Data Auditing for Sarbanes-Oxley (SOX) Compliance
In 2002, in response to the need to restore market confidence after the accounting
debacles of publicly traded companies such as Enron, WorldCom and Tyco, Congress passed
the Public Accounting Reform and Investor Act, better known as the Sarbanes-Oxley Act (SOX).
It is said to be one of the most important pieces of legislation to impact financial disclosure
and public accounting since the 1930s. These scandals highlighted the existence of
fraudulent financial reports, shaking investor and employee confidence in corporate
officers and accounting practices.
All publicly traded companies registered with the United States Securities and Exchange
Commission (SEC) are required to comply with Sarbanes-Oxley. Companies and their officers
risk severe penalties if they fail to routinely comply in their annual and quarterly filings.
Corporate officers who knowingly certify false financial reports can face large monetary
fines and/or imprisonment. Sarbanes-Oxley focuses on holding CEOs and CFOs personally liable
for the accuracy of company financial reports and the internal control processes used in the
generation of these reports.
Internal Controls in Sarbanes-Oxley Compliance
Section 404 requires that the process used to generate financial statements be accurate
and meet an accepted industry standard. The standard most widely adopted by companies in
achieving Sarbanes-Oxley compliance is the Internal Control Framework, published in 1992
by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). It is used
as a basis to establish, document and assess business control systems.
COSO defines internal controls as processes that provide reasonable assurance of how a
company achieves objectives in the areas of operational efficiency and reliability of
financial reporting and compliance. The COSO framework outlines five components of an
internal control process:
- Control Environment: primarily the organization and its philosophy.
- Risk Assessment: the establishment of objectives and their related risks.
- Control Activities: policies and procedures to achieve objectives and mitigate risks, like workflows, approvals, reconciliations and verifications.
- Information and Communication: systems that record, exchange and report on enterprise data.
- Monitoring: ongoing reviews of systems over time.
Sarbanes-Oxley seeks to regulate business processes and practices, not specifically the
technology. However, in today's corporate environment, technology plays a central role in
internal control systems. It helps define, establish, execute and/or monitor business processes.
But COSO itself doesn't define any controls for IT. COBIT, Control Objectives for Information
and related Technology, aligns with the COSO framework, helping to translate it into practices
more suitable for an IT organization. COBIT was developed by the IT Governance Institute and is
increasingly accepted around the world as an IT security and control best practice.
Data Auditing as an Internal Control
In order for a principal executive to certify that financial results accurately
represent the financial condition and results of the operation, complete confidence
in the integrity of the financial systems' data has to exist. Assurance of the integrity
of financial data is achieved by a combination of procedures and internal controls,
including policies that ensure that:
- Financial transactions are properly recorded by authorized users.
- Data has not been compromised by unauthorized or authorized means.
- All changes to the financial data are monitored.
This emphasizes the need for security policy and measures to be implemented at the
perimeter and application levels, as well as data audit trails and logging. Although
the data stored in financial systems is the primary focus here, it is important to
consider that other systems such as Purchasing and Payroll interface with the financial
systems and should be included in the reviews and assessments of internal controls. In
this light, a trusted, independent audit trail is an invaluable element of the internal
control system. It is a valuable tool to identify weaknesses and successes in systems,
processes or procedures and becomes an absolute necessity during reviews for
compliance whether complying with industry or federal regulations or with company policy.
Many financial systems have built-in application-level audit trails, but these alone
do not provide reasonable assurance that data was not changed via another source external
to the financial application (like a batch job, query or other application). A key element
in ensuring data integrity is the ability to generate a complete audit trail of all changes
made to the data recording who, what, when and where, regardless of where the change
originated. An auditing system which operates at the database level, rather than the
application level, is really the only means to ensure auditing of all data changes made
through any conceivable interface.
Implementing Data Auditing with OmniAudit
OmniAudit is a data auditing solution for Microsoft SQL Server, providing a database-level
mechanism to log and report data changes independently of the source of the change. In
addition to recording the who, what, and when of all data changes, OmniAudit also records
the application and workstation used to make the change (the how and where). Such an
independent, comprehensive audit trail directly supports Sarbanes-Oxley compliance activities.
OmniAudit's trigger-based architecture enables several key benefits:
- Auditing occurs in the database itself, requiring no changes to applications which operate on the data.
- Application activities can be audited even if the application itself provides no built-in audit trail capabilities.
- Data changes made outside an application, whether authorized or unauthorized, can still be audited, which would not be possible with a self-auditing application.
- Audit data from multiple sources is consolidated into a single homogenous data store.
Additionally, OmniAudit provides the flexibility to selectively choose which tables and
fields to audit. This permits excluding inconsequential or transient data changes (for example,
uncommitted shopping carts) from the audit trail. The scope of the audit data captured is
dependent only on the organization's needs and audit plan.
Reference data can also be easily added into the audit trail. For instance, the audit
trail not only shows when an item price in an order was changed, but it can also show the
customer who placed the order or the account manager responsible for the order, even though
those values did not change.
The audit trail data itself is contained within standard SQL Server tables, allowing
access to audit trail data for examination, reporting and archiving using conventional
tools and skills, leveraging a company's current investment in SQL Server training and
tools. Audit trail data can be stored in a separate database independent of application
data, permitting audit trails to be independently secured, backed up, and optimized for
performance and resources.
Audit trail security is provided through the extensive security capabilities already
built into SQL Server. Audit trail data is inherently restricted: access must be
explicitly granted to specific privileged users. Audit trail permissions can be managed
independently of application database permissions. That is, a user can be given delete
or modify permission to application data but not to audit trail data, even if it is
stored in the same database.
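The following T-SQL is an added example, not OmniAudit's own implementation or code from this page. It shows, in hand-written form, the pattern the preceding sections describe: a trigger on an application table that records who, what, when, where and how for every change regardless of the client that made it, carries reference data (the customer on the order) into the audit row even when that value did not change, audits only the selected column, and keeps the audit trail in a separately permissioned schema so application users can change orders but never read or alter the trail. The table, column and role names (dbo.Orders, audit.OrderChanges, app_user, auditor) are assumptions for illustration.

```sql
-- Added example: hand-written trigger-based audit trail (not OmniAudit's code).
-- Object and role names are assumed for illustration.

-- 1. Application table and a separate schema holding the audit trail.
--    (The page's option of a separate audit database works the same way;
--    the schema keeps this example self-contained in one database.)
CREATE SCHEMA audit;
GO
CREATE TABLE dbo.Orders (
    OrderId     int           NOT NULL PRIMARY KEY,
    CustomerId  int           NOT NULL,
    Price       decimal(10,2) NOT NULL
);
GO
CREATE TABLE audit.OrderChanges (
    AuditId      bigint        IDENTITY(1,1) PRIMARY KEY,
    ChangedAtUtc datetime2     NOT NULL DEFAULT SYSUTCDATETIME(), -- when
    ChangedBy    sysname       NOT NULL,  -- who: login that opened the session
    AppName      nvarchar(128) NULL,      -- how: client application name
    HostName     nvarchar(128) NULL,      -- where: client workstation name
    Operation    char(1)       NOT NULL,  -- what: I (insert), U (update), D (delete)
    OrderId      int           NOT NULL,
    CustomerId   int           NOT NULL,  -- reference data, logged even if unchanged
    OldPrice     decimal(10,2) NULL,
    NewPrice     decimal(10,2) NULL
);
GO

-- 2. One AFTER trigger fires for every INSERT/UPDATE/DELETE on the table,
--    whether it came from the application, a batch job or an ad-hoc query.
--    ORIGINAL_LOGIN() is used instead of SUSER_SNAME() so that EXECUTE AS
--    impersonation cannot hide the real login. APP_NAME() and HOST_NAME()
--    are supplied by the client connection string, so treat them as
--    context, not as proof of origin.
CREATE TRIGGER dbo.trg_Orders_Audit ON dbo.Orders
AFTER INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON;
    INSERT INTO audit.OrderChanges
        (ChangedBy, AppName, HostName, Operation,
         OrderId, CustomerId, OldPrice, NewPrice)
    SELECT
        ORIGINAL_LOGIN(), APP_NAME(), HOST_NAME(),
        CASE WHEN d.OrderId IS NULL THEN 'I'
             WHEN i.OrderId IS NULL THEN 'D'
             ELSE 'U' END,
        COALESCE(i.OrderId, d.OrderId),
        COALESCE(i.CustomerId, d.CustomerId),
        d.Price, i.Price
    FROM inserted i
    FULL OUTER JOIN deleted d ON i.OrderId = d.OrderId
    -- Record inserts and deletes, and updates only when the audited
    -- column (Price) actually changed; updates to other columns are
    -- deliberately excluded, as the page describes for selective auditing.
    -- (An update to the primary key itself shows up as a D plus an I row.)
    WHERE i.OrderId IS NULL OR d.OrderId IS NULL
       OR i.Price <> d.Price;
END;
GO

-- 3. Permissions: application users may change orders but cannot read,
--    change or delete the audit trail. Because dbo owns both the trigger
--    and audit.OrderChanges, ownership chaining lets the trigger write audit
--    rows on the user's behalf without granting the user any right on the
--    audit schema; the DENY below is not evaluated inside that chain.
CREATE ROLE app_user;
CREATE ROLE auditor;
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO app_user;
DENY  SELECT, INSERT, UPDATE, DELETE ON SCHEMA::audit TO app_user;
GRANT SELECT ON SCHEMA::audit TO auditor;   -- read-only for reviewers
GO

-- 4. Constructed sample activity, then a review of the trail.
INSERT INTO dbo.Orders (OrderId, CustomerId, Price) VALUES (1, 42, 100.00);
UPDATE dbo.Orders SET Price = 90.00 WHERE OrderId = 1;    -- audited
UPDATE dbo.Orders SET CustomerId = 43 WHERE OrderId = 1;  -- Price unchanged, not audited
SELECT ChangedAtUtc, ChangedBy, AppName, HostName, Operation,
       OrderId, CustomerId, OldPrice, NewPrice
FROM audit.OrderChanges
ORDER BY AuditId;
GO
```

Run as a whole against a scratch database, the final SELECT returns two rows: an I row with OldPrice NULL and NewPrice 100.00, and a U row with OldPrice 100.00 and NewPrice 90.00, both carrying CustomerId 42 as reference data; the third statement produces no audit row because the audited column did not change. A member of app_user can execute the three data statements but gets a permission error on the SELECT, while a member of auditor can read the trail but not change it, which is the separation of application and audit permissions the text describes.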
Finally, OmniAudit was designed to require minimal technical skills to create and
maintain audit trails. A database can be completely audit-enabled in minutes.
Summary
Despite some vendor claims, there is no "compliance-in-a-box" solution for Sarbanes-Oxley.
In reality, software and hardware solutions can only facilitate the implementation of the
internal controls and procedures which form the basis of SOX compliance.
OmniAudit is an invaluable "best practice" solution. In addition to its own value
in generating a trusted audit trail, it also supports other best practices such as
security policy and intrusion detection. Its audit trail is securable, independent
and captures all changes to data automatically, regardless of the source. Its ability
to be deployed in a SQL Server database environment without requiring changes to
existing applications or major effort from the DBA staff provides a powerful solution
to organizations of any size or industry.