Sarbanes-Oxley Compliance: Meeting Financial Data Security Audit Standards

Intensive Scrutiny

Financial auditing is both required by law and a basic "best practice" to assess and ensure the financial health of every firm. It is also a highly stressful experience that involves going through statements and records line by line to demonstrate that the firm's financial records are in fact a truthful and accurate picture of its financial operations and condition.

Failure to meet audit standards prescribed by law can expose company officers to criminal penalties as well as civil action. At the same time, meeting audit standards is a key line of protection against employee fraud. Effective audit is also a protection against errors, carelessness, and disorder that can cripple a firm even in the absence of malicious conduct on anyone's part.

Because financial data is now stored digitally, audit preparedness is not only an accounting issue. It is also an IT issue. Data must be securely stored and protected, but also be readily available when required for internal analysis or independent audit.

The systems and software that handle financial data must also be developed, upgraded and updated, and maintained. Whether these processes are handled internally or by an outside vendor, they call for testing using realistic data. Yet actual, sensitive financial records must not be compromised.

Ensuring the integrity of financial data thus requires maintaining a high standard of data security.


Overview

The Sarbanes-Oxley Act (SOX Act) was passed by Congress and signed into law in 2002 in response to major cases of financial fraud, of which the rise and collapse of Enron is the best known. The overall focus of the measure is on financial reporting responsibilities, and ensuring that financial audits are genuinely independent.

However, SOX also includes provisions that relate to the security and preservation of financial data. And the standards set out for its implementation "recognized that senior management can't just certify controls ON the system, these controls also have to control the way financial information is generated, accessed, collected, stored, processed, transmitted, and used through the system."

Senior management is thus held ultimately responsible for financial data security, including putting in place appropriate controls and procedures to ensure this data security. The good news is that powerful tools, including data discovery and Data Masking, are available to meet these standards.


Financial Data Audit Passed By Using Data Masking

A young, fast-growing manufacturing firm is upgrading its financial controls. In consultation with an independent accounting firm it develops a pre-audit checklist, setting forth best-practice standards for protecting the integrity of company financial data.

The standards are designed not only to meet immediate needs, but also to ensure that financial data will be protected throughout ongoing software upgrades. Provisions of the SOX Act set forth requirements for protecting data on an ongoing basis:

Section 404 describes these controls, and requires that certification be both reasonable and that the outside auditors also certify the existence of such adequate controls over financial reporting … Section 802 mandates that companies and their auditors maintain accounting documents and work papers for a minimum of seven years.

The manufacturing firm adopts a Data Masking solution, beginning with a data discovery process. Data discovery provides the company's CFO with confidence that financial data is in fact stored where it is supposed to be stored.

Data Masking also ensures that this will continue to be the case, even as the financial data storage system is upgraded. Sensitive data is protected behind a security firewall, and only artificial data, in valid formats, is passed to development teams and training sessions.
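The two steps described above, discovery followed by format-preserving masking, as an added illustration that is not GRT's product code. The sample ledger rows, the discovery patterns and the demo key are constructed for this example; a real deployment would take the key from a managed secret and extend the patterns to whatever identifiers the discovery phase actually finds.

```python
import hashlib
import hmac
import re

# Constructed sample rows standing in for a financial ledger export (not real data).
LEDGER = [
    {"entry": 1, "account": "4532015112830366", "tax_id": "12-3456789", "amount": "1250.00"},
    {"entry": 2, "account": "4532015112830366", "tax_id": "12-3456789", "amount": "-300.50"},
    {"entry": 3, "account": "6011000990139424", "tax_id": "98-7654321", "amount": "89.99"},
]

# Hypothetical discovery patterns: a card/account number and an EIN-style tax id.
SENSITIVE_PATTERNS = {
    "account_number": re.compile(r"^\d{12,19}$"),
    "tax_id": re.compile(r"^\d{2}-\d{7}$"),
}

# Demo key only; in production the masking key lives in a secrets manager.
DEMO_KEY = b"constructed-demo-key"


def discover(rows):
    """Data discovery step: return the columns whose every value matches a sensitive pattern."""
    found = set()
    for col in rows[0]:
        values = [str(r[col]) for r in rows]
        if any(all(p.match(v) for v in values) for p in SENSITIVE_PATTERNS.values()):
            found.add(col)
    return found


def mask_value(value, key):
    """Replace each digit with a keyed pseudo-random digit, keeping length and separators.
    Same input and key always give the same output, so joins across masked tables still line up."""
    digest = hmac.new(key, value.encode(), hashlib.sha512).digest()
    out, i = [], 0
    for ch in value:
        if ch.isdigit():
            out.append(str(digest[i % len(digest)] % 10))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def mask_rows(rows, key=DEMO_KEY):
    """Return a masked copy for dev/test use: discovered columns are masked, all others untouched."""
    cols = discover(rows)
    return [{c: (mask_value(str(v), key) if c in cols else v) for c, v in r.items()} for r in rows]
```

Amounts are deliberately left as-is here so test totals still reconcile; if amounts are themselves sensitive in your environment, add a pattern for them and they will be masked the same way.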

With data discovery and Data Masking in place, the company can demonstrate to outside auditors that its financial records are complete and in order, setting the stage for an independent audit that is passed with flying colors.


Providing Ongoing Security

At GRT Corporation we believe that protecting your sensitive data, including key financial data, is an ongoing process. It is also a holistic process. Compliance with SOX Act standards for preservation of financial data is not an isolated exercise. It flows from a proactive policy based on best-practice standards. Effective firewalls and checkpoint controls safeguard data "in motion" as well as "at rest," making compliance straightforward and natural.


Contact us to ease your compliance burden now