How to Incorporate Cybersecurity in a SOX Framework

In today’s technology-driven financial world, the growing number of cyberattacks has heightened the risk of material misstatement in financial reporting from breached (or previously breached) financial applications.

As a result, cybersecurity has become a deeper focus within the Sarbanes-Oxley (SOX) control framework of many organizations.

Companies need to remember that the scope of SOX is internal control over financial reporting and, therefore, IT testing is limited to production in-scope financial applications and the servers, operating systems, and databases that support them. Many other servers and devices are never reviewed for SOX compliance, yet may be compromised and, in turn, affect financial reporting (for example, a non-SOX host used as a foothold to reach an in-scope system). Thus, it is critical to take a holistic security and internal audit approach that includes preventive, detective, and corrective controls to address cybersecurity risks.

For starters, internal auditors should incorporate cyber risks in their annual audit risk assessments and interview key cybersecurity personnel during the process. Now that boards are asking more questions about cyber risks and mitigation efforts, there is value in holding these meetings even more frequently. It is critical, then, that Internal Audit has IT audit resources who are familiar with current cybersecurity risks and that time for these resources is budgeted for non-SOX cyber audit work throughout the year. After cyber risks are identified and controls are designed, it is important to baseline your company’s SOX and cyber controls against a recognized cybersecurity framework, such as the NIST Cybersecurity Framework, so that the effectiveness of mitigation efforts can be tested and monitored over time.

IT controls that companies already test for SOX can be applied to other applications and IT environments to strengthen cybersecurity posture, including:

  • Using least privilege for access control
  • Rotating network, application, firewall, database, and operating system admin passwords regularly, and after any suspected compromise
  • Password policy controls (complexity, lockout, and expiration)
  • Restricting service accounts to the minimum privileges they need
  • Segregation of duties in change management and access modification
  • Periodic access review and certification for applications
  • Change management procedures
  • Backup procedures, including tests that backups can actually be restored
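Several of the controls above (least privilege for service accounts, segregation of duties, and access certification) can be checked mechanically against an access export rather than only by sampling during the SOX walkthrough. The following Python script is an added illustration and is not code from the original article or from any vendor product; the access export, role names, conflict matrix, allowlist, and change tickets are all constructed sample data, and the conflict pairs are assumptions chosen to look like typical accounts-payable and change-management toxic combinations.

```python
"""Access review, least-privilege and segregation-of-duties (SoD) checks run
over a constructed access export. Added example; not from the original article.
"""
from collections import defaultdict

# Constructed sample export (not from any real system): each identity and the
# roles it currently holds, as an ERP or directory would report them.
ACCESS_EXPORT = [
    {"user": "alice",      "type": "person",  "roles": {"AP_INVOICE_ENTRY"}},
    {"user": "bob",        "type": "person",  "roles": {"AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"}},
    {"user": "carol",      "type": "person",  "roles": {"CHANGE_DEVELOPER", "CHANGE_APPROVER"}},
    {"user": "svc_backup", "type": "service", "roles": {"DB_BACKUP", "DB_ADMIN"}},
    {"user": "svc_etl",    "type": "service", "roles": {"DB_READ"}},
]

# Assumed toxic combinations: one identity holding both sides of a transaction.
SOD_CONFLICTS = [
    ("AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"),   # enter an invoice and approve its payment
    ("CHANGE_DEVELOPER", "CHANGE_APPROVER"),      # write a change and approve it
    ("USER_ADMIN", "USER_ACCESS_APPROVER"),       # grant access and approve the grant
]

# Least privilege for service accounts: the roles each one is approved to hold.
SERVICE_ACCOUNT_ALLOWLIST = {
    "svc_backup": {"DB_BACKUP"},
    "svc_etl": {"DB_READ"},
}

# Constructed change tickets: developer and approver must be different people.
CHANGE_LOG = [
    {"ticket": "CHG-1001", "developer": "carol", "approver": "dave"},
    {"ticket": "CHG-1002", "developer": "carol", "approver": "carol"},
]


def sod_violations(access_export, conflicts):
    """Return (user, role_a, role_b) for every toxic combination an identity holds."""
    findings = []
    for entry in access_export:
        for role_a, role_b in conflicts:
            if role_a in entry["roles"] and role_b in entry["roles"]:
                findings.append((entry["user"], role_a, role_b))
    return findings


def service_account_excess(access_export, allowlist):
    """Return {service_account: roles it holds beyond its approved set}.

    A service account missing from the allowlist has no approved roles, so
    everything it holds is reported as excess.
    """
    excess = {}
    for entry in access_export:
        if entry["type"] != "service":
            continue
        extra = entry["roles"] - allowlist.get(entry["user"], set())
        if extra:
            excess[entry["user"]] = extra
    return excess


def self_approved_changes(change_log):
    """Return ticket IDs where the same identity developed and approved the change."""
    return [c["ticket"] for c in change_log if c["developer"] == c["approver"]]


def certification_packet(access_export):
    """Group users by role so a role owner can certify (keep/revoke) each assignment."""
    by_role = defaultdict(list)
    for entry in access_export:
        for role in entry["roles"]:
            by_role[role].append(entry["user"])
    return {role: sorted(users) for role, users in sorted(by_role.items())}


if __name__ == "__main__":
    for user, a, b in sod_violations(ACCESS_EXPORT, SOD_CONFLICTS):
        print(f"SoD conflict: {user} holds {a} and {b}")
    for acct, roles in service_account_excess(ACCESS_EXPORT, SERVICE_ACCOUNT_ALLOWLIST).items():
        print(f"Excess privilege: {acct} holds unapproved {sorted(roles)}")
    for ticket in self_approved_changes(CHANGE_LOG):
        print(f"Self-approved change: {ticket}")
    for role, users in certification_packet(ACCESS_EXPORT).items():
        print(f"Certify {role}: {', '.join(users)}")
```

Run against a real export, the output is the evidence an auditor asks for: the SoD and excess-privilege findings go to the control owner for remediation, and the certification packet is what each role owner signs off on during the periodic access review. The same checks can be scheduled against non-SOX systems, which is the point of the list above.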

For direct SOX evidence, companies should complete a SOX cybersecurity memo annually and consider additional SOX controls. The memo should be prepared with the internal and external IT auditors to assess how prepared the company is for a cyberattack. These discussions often surface ways the IT security and internal audit groups can benefit from each other. Based on them, obvious design gaps should be addressed, including limited cyber resources, no cyber risk assessment, no cyber maturity framework, weak cyber policies and procedures, and inadequate cyber training. The discussions also give auditors a high-level understanding of the current state of the cyber program.

Disaster recovery is also starting to appear as a SOX key control, despite being historically viewed as a corrective control and, therefore, out of scope for SOX. Adding this control puts additional focus on whether companies can actually recover their in-scope financial applications, from backups that have been tested, after a cyberattack.

Not all necessary cyber controls will ever sit within your SOX framework. Security departments should therefore maintain additional cyber controls and frameworks, and Internal Audit should schedule high-risk cyber/IT audits to validate the security department’s procedures, especially for controls that are out of scope for SOX compliance.

Source:

https://www.auditboard.com/blog/sox-cybersecurity-compliance/


© 2024 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
