SOX 404 – IT General and Application Controls Audits

The Sarbanes-Oxley Act of 2002 (SOX) is a federal law that establishes how publicly traded U.S. companies communicate, store, and protect financial information. Section 302 of the law requires companies to establish “internal controls” to ensure the accuracy of their financial reporting, while Section 404 requires companies to assess and document the effectiveness of those internal controls. The relationship between IT processes and the “internal controls” described in Section 404 is not very clearly defined. There are, however, a few different standards, such as COBIT 4.1, COSO, and ISO 27001:2013, that can be used for modeling IT processes. K2 IT Audit LLC uses these standards as a framework for IT General Controls (ITGC) and as a guide for performing IT security assessments for organizations regulated by SOX.

K2 IT Audit LLC has extensive experience performing SOX ITGC and Application Control assessments.

Information Technology General Controls (ITGC) and Application Level General Controls

ITGC and Application Level General Controls represent the foundation of the IT control structure. They help ensure the reliability of data generated by IT systems and support the assertion that systems operate as intended and that their output is reliable. ITGC and Application Level General Controls usually include the following types of controls:

Access Controls: Access controls include controls that can impact all three layers (Operating System, Database, and Application):

Performing a review to determine if Physical Access to IT resources is appropriately restricted.

Performing a review to determine if Logical Access to IT resources is appropriately restricted.

Performing a review of Auditing and Logging procedures/processes at all layers to determine if security-related events are being logged and monitored periodically.

Performing a review to determine if Access Recertifications are being performed for users at all layers.

Performing a review of Password parameters at all layers to determine if they are compliant with policies/best practices.

Performing a review of Identification and Authentication processes at all layers.

Assessing Session lock and other system configurations for compliance with policies/best practices.

Performing a review to determine if inactive users are being identified and disabled after a predetermined threshold at all layers.

Change Management: Change Management controls include controls that can impact all three layers of the Information System (Operating System, Database, and Application):

Performing a review of changes at all layers to determine if changes are appropriately requested, tested, and authorized prior to being deployed to the production environment.

Performing a review of Production Source Code directories to determine if access is appropriately restricted.

Assessing Server Baseline Configurations against their applicable DISA STIGs or CIS Benchmarks to determine compliance.

Assessing Vulnerability Scans to determine if various CAT I, II, and III vulnerabilities are being remediated in a timely manner per organization policies.

Segregation of Duties: SOD controls include controls that can impact all three layers of the Information System (Operating System, Database and Application):

Performing a review to determine if incompatible duties have been identified and documented via a SOD matrix at all layers.

Performing a review to determine if any conflicting roles have been allowed by management and, if so, whether compensating controls (e.g., audit logging) have been implemented to minimize the risk.

Contingency Planning: Contingency Planning controls include controls that can impact all three layers of the Information System (Operating System, Database, and Application):

Performing a review to determine if a Contingency Plan/Disaster Recovery plan has been developed, implemented, and tested periodically.

Performing a review to determine if data is being backed up periodically according to policies/procedures/best practices and if backups are being rotated off-site.

Performing a review to determine if data center controls are adequate with respect to Fire Detection and Suppression, Redundant Power, Emergency Lighting, Flood Protection, etc.

Business Process Application Controls: Testing Business Process controls involves performing a review of the various data inputs and outputs to determine if Edit and Validation checks are in place within the application to ensure data integrity, completeness, and accuracy.

Interface Controls: Testing key Interfaces between various applications involves performing a detailed review of the Interface reconciliation process and procedures to determine if Interface data is complete and accurate between source and target systems.

Please contact us for more information about our SOX ITGC and Application Audit services.