Data Auditing for Sarbanes-Oxley (SOX) Compliance

In 2002, in response to the need to restore market confidence after the accounting debacles of publicly traded companies such as Enron, WorldCom and Tyco, Congress passed the Public Accounting Reform and Investor Act, better known as the Sarbanes-Oxley Act (SOX). It is said to be one of the most important pieces of legislation to affect financial disclosure and public accounting since the 1930s. These scandals highlighted the existence of fraudulent financial reports, shaking investor and employee confidence in corporate officers and accounting practices.

All publicly traded companies registered with the United States Securities and Exchange Commission (SEC) are required to comply with Sarbanes-Oxley. Companies and their officers risk severe penalties if they fail to routinely comply in their annual and quarterly filings. Corporate officers who knowingly certify false financial reports can face large monetary fines and/or imprisonment. Sarbanes-Oxley focuses on holding CEOs and CFOs personally liable for the accuracy of company financial reports and the internal control processes used in the generation of these reports.

Internal Controls in Sarbanes-Oxley Compliance

Section 404 requires that the process used to generate financial statements be accurate and meet an accepted industry standard. The standard most widely adopted by companies in achieving Sarbanes-Oxley compliance is the Internal Control Framework, published in 1992 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). It is used as a basis to establish, document and assess business control systems.

COSO defines internal controls as processes that provide reasonable assurance of how a company achieves objectives in the areas of operational efficiency and reliability of financial reporting and compliance. The COSO framework outlines five components of an internal control process:

  • Control Environment: primarily the organization and its philosophy.
  • Risk Assessment: the establishment of objectives and their related risks.
  • Control Activities: policies and procedures to achieve objectives and mitigate risks, like workflows, approvals, reconciliations and verifications.
  • Information and Communication: systems that record, exchange and report on enterprise data.
  • Monitoring: ongoing reviews of systems over time.

Sarbanes-Oxley seeks to regulate business processes and practices, not specifically the technology. However, in today's corporate environment, technology plays a central role in internal control systems: it helps define, establish, execute and/or monitor business processes. COSO itself, however, does not define any controls specific to IT. COBIT (Control Objectives for Information and related Technology) aligns with the COSO framework and helps translate it into practices more suitable for an IT organization. COBIT was developed by the IT Governance Institute and is increasingly accepted around the world as an IT security and control best practice.

Data Auditing as an Internal Control

In order for a principal executive to certify that financial results accurately represent the financial condition and results of the operation, complete confidence in the integrity of the financial system's data has to exist. Assurance of the integrity of financial data is achieved by a combination of procedures and internal controls, including policies that ensure that:

  • Financial transactions are properly recorded by authorized users.
  • Data has not been compromised by unauthorized or authorized means.
  • All changes to the financial data are monitored.

This emphasizes the need for security policy and measures to be implemented at the perimeter and application levels, as well as data audit trails and logging. Although the data stored in financial systems is the primary focus here, it is important to consider that other systems, such as Purchasing and Payroll, interface with the financial systems and should be included in the reviews and assessments of internal controls. In this light, a trusted, independent audit trail is an invaluable element of the internal control system. It is a valuable tool for identifying weaknesses and successes in systems, processes or procedures, and it becomes an absolute necessity during reviews for compliance, whether complying with industry or federal regulations or with company policy.

Many financial systems have built-in application-level audit trails, but these alone do not provide reasonable assurance that data was not changed via another source external to the financial application (such as a batch job, an ad-hoc query or another application). A key element in ensuring data integrity is the ability to generate a complete audit trail of all changes made to the data, recording who, what, when and where, regardless of where the change originated. An auditing system that operates at the database level, rather than the application level, is the only means of ensuring that all data changes are audited, whatever interface they are made through.

Implementing Data Auditing with OmniAudit

OmniAudit is a data auditing solution for Microsoft SQL Server, providing a database-level mechanism to log and report data changes independently of the source of the change. In addition to recording the who, what, and when of all data changes, OmniAudit also records the application and workstation used to make the change (the how and where). Such an independent, comprehensive audit trail directly supports Sarbanes-Oxley compliance activities.

OmniAudit's trigger-based architecture enables several key benefits:

  • Auditing occurs in the database itself, requiring no changes to applications which operate on the data.
  • Application activities can be audited even if the application itself provides no built-in audit trail capabilities.
  • Data changes made outside an application, whether authorized or unauthorized, can still be audited, which would not be possible with a self-auditing application.
  • Audit data from multiple sources is consolidated into a single homogenous data store.

Additionally, OmniAudit provides the flexibility to selectively choose which tables and fields to audit. This permits excluding inconsequential or transient data changes (for example, uncommitted shopping carts) from the audit trail. The scope of the audit data captured depends only on the organization's needs and audit plan.

Reference data can also be easily added into the audit trail. For instance, the audit trail not only shows when an item price in an order was changed, but it can also show the customer who placed the order or the account manager responsible for the order, even though those values did not change.

The audit trail data itself is contained within standard SQL Server tables, allowing access to audit trail data for examination, reporting and archiving using conventional tools and skills, leveraging a company's current investment in SQL Server training and tools. Audit trail data can be stored in a separate database independent of application data, permitting audit trails to be independently secured, backed up, and optimized for performance and resources.

Audit trail security is provided through the extensive security capabilities already built into SQL Server. Audit trail data is inaccessible by default; access exists only where permission has been explicitly granted to a privileged user. Audit trail permissions can be managed independently of application database permissions. That is, a user can be given delete or modify permission on application data but not on audit trail data, even if both are stored in the same database.
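The following T-SQL is an added illustration of the database-level, trigger-based pattern described in the preceding sections; it is not OmniAudit's own code or schema. It shows an AFTER UPDATE trigger that records who, what, when, how and where for one selected column, carries reference data (customer and account manager) that did not itself change, writes the trail into a separately owned schema, and denies the application role any access to that schema. The table, column, role and trigger names (dbo.Orders, audit.OrderPriceChanges, AppUsers, trg_Orders_AuditPrice) are assumptions made for the example.

```sql
-- Added example of a trigger-based audit trail on SQL Server (T-SQL).
-- Not OmniAudit's code; all object names below are assumptions.

-- 1. Audit trail lives in its own schema, owned by dbo like the application
--    tables, so the trigger's INSERT is covered by ownership chaining even
--    though the application role is denied direct access to the schema.
CREATE SCHEMA audit AUTHORIZATION dbo;
GO

CREATE TABLE dbo.Orders (
    OrderId        INT           NOT NULL PRIMARY KEY,
    CustomerId     INT           NOT NULL,
    AccountManager NVARCHAR(64)  NOT NULL,
    ItemPrice      DECIMAL(12,2) NOT NULL
);
GO

-- 2. Audit table: who / what / when / how / where, plus reference data
--    that gives the change context without having changed itself.
CREATE TABLE audit.OrderPriceChanges (
    AuditId        BIGINT IDENTITY(1,1) NOT NULL PRIMARY KEY,
    OrderId        INT           NOT NULL,
    CustomerId     INT           NOT NULL,   -- reference data
    AccountManager NVARCHAR(64)  NOT NULL,   -- reference data
    OldPrice       DECIMAL(12,2) NULL,
    NewPrice       DECIMAL(12,2) NULL,
    ChangedAtUtc   DATETIME2     NOT NULL,   -- when
    ChangedBy      NVARCHAR(128) NOT NULL,   -- who (current login)
    OriginalLogin  NVARCHAR(128) NOT NULL,   -- who, before any impersonation
    AppName        NVARCHAR(128) NULL,       -- how (client application)
    HostName       NVARCHAR(128) NULL        -- where (client workstation)
);
GO

-- 3. AFTER UPDATE trigger: fires for every interface (application, batch job,
--    ad-hoc query) because it runs inside the database, not the application.
--    Only ItemPrice is audited; updates to other columns are ignored.
CREATE TRIGGER dbo.trg_Orders_AuditPrice
ON dbo.Orders
AFTER UPDATE
AS
BEGIN
    SET NOCOUNT ON;
    IF NOT UPDATE(ItemPrice) RETURN;   -- selective auditing: skip other columns

    INSERT INTO audit.OrderPriceChanges
        (OrderId, CustomerId, AccountManager, OldPrice, NewPrice,
         ChangedAtUtc, ChangedBy, OriginalLogin, AppName, HostName)
    SELECT i.OrderId, i.CustomerId, i.AccountManager,
           d.ItemPrice, i.ItemPrice,
           SYSUTCDATETIME(), SUSER_SNAME(), ORIGINAL_LOGIN(),
           APP_NAME(), HOST_NAME()
    FROM inserted i
    JOIN deleted  d ON d.OrderId = i.OrderId
    WHERE d.ItemPrice <> i.ItemPrice;  -- set-based, so multi-row updates are logged
END;
GO

-- 4. Independent permissions: the application role may change orders but
--    can neither read nor alter the audit trail.
CREATE ROLE AppUsers;
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO AppUsers;
DENY  SELECT, INSERT, UPDATE, DELETE ON SCHEMA::audit TO AppUsers;
GO

-- Constructed sample: a price change through any path lands in the trail.
INSERT INTO dbo.Orders VALUES (1001, 42, N'J. Doe', 19.99);
UPDATE dbo.Orders SET ItemPrice = 9.99 WHERE OrderId = 1001;
SELECT OrderId, CustomerId, AccountManager, OldPrice, NewPrice,
       ChangedAtUtc, ChangedBy, AppName, HostName
FROM audit.OrderPriceChanges;
GO
```

Two caveats a reviewer of such a trail should keep in mind. APP_NAME() and HOST_NAME() are supplied by the client connection string, so they are useful context but not proof of origin; the login columns and the server's own timestamp are the trustworthy fields. And a trigger only audits while it exists and is enabled, so ALTER permission on the audited tables (which allows DISABLE TRIGGER) must be restricted as tightly as access to the audit schema itself.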

Finally, OmniAudit was designed to require minimal technical skills to create and maintain audit trails. A database can be completely audit-enabled in minutes.

Summary

Despite some vendor claims, there is no "compliance-in-a-box" solution for Sarbanes-Oxley. In reality, software and hardware solutions can only facilitate the implementation of the internal controls and procedures which form the basis of SOX compliance.

OmniAudit is an invaluable "best practice" solution. In addition to its own value in generating a trusted audit trail, it also supports other best practices such as security policy and intrusion detection. Its audit trail is securable, independent and captures all changes to data automatically, regardless of the source. Its ability to be deployed in a SQL Server database environment without requiring changes to existing applications or major effort from the DBA staff provides a powerful solution to organizations of any size or industry.