Strategies for Success with Your SOX IT General Controls
As technology continues to evolve and become more robust, organizations have realized they need expertise and to be proactive in identifying risks and implementing controls. But even as new solutions are introduced, the backbone of many compliance and cybersecurity initiatives—including SOX—remains an organization’s information technology general controls (ITGCs).
As an experienced audit firm that has an entire service dedicated solely to evaluating ITGCs, we understand their importance more keenly than most. That’s why, in this article, we’re going to explain what ITGCs are—including specific controls that will —as well as their significance to your security and SOX obligations.
What are IT General Controls (ITGCs)?
After a series of corporate accounting scandals in the early 2000s—the most notable of which was the Enron debacle—legislators sought a solution that would address the concerns regarding corporate governance and help restore the integrity of financial markets while enhancing transparency, accountability, and responsibility.
Enter the Sarbanes-Oxley Act (SOX). Enacted in 2002, SOX mandates that public companies establish and maintain effective internal controls over financial reporting in an attempt to prevent and detect fraud and ensure the reliability of financial information—the required internal controls include both financial controls and ITGCs.
Typically incorporated into an organization's environment through a combination of policies, procedures, and technological measures, ITGCs govern how your company’s IT systems operate and ensure that your environment and other business processes are protected against vulnerabilities.
As such, there are a few different types of ITGCs.
What are Access Management ITGCs?
Serving as gatekeepers, your access management controls ensure that only authorized users can interact with your data and systems, making them pivotal in preventing data breaches.
Successful access management strategies include the following controls:
- User Authentication Mechanisms: Verification methods such as strong password settings or multi-factor authentication (MFA) that require multiple credentials before permitting access help ensure that only authorized users have access to the system.
- Role-Based Access Control (RBAC): These tools assign and remove permissions based on designated job roles, safeguarding that users only have access to resources necessary for their responsibilities.*
- Access Monitoring and Logging: Security Information and Event Management (SIEM) systems that automate log analysis and alerting of user activities such as failed access attempts—as well as regular reviews of the users with access to systems—enhance the detection of suspicious behavior and unauthorized access.
* Regular reviews and updates to role assignments are essential to prevent access creep.
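The periodic access review described above can be scripted rather than eyeballed. The following is an added example, not code from the original article or from Schellman: it compares an export of what a system actually grants against a role model and an HR feed (all three constructed here, with hypothetical entitlement names) and flags access creep, inactive users who still hold access, and users with no assigned role.

```python
"""User access review against an RBAC role model (added example)."""
from dataclasses import dataclass

# Hypothetical role model: role name -> entitlements that role justifies.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"erp.invoice.create", "erp.invoice.view"},
    "ap_manager": {"erp.invoice.view", "erp.invoice.approve", "erp.vendor.edit"},
    "readonly": {"erp.invoice.view"},
}

# Constructed HR feed: user -> (assigned role, employment status).
HR_FEED = {
    "alice": ("ap_clerk", "active"),
    "bob": ("ap_manager", "active"),
    "carol": ("readonly", "terminated"),
    "dave": (None, "active"),
}

# Constructed export of the entitlements the system grants today.
SYSTEM_GRANTS = {
    "alice": {"erp.invoice.create", "erp.invoice.view", "erp.invoice.approve"},
    "bob": {"erp.invoice.view", "erp.invoice.approve", "erp.vendor.edit"},
    "carol": {"erp.invoice.view"},
    "dave": {"erp.vendor.edit"},
}


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str
    detail: str


def review_access(role_model, hr_feed, grants):
    """Return one Finding per user whose current grants are not justified."""
    findings = []
    for user, granted in sorted(grants.items()):
        role, status = hr_feed.get(user, (None, "unknown"))
        if status != "active":
            # Leavers and unknown accounts should hold nothing at all.
            findings.append(Finding(user, "inactive_user_with_access",
                                    f"status={status}, grants={sorted(granted)}"))
            continue
        if role is None:
            findings.append(Finding(user, "no_role_assigned", f"grants={sorted(granted)}"))
            continue
        excess = granted - role_model[role]  # grants the assigned role does not justify
        if excess:
            findings.append(Finding(user, "access_creep",
                                    f"role={role}, unjustified={sorted(excess)}"))
    return findings
```

Each finding is evidence for the reviewer to either revoke the grant or update the role model, which is the decision the control exists to force.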
What are Change Management ITGCs?
Proper change management controls are essential for ensuring that only secure, authorized changes are made to infrastructure, applications, and configurations, and that the integrity of your software applications, systems, and networks is maintained with minimal disruption.
Some of the most important components of change management include:
- Change Approval Process: Establishing a formalized process for requesting, approving, and implementing changes ensures that alterations are properly evaluated—sometimes with the help of a change advisory board (CAB)—for their potential risks and impacts before they’re deployed.
- Change Validation Procedures: Rigorous testing of each change before it reaches production helps identify and mitigate any adverse effects on system functionality and security.
- Documentation and Version Control: Maintaining comprehensive documentation of changes—including version control mechanisms that track and audit modifications over time—enables you to maintain accountability and traceability.
- Segregation of Duties (SOD): Dividing responsibilities so that no single person can initiate, approve, and implement a change forces each modification to undergo scrutiny at several levels. This system of checks and balances ensures that only necessary and vetted changes are executed, reducing the potential for unauthorized changes, fraud, or mistakes in the development process.
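An internal audit team can test the approval and segregation-of-duties controls above directly against a change ticket extract. This is an added example, not code from the original article or from Schellman; the ticket fields and the four change records are constructed, and the checks it applies are exactly the ones the list describes: distinct requester, approver and implementer, approval recorded before deployment, and validation evidence present.

```python
"""Change-management control test: SoD and approval sequencing (added example)."""
from datetime import datetime

# Constructed extract from a hypothetical change ticketing system.
CHANGE_LOG = [
    {"id": "CHG-1001", "requester": "alice", "approver": "bob", "implementer": "carol",
     "approved_at": "2024-03-01T09:00", "deployed_at": "2024-03-02T18:00", "tested": True},
    {"id": "CHG-1002", "requester": "dave", "approver": "dave", "implementer": "erin",
     "approved_at": "2024-03-03T10:00", "deployed_at": "2024-03-03T11:00", "tested": True},
    {"id": "CHG-1003", "requester": "frank", "approver": "bob", "implementer": "frank",
     "approved_at": "2024-03-05T10:00", "deployed_at": "2024-03-04T22:00", "tested": False},
    {"id": "CHG-1004", "requester": "gina", "approver": None, "implementer": "henry",
     "approved_at": None, "deployed_at": "2024-03-06T08:00", "tested": True},
]


def _ts(value):
    return datetime.fromisoformat(value) if value else None


def check_change(record):
    """Return the list of control exceptions for one change record."""
    exceptions = []
    roles = {"requester": record["requester"], "approver": record["approver"],
             "implementer": record["implementer"]}
    # SoD: the same identity must not hold more than one of the three roles.
    seen = {}
    for role, person in roles.items():
        if person is None:
            continue
        if person in seen:
            exceptions.append(f"sod_violation:{seen[person]}+{role}={person}")
        seen[person] = role
    # Approval must exist and must precede deployment.
    if record["approver"] is None or record["approved_at"] is None:
        exceptions.append("missing_approval")
    elif record["deployed_at"] and _ts(record["deployed_at"]) < _ts(record["approved_at"]):
        exceptions.append("deployed_before_approval")
    # Validation: the change must carry evidence of testing.
    if not record["tested"]:
        exceptions.append("no_validation_evidence")
    return exceptions


def check_change_log(log):
    """Map change id -> exceptions, omitting changes with none."""
    return {c["id"]: ex for c in log if (ex := check_change(c))}
```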
What are Patch Management ITGCs?
As it involves the acquisition, testing, and installation of patches (code changes) to software and systems, patch management is crucial to your IT maintenance in that it addresses software vulnerabilities, improves functionality, and protects systems from exploitation by malicious actors.
Effective patch management encompasses the following:
- Vulnerability Assessment and Prioritization: Conducting regular vulnerability assessments and prioritizing patches based on severity and criticality helps you address the most significant risks first.
- Patch Testing Before Deployment: Performing thorough testing before implementing patches in production environments ensures compatibility and minimizes the risk of unintended consequences, such as system downtime or functionality issues.
- Patch Compliance Surveillance: Coupled with automated patch deployment mechanisms, continuous monitoring of patch compliance status across your IT infrastructure helps ensure your systems remain up-to-date and protected against known vulnerabilities.
What are Data Backup ITGCs?
A fundamental aspect of any IT security strategy, data backups provide a safety net so that—in the event of a cyberattack, system failure, or natural disaster—critical data can be recovered quickly and with minimal data loss.
Key data backup controls include:
- Periodic Data Copies: Implementing automated backup solutions to regularly create copies of critical data ensures that you can recover data from recent points in time should you need to.
- Offsite Storage and Redundancy: Storing encrypted backup copies of data in offsite locations while also leveraging redundant mechanisms—such as cloud-based backups—reduces the risk of data loss due to localized disasters or hardware failures.
- Backup Testing: Regular validation of backup procedures and restoration processes to confirm the integrity and reliability of backup data enables you to quickly recover and resume operations in the event of an emergency.
IMPORTANT NOTE: While the specific controls above are critical components of a comprehensive IT audit framework, they are only a subset of the control measures available to organizations. Depending on your risk profile and specific requirements, your critical control areas may differ from the ones we chose to focus on in this article.
The Importance of ITGCs to SOX Compliance
Establishing an effective overall IT control environment—one that includes those focus areas and more—provides reasonable assurance to shareholders that you’re well-positioned across risk categories. Not only that, but your ITGCs also play a crucial role in supporting financial reporting and compliance—particularly in the context of regulations such as SOX.
During the planning phase of your financial audit, external auditors will work closely with your internal audit function to identify financially relevant applications based on the materiality of the business processes those applications support. This can include a range of systems, from those that enable financial operations to those that process data key to financial control activities.
In order to maintain a mature control environment compliant with SOX, any application your external auditors deem financially relevant must have established ITGCs that are assessed for operating effectiveness during that audit period.
It’s at this point that your internal audit function enters the picture. It plays a pivotal role not just in supporting your external auditors, but also in periodically testing the effectiveness of your organization’s controls prior to that external audit. By conducting comprehensive reviews and tests of the organization’s internal controls over financial reporting, your internal auditors provide valuable insight and assurance on the control environment’s integrity and operational effectiveness, which the external auditors can then rely on to potentially reduce the scope of their own testing (the reliance approach).
Ensure the Endurance of Your ITGCs - Partner with Schellman
Altogether, ITGCs anchor your security posture and help to mature your daily operations processes so that you can better mitigate risks such as material misstatement, IT incidents, and loss of market confidence. But to do that—and for organizations to remain SOX compliant—your ITGCs must remain effective.
That being said, many organizations, and their internal audit teams, haven’t yet evolved with respect to how they monitor their ITGCs, often just relying on what they’ve always done from a testing perspective. That—as well as any other deficiency in your internal audit function—could potentially hamper a SOX audit. To avoid any doubt, it may suit you to leverage a top cybersecurity and IT compliance firm to perform that control testing.
Schellman offers a value-based ITGC and Business Control Testing Service, in which our highly skilled and experienced IT audit team evaluates your ITGCs so that you achieve a greater level of comfort regarding your obligations to regulators and external assessors. Your external assessors can gain similar comfort, given the quality of the testing, while also driving down their hours and costs by leveraging that internal audit work.
To learn more about our technical knowledge and how we can help your organization gain efficiencies within your ITGCs and financial audits, contact us today.
About Andrew Broderick
Andrew Broderick is a Principal in the SOC Services practice of Schellman. As a part of the SOC Services group, Andrew helps clients solve problems and explore new areas for improvement based on the organization’s adoption of new processes and technology. Prior to joining Schellman, Andrew worked in internal audit for six years, including four years in IT audit performing NIST SP 800-53 assessments, ITGC evaluations, and application development consulting engagements. During this time, Andrew attained the Certified Information Systems Auditor (CISA) certification and gained experience with numerous control frameworks, platforms, and databases including Windows, Unix, and DB2. In addition, his experience includes nearly four years of financial statement audit and tax compliance at a regional Certified Public Accountant firm in Columbus, OH. He attained his CPA license while serving clients in the manufacturing, hospitality, and not-for-profit industries.