In today’s technology-driven financial world, the increasing number of cybersecurity attacks has heightened the risk of material misstatement in reporting from breached (or previously breached) financial applications.
With this increase, cybersecurity has become a deeper focus within the Sarbanes-Oxley security framework of many organizations.
Companies need to remember that the scope of SOX only includes financial controls and, therefore, testing is limited to production in-scope financial applications, servers, operating systems, and databases. There are many other servers and devices not reviewed for SOX compliance that may be compromised and, in turn, impact financial reporting. Thus, it is critical to take a holistic security and internal audit approach that includes prevention, detection, and corrective controls to address cybersecurity risks.
For starters, internal auditors should be incorporating cyber risks within their annual audit risk assessments and should be interviewing key cybersecurity personnel during the process. Now that boards are asking more questions about cyber risks and mitigation efforts, there is value in scheduling these meetings even more frequently. It is critical, then, that Internal Audit has IT audit resources that are familiar with current cybersecurity risks and that these resources are budgeted for non-SOX cyber audit work throughout the year. After cyber risks are identified and controls are designed, it is important to baseline your company's SOX and cyber controls against a cybersecurity framework such as NIST so that the effectiveness of mitigation efforts can be tested and monitored.
IT controls that companies review in SOX can be used in other applications and IT environments to strengthen cybersecurity posture, including:
Using least privilege for access control
Changing network, application, firewall, database, and operating system admin passwords regularly
Restricting service accounts to only the privileges they need
Enforcing segregation of duties in change management and access modification
Performing access reviews and certification of applications
Following change management procedures
For direct SOX evidence, companies should complete a SOX cybersecurity memo annually and consider additional SOX controls. A SOX cybersecurity memo should be completed by the internal and external IT auditors to assess how prepared the company is for a cyberattack. These discussions often lead to how the IT security and internal audit groups in a company can benefit from each other. Based on the cyber discussions, obvious design gaps should be addressed, such as limited cyber resources, no cyber risk assessment, no cyber maturity framework, poor cyber policies and procedures, and inadequate cyber training. These discussions give auditors a high-level understanding of the current state of the cyber program.
Disaster recovery is also starting to appear as a SOX key control, despite being historically viewed as a corrective control and, consequently, out of the scope of SOX. Adding this control brings additional focus on whether companies can recover their in-scope financial applications in the event of a cyberattack.
Not all necessary cyber controls will ever fall within your SOX framework; therefore, security departments should require additional cyber controls and frameworks, and Internal Audit departments need to schedule high-risk cyber/IT audits to validate the cyber department's procedures, especially for controls that are out of scope for SOX compliance.
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].