Question

What is required by Sarbanes-Oxley (SOX) to be logged? Or Describe the system processes executed and data collected in the process of logging an event.

Answer 1

The Sarbanes Oxley Act requires all financial reports to include an Internal Controls Report. This shows that a company's financial data are accurate (within 5% variance) and adequate controls are in place to safeguard financial data. Year-end financial dislosure reports are also a requirement. An independent external SOX auditor is required to review controls, policies, and procedures during a Section 404 audit.

An audit will also look at personnel and may interview staff to confirm that their duties match their job description, and that they have the required training to safely access financial information.

Specifically, SOX sections 302, 404 and 409 require the following parameters and conditions must be monitored, logged and audited:

Internal controls

Network activity

Database activity

Login activity (success and failures)

Account activity

User activity

Information Access

SOX auditing requires that "internal controls and procedures" can be audited using a control framework like COBIT. Log collection and monitoring systems must provide an audit trail of all access and activity to sensitive business information.

A review of a company's internal controls is often the largest components of a SOX compliance audit. Internal controls include all IT assets, including any computers, network hardware, and other electronic equipment that financial data passes through. A SOX IT audit will look at the following internal control items:

IT security: Ensure that proper controls are in place to prevent data breaches and have tools ready to remediate incidents should they occur. Invest in services and equipment that will monitor and protect your financial database.

Access controls: This refers to both the physical and electronic controls that prevent unauthorized users from viewing sensitive financial information. This includes keeping servers and data centers in secure locations, implementing effective password controls, and other measures.

Data backup: Maintain backup systems to protect sensitive data. Data centers containing backed-up data, including those stored off-site or by a third-party are also subject to the same SOX compliance requirements as those hosted on-site.

Change management: This involves the IT department process for adding new users and computers, updating and installing new software, and making any changes to databases or other data infrastructure components. Keep records of what was changed, in addition to when it was changed and who changed it.