help you get through your SOX IT audit with less pain.
- Identify responsibilities and supporting processes
Understanding the business objectives and processes your IT systems support is the most critical step you can take to manage risk under your responsibility.
Identifying the critical business processes that rely on the IT systems and data you support will help you determine the nature and scope of the controls needed for your unique environment. Identifying these elements will help you to manage your risks.
However, the risks you identify should be considered reasonable and authorized by management. This process is the key to prioritizing the risks you need to manage and serves as the basis for negotiating with auditors about what is and is not "material" in an audit. If you carry out these steps, you can easily justify your scope for risk-based audits like SOX.
- Identify and manage sensitive data
All technology-related compliance mandates dictate companies place controls around sensitive data (PII, cardholder data, sensitive financial data).
A reactive one-off approach to placing controls around data may meet these requirements, but they are stop-gap measures. A holistic approach to data security is recommended to meet compliance requirements. Even if the limits of your responsibility include only a few servers with sensitive data, it's beneficial to know the following:
- What data kinds do you have
- Where is that data stored
- What paths does that data travel on, and
- What are your data retention requirements
Start by becoming aware of the data types your company considers sensitive. Your internal audit department can identify your organization's relevant sensitive data categories and any particular data requirements or restrictions, like data encryption, life span, and removal.
The goal of a proactive data management program is to safeguard sensitive data by:
- Applying specific policies around data management
- Protecting data from unauthorized access
- Monitoring data access (including temporary access)
- Monitoring data changes (including emergency changes), and
- Deleting data when no longer required
3. Protect critical infrastructure
Business processes are essential to making your company successful. And the business applications that support those processes are equally as critical because, without them, your process breaks down. In addition to ensuring that adequate controls exist to manage protected data, it's essential to know which infrastructure components support the applications critical to executing your business processes. That means ensuring that the crucial infrastructure elements, like databases, servers, and network devices, are identified and appropriately managed. In particular, ensure they adhere to minimum security configuration baselines and are patched regularly for the latest security vulnerabilities.
- Perform a risk assessment
IT risk assessment will help you prepare for your audit by revealing security risks in your IT systems and assessing the threats they pose and barriers to SOX compliance. The risk assessment ensures that your IT infrastructure is secure, identifies potential risks, and implements controls to mitigate the identified threats.
An IT risk assessment comprises four key parts. The following are brief definitions of each component of the IT risk assessment:
- Threat: any event that could damage the company's assets. For example, a natural disaster, cyber-attacks, or website failure
- Vulnerability: any potential weakness that could allow a threat to materialize. For example, outdated antivirus software is a vulnerability that can allow a malware attack to succeed. For a complete list of specific weaknesses, visit NIST National Vulnerability Database
- Impact: the total damage incurred from a threat exploiting a vulnerability. For example, a ransomware attack might result in the disclosure of sensitive data resulting in lost business and compliance penalties
- Likelihood: the probability that a threat will occur, usually expressed in a range
- Automate where possible
Controls secure business process integrity, and control automation ensures the proper functioning of your business processes and ITGCs. Controls can be automated or partially automated with workflow solutions.
For example, applications with workflow notifications enable approvals manual approval processes, like access requests.
Control automation makes business processes more efficient and less vulnerable to human error. But automating all IT controls is not practical: effective control automation requires prioritizing your manual processes. Good candidates for automation include the following:
- Error-prone manual controls
- Processes that will save significant time, cost, and effort, for example user access approvals
- Continuous monitoring
- Intelligent audit trails, specifically continuous monitoring, will significantly benefit internal auditors
Control automation can significantly reduce the costs of maintaining compliance over time because the initial effort is a one-time cost. Automating internal controls tends to demystify the external auditor's control testing process and shorten the audit cycles. The efficiency of control automation delivers businesses three significant avenues of cost savings:
- Reduced cost associated with maintaining internal controls
- Fewer billable hours incurred by external auditors
- Fewer hours allocated by internal resources supporting compliance requirements
How SafePaaS can automate your SOX ITGCs
ITGC SOX Audit reporting is a manual, arduous process. SafePaaS delivers continuous compliance by monitoring your ITGCs in real time and with on-demand compliance reporting.
With SafePaaS, you'll pass your audit without surprises, with all potential risks secured before they materialize. And SafePaaS has integrations to all your critical financial applications that affect your SOX ITGC audit - Oracle, SAP, JD Edwards, PeopleSoft, NetSuite, Workday, and more.
With SafePaaS, you can use our seamless API integrations to your ERP application and choose from our comprehensive repository of predefined, industry-best-practice rules. SafePaaS locks down all your SOX ITGC controls so you can concentrate on your business.
Best-practice industry-focused rule catalog
SafePaaS has thousands of rules that provide immediate coverage of your compliance requirements, including SOX, GDPR, and HIPAA.
Risk-impact on finances
With the use of automation, you can prioritize your most important policy violations by measuring access risk-to-cost.
Real-time access risk mitigation
SafePaaS enables quick analysis and response to potential risk by reviewing identity access in real-time with fine-grained capabilities.
All entitlements and roles are analyzed across all applications in one single platform.
Continuous Controls Monitoring
SafePaaS monitors and identifies risks in financial transactions from applications like Oracle ERP Cloud, Oracle E-Business Suite, SAP, Microsoft Dynamics, Workday and many others and remediates them with built-in capabilities.