Journal Online

Managing Sarbanes-Oxley Section 404 Compliance in ERP Systems Using Information Security Control Reports
Abhik Chaudhuri, MCA, PMP, is an IBM-accredited senior IT specialist with work exposure as an IT security administrator. He has executed IT consulting projects in diverse environments. Chaudhuri can be reached at abhik. chaudhuri@gmail.com. Dipanwita Chaudhuri, ACA (ICAI), MIIA, is a consultant auditor working as manager of management consultancy services with a reputed Chartered Accountants firm in Kolkata, India. She is a registered consultant with the Asian Development Bank. She can be reached at banerjee. dipanwita@gmail.com. Robert E. Davis, CISA, CICA, is an independent auditor and management consultant, a Pleier Corp. author, and a Boson Software Inc. author and instructor. He has provided information systems (IS) auditing and data security consulting services to the US Securities and Exchange Commission, the United States Enrichment Corp., Raytheon Company, the US Interstate Commerce Commission, Dow Jones & Company, and Fidelity/First Fidelity (Wachovia) corporations. He can be reached at bobdcisa@yahoo.com.

Globally, laws and regulations have been enacted and reinforced to ensure that entities comply with a particular societys expectations for ethical behavior when conducting business.1, 2 Reflecting this premise, the US Sarbanes-Oxley Act of 2002 is a statutory compliance requirement that was enacted to improve corporate accountability by requiring publicly held companies to assess and report on the effectiveness of their internal control structure and procedures for financial reporting.3 Sarbanes-Oxley mandates consist of several sections that have been designed to improve the quality and integrity of financial reporting. However, the Sarbanes-Oxley section generally considered to be directly impacting IT control practices is section 404, Management Assessment of Internal Controls. Sarbanes-Oxley section 404 suggests organizations registered as US Securities and Exchange Commission (SEC) filers annually report: Managements responsibility to establish and maintain adequate internal control over financial reporting The framework used as criteria for evaluating the effectiveness of internal control over financial reporting Managements assessment of the effectiveness of internal control over financial reporting and disclosure of any material weaknesses As part of Sarbanes-Oxley section 404 legal compliance assurance, an organizations independent auditors need to attest managements assessment of internal control over financial reporting. Consequently, organizations must ensure that appropriate controls, including IT controls, are operational. Furthermore, these organizations should provide their independent auditors with documented evidence of functioning controls and results of testing procedures.

Sarbanes-Oxley edicts have placed additional demands on US corporations and businesses worldwide that have initiated Sarbanes-Oxleyrelated compliance measures. Directly related to enabling managements responsibility to maintain adequate internal control over financial reporting is the Committee of Sponsoring Organizations (COSO) of the Treadway Commissions Internal ControlIntegrated Framework. Appropriate governance deployment that protects assets affecting investment and expenditure decisions is critical to achieving sustainable compliance. Sarbanes-Oxley has circumstantially required spending significant time and/or money on security technology, tools and resources to ensure Sarbanes-Oxley section 404 compliance.4 Thus, within this context, information security governance is playing an important role in meeting the new demands placed on businesses by Sarbanes-Oxley. COSO indicates internal control is a process, directed by an entitys board of directors, management and other personnel. Where applied, this process is designed to provide reasonable assurance regarding the achievement of objectives through subscribing to:5 Reliable financial reporting Effective and efficient operations Compliance with applicable laws and regulations This paper addresses information security measures necessary for Sarbanes-Oxley section 404 compliance in enterprise resource planning (ERP) environments, the importance of information security control reports, and the procedures to be followed for creation and utilization of information security control reports for ERP systems.

ISACA JOURNAL VOLUME 6, 2009

GEnERAl OvERvIEw Of ERP SyStEMS Enterprise resource planning refers to the integration and extension of a businesss operational IT systems, with the end goals of making information flow within (and beyond) a company more immediate and dynamic; increasing the usefulness and shelf life of information; eliminating redundancy and automating routine processes; and making information system components more flexible. Departmental boundaries generally become softer, accessibility of data is increased for partner companies and customers, and the companys ability to respond to the marketplace is generally enhanced.6 ERP software is typically used by organizations for seamless integration of various functional modules to ease the execution of business activities.7 Where deployed, this feature of ERP software brings to the forefront the necessities of segregation of duties, activity-based rules, active security monitoring, specific application controls and other related security issues. Designing, developing, deploying and monitoring ERP systems requires an integrated approach to meet the requirements of various functional areas. Specifically, operational managers need to collaborate with IT managers to define processes for implementing a robust and secure ERP system, considering the organizational risks or challenges related to:8 Data integrity User behavior Data conversion Application security Business continuity Business processes System functionality Business procedures Industry environment Business environment Ongoing maintenance Management behavior Underlying infrastructure IntERnAl COntROl StRuCtuRE IMPlICAtIOnS IT is commonly an integrated service requiring consideration during an audit of financial statements. To prevent any laxity in information assets protection, organizations need to 2
ISACA JOURNAL VOLUME 6, 2009

establish adequate IT controls within their internal control structure.9 Components of the organizations internal control structure, as defined by COSOs Internal ControlIntegrated Framework, and their applicability to the IT infrastructure include the:10, 11 Control environmentThe control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include managements philosophy, operating style and direction provided by the board of directors. When establishing the control environment for an ERP system, senior management should make a commitment to IT service management and drive managerial direction by designing and deploying an IT policy. Risk assessmentRisk assessments enable identification and analysis of relevant risk factors associated with the achievement of objectives, thus forming a basis for determining how risks should be managed.12 Because economic, industry, regulatory and operating conditions are in constant flux, mechanisms are needed to identify and deal with entity-centric risks associated with perceived impact of such changes. As for internal control, risks are more pervasive in the IT function than in other areas of a company. Therefore, senior management and IT personnel should gain a comprehensive understanding of ERP interdependencies to ensure service confidentiality, integrity, availability, compliance and reliability. Information and communicationPertinent information must be identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities. Information systems produce reports containing operational, financial and compliance-related information that make it possible to run and control the business. In tandem, effective communication must occur in a broader sense, flowing down, across and up the organizations hierarchy. All personnel should receive a clear message from top management that control responsibilities must be taken seriously. They also must understand their own role in the internal control system and how individual activities relate to the work of others. Control activitiesControl activities are the policies and procedures helping to ensure that managements directives are carried out. They assist in ensuring necessary actions

are taken to address risks associated with the organizations objectives. Control activities occur throughout the organization at all levels and in all functions. They embrace a diverse range of activities such as approvals, authorizations, verifications, reconciliations, reviews of operating performance, protection of assets and segregation of duties. Control activities for an ERP system normally include, but are not limited to: Change management Incident management Availability management Service-level management Configuration management Information security management MonitoringInternal control structures need to be monitored as a process that assesses the quality of operational systems performance over time. With an IT system, sufficient monitoring of internal controls requires continuous vigilance, in-depth assessments, and internal and external audits. Standards establish expectations and provide direction when an auditor is engaged to perform an audit of managements assessment of the effectiveness of internal control over financial reporting. Under Sarbanes-Oxley, auditor adherence to defined standards is overseen by the Public Company Accounting Oversight Board (PCAOB)a private-sector nonprofit corporation that oversees, regulates, inspects and disciplines accounting firms in their roles as auditors of public companies.13 However, the cost of complying with Sarbanes-Oxley section 404 impacts smaller companies disproportionately, as there is a significant fixed cost involved in completing the assessment. To prevent such disparity, the SEC and PCAOB issued specific guidance to ease the burden of expense.14, 15 The PCAOB approved Auditing Standard No. 5 for public accounting firms on 25 July 2007, so that section 404 audits and management evaluations are more risk-based and scalable to company size and complexity.16 As per the SEC, the following four features of Auditing Standard No. 5 provide the greatest impact:17 It is less prescriptive. It makes the audit scalable (so it can change to fit the size and complexity of any company) by allowing the auditor to balance the amount of internal control testing required for audits of small and less-complex organizations. The

standard also allows the auditor to consider alternative controls when there is limited segregation of duties. Moreover, when there is limited or no documentation trails, the auditor can decide to use inquiry along with other procedures, such as observation or reperformance, to provide supporting evidence of adequate controls.18 It directs auditors to focus on what matters most and eliminates unnecessary procedures from the audit. The standard; Directs auditors to the areas that present the highest risk, such as the financial statement closing process and controls designed to prevent fraud by management. It emphasizes that the auditor is not required to scope the audit to find deficiencies that do not constitute material weaknesses. It also allows auditors to use knowledge accumulated in previous years audits to reduce testing. The new standard clarifies that managements process is not the focus of the audit; rather, the audit focuses on the effectiveness of a companys internal control over financial reporting. As a result, it will eliminate auditors requiring companies to do work that is not necessary.19 It includes a principles-based approach to determine when and to what extent the auditor can use the work of others. DEfInInG thE COntROl EnvIROnMEnt The control environment construct is generally considered the most important component in the COSO-based audit framework. As discussed previously in this article, section 404 requires that management assess and report on the effectiveness of a companys internal control structure.20 To this end, the control environment must be understood, evaluated and testedfirst by management and then by the external auditors. An organizations control environment should exist as the pervasive foundational substructure affecting business processes. By most definitions, this foundational substructure is based on managements integrity and ethical values, operating philosophy and commitment to organizational competence, as well as other factors. To enable section 404 compliance, appropriate employee and specific control-related
ISACA JOURNAL VOLUME 6, 2009

policies, procedures, standards and rules should be provided by management and reviewed periodically. Controls should be in place to check such items as accuracy, completeness, validity (e.g., proper authorization) and security (e.g., restricted access) for transactions. Technically, application safeguarding controls should be present during input, processing and output (see figure 1). To dispatch information reliability requirements, an information security manager should ensure that designated application owners identify, understand, test and document internal accounting security controls for relevant information assets. For instance, information-security-related application accuracy controls should include input, edit and validation routines ensuring that information integrity is assessed through deployed protection evaluations.

fIgure 1Control Measure, Sarbanes-Oxley Key Control Matrix

Sarbanes-Oxley Key Control Control Measure Completeness Accuracy validity Security Quality Personnel Documenting Transactions Segregation of Duties Authorization Access Control Reconcilement X X X X X X X X X X X X

SECuRIty MEASuRES fOR SECtIOn 404 COMPlIAnCE Of ERP SyStEMS The following detailed security measures can be applied to an ERP system for preventing a number of common gaps identified on the path to Sarbanes-Oxley section 404 compliance:21 Secure identity managementGenerally, organizations understand the need to accommodate access to their data as per the accepted requirements of employees, customers and partnersin real time. Simultaneously, there is also a need to provide sensitive data protection through effectively managing user identities. Consequently, an organizations systems should remain secure, while the IT service supplies high-quality information. 4
ISACA JOURNAL VOLUME 6, 2009

Identity provisioningSenior management should make provisions for quick and secure viewing, changing, auditing and reporting of all user profiles and access privileges granted to the users across the organization. Policy-based access controlPolicy-based access control should be exercised for programs and data security. Audits of access authorities at public, group, user and object levels should be performed at regular intervals, to augment other internal controls for Sarbanes-Oxley section 404 compliance.22 Furthermore, enabling strong authentication in client-server environments aids in ensuring the safety of sensitive business and process-related information.23 Data protection and integrityIf an ERP database contains sensitive customer information, activities of users who have unrestricted access to the database should be tracked to detect unauthorized modifications. This usually requires regular journaling of changes to database tables with periodic reviews of infrastructure audit trails and reviews of the database transactions. Reviewing the before and after images of the database records and verifying authorized approvals of those changes helps in tracking processing discrepancies. Additionally, users who have access to the production database should be required to change their password at least every 90 days, while assigned passwords should be strong enough to prevent compromise by random guessing or bruteforce attacks. The security team should perform a daily review of logs to discover irregular activities that may jeopardize data integrity. For operating system (OS) level security, application and device drivers should be checked on a regular basis to identify vulnerabilities and threats that can compromise effective database protection. Only approved and tested database patches should be applied, utilizing appropriate change management procedures. ERP IntERnAl COntROl ACtIOnS SuPPORtInG SECtIOn 404 COMPlIAnCE Administrative processes should rely on internal controls to remain in compliance with internal and external requirements. Adequate controls to mitigate risks need to exist in critical daily business procedures.24 Without the deployment of adequate internal controls, functions would be noncompliant, inefficient and costly to operate, and could ultimately fail. Preventive controls are established to avoid undesirable circumstances and to maintain compliance with approved policies and procedures in financial and operational arenas.

For example, an organization can undertake the following preventive actions for Sarbanes-Oxley compliance: Every department/functional head should be an authorized requestor for: User profile creation User profile activation Menu access User authority Profile deletion Report disablement The functional heads should be able to request access only for certain privilege levels/roles within their respective area/ access level. As a collateral responsibility, requests should be documented on a form that mentions relevant details, such as the complete name of the user, department, users address book number, authorized requestor details (with signature of authorized requestor) and a clear mention of the request. The IT support team should check the feasibility of the request before execution. If request fulfillment is not feasible, the authorized requestor should be informed about the policies and procedures prohibiting the execution of the request.

Upon notification of request denial, the authorized requestor should be permitted to submit a modified form or ask the IT support team to close the ticket. Any security flaw already existing on the ERP system, and those that were not tracked as preventive actions, should be identified and mitigated by corrective actions. Detective controls are designed to identify irregular transactions or improper procedural events after they have occurred. Based on the deployment of detective controls, management can take proper corrective actions to remove material weaknesses. This can be enabled by generating information security control reports (see figure 2). PROCEDuRES fOR CREAtIOn AnD REvIEw Of COntROl REPORtS Information security control reports for ERP systems are a detective control that can be utilized quarterly to verify appropriate safeguarding deployment. These reports can be generated quarterly by querying the ERP systems security files and journals. Business intelligence tools can be used as a report writing vehicle. Control reports can be run and printed midquarter and presented to the IT operations manager for review. Subsequently, all control reports should be reviewed and signed for accuracy and completeness by the IT operations manager every quarter of each year.

figure 2Sample ERP Security Control Report

ERP Security Report list of Interactive users in Production Environment Executed On: user Group *CS001 *CS002 *CS003 *CS004 *CS005 *FI001 *FI002 *IT001 *IT002 *IT003 user name Scot G Kallis D John S Waugh C Peterson L Wilfred T Dujon Q Rhodes M Hodge L Sen H Environment Production Production Production Production Production Production Production Production Production Production Address Book number 98301 73452 71296 83527 72463 96532 98724 68187 17942 65784 last Sign-on Date 3/12/2006 3/12/2006 3/12/2006 7/30/2006 7/30/2006 12/2/2007 12/2/2007 1/7/2007 1/7/2007 1/7/2007 12-Dec-2008 Status *Disabled *Disabled *Disabled *Disabled *Disabled *Disabled *Disabled *Disabled *Disabled *Disabled

ISACA JOURNAL VOLUME 6, 2009

Based on the feedback from the functional heads, the IT operations manager should dispense directives to mitigate security weaknesses. Nevertheless, it is mandatory for security administration personnel to identify security gaps and, depending on their assigned responsibilities, take action to reduce, bridge or close security gaps. The following steps show how security control reports can be used to manage Sarbanes-Oxley section 404 compliance in ERP systems: Senior management, along with the IT operations manager and the functional heads, should develop standard procedures for normal business operations and review them on a quarterly basis for modifications and addendums. The IT operations manager should complete a risk assessment of the ERP system and define new reporting needs. The IT support team should create the security reports by querying the security files and required tables every quarter and save them in electronic form. The IT support team should identify the security gaps and report them to the IT operations manager. The IT operations manager, in consultation with the functional heads, should identify the actions to be taken to cover the security gaps and authorize the system administrator to take appropriate actions to remove the security gaps. The system administrator and the IT support team should take necessary corrective action to cover the security gaps and archive the printed reports. The IT operations manager should review and sign the security reports for conformity. ERP control reports should be designed to cover all aspects of system security that are necessary to run a compliant Sarbanes-Oxley section 404 enterprise. The primary purpose of these reports is to identify possible gaps in security settings and to verify whether ERP system security is operating as directed per the organizations policies. Various kinds of security reports can be developed and deployed based on the ERP system design. Some examples of associated control procedures for entity-centric designed information security reports are: Reviewing logical security of existing user profiles Identifying inappropriate and obsolete user profiles Reviewing environment setup and user profiles that have access 6
ISACA JOURNAL VOLUME 6, 2009

Reviewing object authorization lists and identification of obsolete objects Ensuring that user profiles have the appropriate password change frequency Reviewing users who have not logged on to the system in the previous quarter For an all doors closed security policy, verifying that sensitive objects are inaccessible through public profiles. COnCluSIOn Sarbanes-Oxley has established additional standards for US corporate accountability by mandating that publicly held companies assess and report the overall effectiveness of internal control processes affecting financial reporting. As a result, Sarbanes-Oxley section 404 is applicable to IT services. In relation to IT services, without exception, qualifying organizations using ERP systems for their business are mandated to develop and document information security controls as well as process supporting financial reporting. Utilizing suitable report generation software is a simple, yet powerful, tool for extracting pertinent data from an ERP database and for uncovering security breaches. The combined affect of preventive controls and detective actions, based on superior information security control reports, enables a secured Sarbanes-Oxley section 404 compliant ERP system. EnDnOtES 1 Brotby, Krag W.; Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition, IT Governance Institute, 2006, p. 7 2 The Institute of Internal Auditors, Common Misconceptions, March 2005, www.theiia.org/ periodicals/newsletters/tone-at-the-top/archives-by-topic/ index.cfm?c=580 3 US Congress, Sarbanes-Oxley Act of 2002, HR 3763, January 2002, http://news.findlaw.com/hdocs/docs/ gwbush/sarbanesoxley072302.pdf 4 Hewlett-Packard, HP ITSM and HP OpenView: An Approach to Attaining Sarbanes-Oxley Compliance, www.whitepapers.zdnet.co.uk/0,1000000651,2600847 22p,00.htm

10

11

12

13 14

Wikipedia, Committee of Sponsoring Organizations of the Treadway Commission, www.wikipedia.org Robinson, Scott; A Developers Overview of ERP, Developer.com, www.developer.com/design/article. php/3446551 Mandal, Purnendu; Angappa Gunasekaran; Issues in Implementing ERP: A Case Study, European Journal of Operational Research, vol. 146, 2003, p. 274-283 ISACA, Enterprise Resource Planning (ERP) Systems Review, Information Systems Standards, Guidelines, and Procedures for Auditing and Control Professionals, p. 8894, www.isaca.org/standards Shang, Shari; Peter B. Seddon; A Comprehensive Framework for Classifying the Benefits of ERP Systems, University of Melbourne, www.unimelb.edu.au Op cit, Committee of Sponsoring Organizations of the Treadway Commission IT Governance Institute, IT Control Objectives for Sarbanes-Oxley, 2nd Edition, 2006, www.isaca.org The Institute of Internal Auditors, Applying COSOs Enterprise Risk ManagementIntegrated Framework, www.theiia.org Op cit, US Congress Public Company Accounting Oversight Board, An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements and Related Independence Rule and Conforming Amendments, PCAOB Release No. 2007-005A, www.pcaob.org/Rules/Docket_021/2007-06-12_ Release_No_2007-005A.pdf

15

16

17 18

19 20 21

22

23

24

Public Company Accounting Oversight Board, Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements, www.pcaobus.org/Rules/Rules_of_ the_Board/Auditing_Standard_No.5.pdf Ethisphere, SEC Approves PCAOB Auditing Standard No. 5 to Reduce Cost of SOX 404 Compliance, 27 July 2007, http://ethisphere.com/sec-approves-pcaob-auditingstandard-no-5-to-reduce-cost-of-sox-404-compliance/ Ibid. US Securities and Exchange Commission, SEC Approves PCAOB Auditing Standard No. 5 Regarding Audits of Internal Control Over Financial Reporting; Adopts Definition of Significant Deficiency, News Release, 25 July 2007, www.iasplus.com/usa/sec/0707as5secpr.pdf Ibid. Wikipedia, Sarbanes-Oxley Act, www.wikipedia.org Wikipedia, Sarbanes-Oxley 404 top-down risk assessment, www.wikipedia.org Soxlaw.com, Sarbanes-Oxley Section 404, www.soxlaw.com/s404.htm Check Point Software Technologies, Achieving Sarbanes-Oxley Act Section 404 Compliance With Check Point Solutions, 2007, www.ventech.com/PDF/SOX_ whitepaper.pdf Karl Nagel & Company LLC, Sarbanes-Oxley: Financial and Accounting Disclosure Information, www.sarbanes-oxley.com

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal. Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors content. 2009 ISACA. All rights reserved. Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25 per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. www.isaca.org
ISACA JOURNAL VOLUME 6, 2009