In today’s technology-driven financial world, the increasing number of cybersecurity attacks has heightened the risk of material misstatement in reporting from breached (or previously breached) financial applications.
With this increase, cybersecurity has become a deeper focus within the Sarbanes-Oxley security framework of many organizations.
Companies need to remember that the scope of SOX only includes financial controls and, therefore, testing is limited to production in-scope financial applications, servers, operating systems, and databases. There are many other servers and devices not reviewed for SOX compliance that may be compromised and, in turn, impact financial reporting. Thus, it is critical to take a holistic security and internal audit approach that includes prevention, detection, and corrective controls to address cybersecurity risks.
For starters, internal auditors should be incorporating cyber risks within their annual audit risk assessments and should be interviewing key cybersecurity personnel during the process. Now that boards are asking more questions about cyber risks and mitigation efforts, there is value in scheduling these meetings even more frequently. It is critical, then, that Internal Audit has IT audit resources that are familiar with current cybersecurity risks and that time for these resources is budgeted for non-SOX cyber audit work throughout the year. After cyber risks are identified and controls are designed, it is important to baseline your company's SOX and cyber controls against a cybersecurity framework such as NIST in order to test and monitor the effectiveness of mitigation efforts.
IT controls that companies review in SOX can be used in other applications and IT environments to strengthen cybersecurity posture, including:
- Using least privilege for access control
- Changing network, application, firewall, database, and operating system admin passwords regularly
- Password controls
- Restricting service accounts to only those with necessary privileges
- Segregation of duties in change management and access modification
- Access review and certification of applications
- Change management procedures
- Backup procedures
For direct SOX evidence, companies should complete a SOX cybersecurity memo annually and consider additional SOX controls. A SOX cybersecurity memo should be completed by the internal and external IT auditors to assess how prepared the company is for a cyberattack. These discussions often lead to how the IT security and internal audit groups in a company can benefit from each other. Based on the cyber discussions, obvious design gaps should be addressed, including issues like limited cyber resources, no cyber risk assessment, no cyber maturity framework, poor cyber policies and procedures, inadequate cyber training, etc. These discussions give auditors a high-level understanding of the current state of the cyber program.
Disaster recovery is also starting to appear as a SOX key control, despite being historically viewed as a corrective control and, consequently, out of the scope of SOX. Adding this control brings additional focus on whether companies can recover their in-scope financial applications in the event of a cyberattack.
Not all necessary cyber controls will ever be within your SOX framework; therefore, security departments should require additional cyber controls and frameworks and Internal Audit departments need to schedule high-risk cyber/IT audits to validate the cyber department’s procedures, especially for controls out of scope of SOX compliance.