SOX

Sarbanes – Oxley “SOX”

U.S. Public Company Accounting Reform & Investor Protection Act of 2002

Key Provisions Affecting CIO’s
Section 302: Certification of Financial Reports*

Requirement Solution
CEO, CFO and an attesting public accounting firm must certify the accuracy of financial statements and disclosures in the periodic report. Because IT systems generate periodic reports and control email, the primary tool for communicating information internally, CIO’s must ensure host systems are secure and reliable
CEO, CFO and an attesting public accounting firm must certify that the statements fairly present in all material aspects the operation and financial condition of the issuer. Certified CARE assists with the following:

Reliability:

  • System availability reports
  • System OS reports
  • Network Utilization (NIC card)
  • Overall alerts/notification system
  • Exchange, Notes, Email application monitoring

Security:

  • Vulnerability assessments
  • Firewall monitoring
  • Patch assessment
Material information used to generate periodic reports must be retained and made available to the public Automatic archival of all reports for up to one year

*Prescribes criminal penalties
Section 404: Certification of Internal Controls*

Requirement Solution
Requires a statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the company, attested to by the company’s auditor.

  • Includes an assessment of the controls and identification of the framework used for the assessment.
Critical systems may include but are not limited to:

  • Documentation/records management tool
  • Asset inventory
  • Layered security mechanisms to protect integrity of data
Reporting of material process changes** every quarter

  • Process changes to meet compliance must be documented and implemented by the IS organization.
  • Because the processes and internal controls are implemented principally in IT systems, section 404 audits involve a detailed assessment of those systems.
  • Process used to generate statements must be accurate and meet the committee of sponsoring organizations of the Treadway Commission Standard
  • Enterprises must pass Section 302 & 404 audits before filing
Certified CARE helps CIO’s address the assessment, identification and documentation of internal controls:

  • Use Certified CARE to take a quick “snapshot” and baseline network activity to establish what constitutes “normal” activity for comparison purposes
  • Asset report automatically discovers and documents resources across the IT infrastructure
  • Asset reports automatically identify all moves, adds, and changes
  • Notify on changes in access policies, changes in firewall configurations, router configurations, disk drive removals, and environmentals
  • Documentation of security controls:
    • firewall logs
    • intrusion monitoring
    • vulnerability assessment
    • patch assessment
    • assurance that virus updates are current
    • Better differentiate between Denial of Service attacks and legitimate increases or spikes in network traffic
    • Aggregated firewall reports ensure firewall is in compliance with organization security policy
    • Archive up to one year’s worth of history

*Required by June 15, 2004 for large companies and April 15, 2005 for other filers

**Sarbanes-Oxley limits the services that an attesting audit firm can offer to assure there is no conflict of interest. Thus, the auditor that signs an organization’s financial statement can’t implement

Section 409: Material Event Reporting*

Requirement Solution
Public companies must disclose information on material changes in their financial condition or operations on a rapid and current basis. IT systems as they support business operations and financial management, play a significant role in the detection and management of material events

  • Proactive use of IT solutions such as Certified CARE enable earlier detection and mitigation of material events with some of the following capabilities:
  • Overall monitoring, alerting and notification system on network, system, application and security issues
  • Use of thresholds, severity and time-based alerts and escalations

Full information: http://www.aicpa.org/info/sarbanes_oxley_summary.htm

Not only do we believe in Certified CARE, but we will offer you a free trail of Certified CARE to show that it provides a good investment in your environment. Get the process started today, call Certified NETS at (314) 292-6260.