The series so far:
- Introduction to HIPAA and SOX — Part 1
- HIPAA and Database Administration — Part 2
- SOX and Database Administration — Part 3
- SQL Server Auditing for HIPAA and SOX — Part 4
The U.S. Congress passed the Sarbanes-Oxley Act of 2002 (SOX) in response to the number of financial scandals surrounding major corporations such as Enron and WorldCom. By regulating financial reporting and other practices, the SOX legislation significantly expanded the role of the Securities and Exchange Commission (SEC) in its ability to oversee U.S. public companies.
The new law sought to improve the accuracy and reliability of corporate financial disclosures and to force companies to be more transparent. To this end, the law also established the Public Company Accounting Oversight Board (PCAOB) to oversee corporate auditing practices and to establish the rules, standards, and quality control mechanisms that govern financial reporting.
The SOX regulations are arranged into 11 titles that are broken down into individual sections. Each section defines a different aspect of a corporation’s responsibilities for achieving financial transparency and avoiding fraudulent practices. Corporate officers are legally bound to carry out the law’s requirements and ensure the accuracy and completeness of all financial disclosures.
Although officers carry the brunt of the responsibility, complying with the SOX regulations is a companywide effort, with most departments involved in the process. For many organizations, however, much of their financial data resides in databases, putting DBAs at the front lines for protecting data, ensuring its integrity, and supporting the internal controls required for SOX compliance.
Complying with SOX Regulations
The SOX regulations leave it up to the corporation to figure out the best methods to use to comply with the law. DBAs working for a public company should familiarize themselves with the regulations, particularly those sections most relevant to compliance. Although much of the focus around SOX compliance centers on sections 302 and 404, several other sections are also important to gaining insight into the regulations, including sections 401, 408, and 409.
Section 302 describes the corporation’s responsibilities when filing quarterly and annual SEC financial reports. The section states that signing officers must certify that the reports do not contain any “untrue statement of a material fact or omit to state a material fact” that would result in a misleading report. In addition, all material included in the report must fairly present the “financial condition and results of operations” for the applicable period of the report.
The main thrust of this part of Section 302 is that all financial SEC reports must be complete, accurate, and in no way misrepresent the organization’s financial condition. To ensure this compliance, Section 302 also outlines the corporation’s responsibilities for establishing and maintaining internal controls for financial reporting as well as for evaluating and reporting on the effectiveness of those controls.
In addition, signing officers must disclose to outside auditors and the internal auditing committee “all significant deficiencies in the design or operation of internal controls,” as well as any fraud that “involves management or other employees who have a significant role in the issuer’s internal controls.” Plus, the corporation must report any significant changes or other factors that could impact the controls.
The requirements for complete and accurate information, along with having internal controls in place, have serious implications for DBAs who manage database environments that contain financial information. The data’s integrity, security, and availability must be ensured at all times and the necessary mechanisms put into place to support an internal control structure.
Section 401 identifies additional disclosures that corporations must include in their quarterly and annual SEC financial reports. For example, each report must “reflect all material correcting adjustments that have been identified by a registered public accounting firm.” In addition, the section states that each report must include the following:
…all material off-balance sheet transactions, arrangements, obligations (including contingent obligations), and other relationships of the issuer with unconsolidated entities or other persons, that may have a material current or future effect on financial condition, changes in financial condition, results of operations, liquidity, capital expenditures, capital resources, or significant components of revenues or expenses.
In other words, corporate officers must fully disclose all corrections identified by outside auditors as well as relevant relationships that might impact the organization’s financial picture.
Section 401 also states that all financial information included in the SEC reports or in “any public disclosure or press or other release” shall not contain untrue statements or omit the facts necessary to understanding the corporation’s financial condition. Not only must corporations provide an accurate accounting to the SEC, but also to the public at large, again putting the pressure on DBAs to ensure the accuracy, security and availability of financial data.
Section 404 is specific to managing the assessment of internal controls. According to this section, each financial SEC report must include an internal controls report that states the management’s responsibility for “establishing and maintaining an adequate internal control structure and procedures for financial reporting.” In addition, the internal controls report must include an assessment of the effectiveness of the internal control structure and procedures.
Section 404 also states that registered public accounting firms that prepare or issue internal control reports for the corporation must “attest to, and report on, the assessment made by the management of the issuer.”
As noted earlier, Section 302 outlines the requirements for an internal control structure. Not surprisingly, the process of establishing such a structure will likely involve the database team either directly or indirectly, at least as it pertains to the database environment. Because of Section 404, the team will just as likely have to support an auditor’s ability to assess the effectiveness of that system. For example, if an employee with direct database access has left the company, an auditor should be able to see when and if the user’s account has been deleted from the database system. The good news here is that an effective internal control structure will likely have the mechanisms in place to support this type of verification.
On the surface, Section 408 is more about SEC responsibilities than those of the corporation. The section states that the SEC must review the financial disclosures submitted by a corporation on a “regular and systematic basis for the protection of investors,” no less frequently than once every three years. However, except for the three-year limit, the frequency with which financial records are reviewed is left to the discretion of the SEC.
That said, Section 408 does provide several guidelines for when a review might be warranted, such as a corporation’s stock prices being more volatile than those of other corporations. Of these guidelines, the final one is perhaps the most significant, stating that the SEC should consider a review for “any other factors that the [SEC] may consider relevant.” In other words, the SEC has free rein in deciding when to review an organization’s financial records, as long as it’s done at least once every three years.
The implication here is that a corporation could be faced with an SEC audit at any time, in which case the DBA must ensure that the systems are in place to handle an audit whenever it might occur. SEC auditors require vast amounts of information, not only financial data, but also details about the internal control structure and the mechanisms in place to assess that structure. If the database team and the rest of the corporation are not prepared for an audit, they could find themselves working 20-hour days trying to pull everything together and still come up short.
Section 409 is specific to real-time disclosures and is short and to the point:
Each issuer reporting under section 13(a) or 15(d) shall disclose to the public on a rapid and current basis such additional information concerning material changes in the financial condition or operations of the issuer, in plain English, which may include trend and qualitative information and graphic presentations, as the Commission determines, by rule, is necessary or useful for the protection of investors and in the public interest.
The bottom line here is that the corporation must keep investors and the public informed about significant changes in the corporation’s operations or financial status “on a rapid and current basis.” For the DBA, this means ensuring the continual integrity and availability of the data so the corporation’s financial department can stay abreast of any significant changes and report on them immediately.
SOX Compliance and the DBA
The SOX law contains many more sections than those summarized above, and the sections I’ve summarized contain more information than what I’ve covered here. Before taking any steps to address SOX compliance, DBAs should understand exactly what the law expects and their role in the corporation’s larger compliance effort. The summaries I’ve provided here are meant only as a starting point for understanding how the regulations might impact database administration and what it will take to comply with them.
Not surprisingly, the exact steps that database teams need to take to achieve compliance will depend on the size of their organizations, the amount of financial data stored in their databases, how their teams and infrastructures are organized, and other important factors. Despite these variables, they should keep in mind the following six guidelines when planning how they’ll approach SOX compliance and the steps they’ll take to get there.
Defining Policies, Standards, and Procedures
Applies to sections 302, 404, 408 and 409 in the SOX regulations.
The database team should start by defining specifications that describe how the database environment will be protected and how the internal control structure will be implemented and assessed. The specifications should cover all aspects of database security and accountability. For example, they should include a security model that defines who can access what financial data, how user accounts are added and removed, what groups and roles will be set up, how users will be authenticated, and any other details that govern database security. The specifications should also address such issues as database coding practices, monitoring strategies, audit-response planning, and risk assessments.
Ensuring Data Integrity
Applies to sections 302, 401, and 409 in the SOX regulations.
A corporation must ensure that all financial data is accurate and complete. If that data is stored in databases, the database team must guarantee the data’s integrity, starting with normalized database designs that eliminate duplicate data and minimize the risks from data modification errors. In addition, the team should implement primary keys, foreign keys, unique indexes, defaults, triggers and other types of constraints as necessary to ensure integrity. The team might also need to work with application developers to verify that code reviews address query-related issues such as implicit data conversions or the use of zeroes or nulls for default values.
Ensuring Data Availability
Applies to sections 302, 401, 408, and 409 in the SOX regulations.
DBAs must ensure that financial data is available whenever it is required. The financial department should be able to access and update data as needed and permitted. Stakeholders should be able to generate reports to provide accurate financial insights. Full and accurate information should be available to internal, external, and SEC auditors as required. In addition, files and databases that support monitoring, reporting, or internal control components should also be readily available if they’re needed. The database team must implement disaster recovery and high availability strategies that protect against hardware failures, data corruption, natural disasters, cyberattacks, or any incidents that can lead to data being lost or unavailable in the short- or long-term.
Securing the Environment
Applies to sections 302 and 401 in the SOX regulations.
Database teams must ensure that financial data cannot be wrongfully deleted or modified, whether maliciously or inadvertently. To this end, they must take whatever steps necessary to protect the components that make up the database environment, working with other IT administrators as necessary to provide complete protection. Security considerations must include the entire physical infrastructure, including the database servers, storage media, network components, and facilities themselves, as well as database management systems, operating systems, and other supporting software. Database teams should also consider such factors as minimizing attack surfaces, applying security patches, or deleting built-in service accounts in the database system.
Controlling Data Access
Applies to sections 302 and 401 in the SOX regulations.
Part of securing the environment is to control access to the data itself to ensure that it cannot be wrongfully modified or deleted. Integral to this process is the effective management of the accounts and passwords that users and applications require to access the data. Data access should be based on the principles of least privilege so that individuals cannot access any more information than is necessary for them to do their jobs. The accounts should also be managed based on separation of duties to reduce the potential for fraud or error. In addition, only authorized personnel should be able to carry out such tasks as updating database schemas or configuring server settings.
Auditing and Monitoring Systems
Applies to sections 302, 401, 404, 408, and 409 in the SOX regulations.
Monitoring and auditing the database systems is essential to addressing all five of the SOX sections described above. A comprehensive auditing strategy tracks user activity, data and schema modifications, security changes, and other events, helping to reveal both real and potential security threats. Detailed auditing is also integral to meeting the requirements for internal controls and for assessing those controls and determining their effectiveness. Although this level of auditing can impact performance and resource requirements, it must be utilized to its fullest to provide the necessary controls. Fortunately, auditing solutions are available in most major database management systems and include the ability to set up alerts and generate comprehensive reports.
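One way to put several of these guidelines into practice on SQL Server (the platform Part 4 of this series covers), as an added example that is not part of the original article: integrity constraints on a small journal table, a trigger that keeps posted entries immutable so corrections become reversing entries, least-privilege roles, and an audit that records account, permission and schema changes. All object and role names, the FinanceDB database, and the audit file path are hypothetical.

```sql
CREATE SCHEMA fin;  -- run inside the (hypothetical) FinanceDB database
GO
-- Integrity: explicit types, keys and checks; no NULL or zero defaults for amounts.
CREATE TABLE fin.Account (
    AccountId   INT           NOT NULL CONSTRAINT PK_Account PRIMARY KEY,
    AccountCode CHAR(8)       NOT NULL CONSTRAINT UQ_Account_Code UNIQUE,
    AccountName NVARCHAR(100) NOT NULL
);
CREATE TABLE fin.JournalEntry (
    EntryId   BIGINT IDENTITY(1,1) NOT NULL CONSTRAINT PK_JournalEntry PRIMARY KEY,
    AccountId INT           NOT NULL CONSTRAINT FK_JournalEntry_Account REFERENCES fin.Account (AccountId),
    Amount    DECIMAL(19,4) NOT NULL CONSTRAINT CK_JournalEntry_Amount CHECK (Amount <> 0),
    PostedAt  DATETIME2(0)  NOT NULL CONSTRAINT DF_JournalEntry_PostedAt DEFAULT SYSUTCDATETIME(),
    PostedBy  SYSNAME       NOT NULL CONSTRAINT DF_JournalEntry_PostedBy DEFAULT SUSER_SNAME(),
    Reverses  BIGINT        NULL     CONSTRAINT FK_JournalEntry_Reverses REFERENCES fin.JournalEntry (EntryId)
);
GO
-- Posted entries are never changed in place; a correction is a new entry that reverses the old one.
CREATE TRIGGER fin.trg_JournalEntry_Immutable ON fin.JournalEntry
INSTEAD OF UPDATE, DELETE AS
    THROW 50001, 'Journal entries cannot be updated or deleted; post a reversing entry.', 1;
GO
-- Least privilege and separation of duties: posters insert and read, auditors only read.
CREATE ROLE fin_poster;
GRANT SELECT, INSERT ON SCHEMA::fin TO fin_poster;
DENY  UPDATE, DELETE, ALTER ON SCHEMA::fin TO fin_poster;
CREATE ROLE fin_auditor;
GRANT SELECT ON SCHEMA::fin TO fin_auditor;
GO
-- Auditing: record login/user, role, permission and schema changes plus any write attempt
-- against fin.*, so an auditor can later see when a departed employee's account was removed.
USE master;
GO
CREATE SERVER AUDIT SoxAudit TO FILE (FILEPATH = 'D:\Audit\');  -- placeholder path
CREATE SERVER AUDIT SPECIFICATION SoxServerSpec FOR SERVER AUDIT SoxAudit
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (AUDIT_CHANGE_GROUP)            -- tampering with the audit itself is recorded
WITH (STATE = ON);
ALTER SERVER AUDIT SoxAudit WITH (STATE = ON);
GO
USE FinanceDB;
GO
CREATE DATABASE AUDIT SPECIFICATION SoxDbSpec FOR SERVER AUDIT SoxAudit
    ADD (DATABASE_PRINCIPAL_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (SCHEMA_OBJECT_CHANGE_GROUP),
    ADD (UPDATE, DELETE ON SCHEMA::fin BY public)
WITH (STATE = ON);
```

Once both specifications are on, a dropped user or login shows up in the audit file (readable with sys.fn_get_audit_file) with the time and the principal that performed the action, which is exactly the evidence the Section 404 example above asks for.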
Achieving SOX Compliance
To comply with SOX regulations, DBAs must ensure the integrity, availability, and security of the data and its environment. They must also have in place an effective monitoring strategy to guarantee ongoing protection and meet the requirements for internal controls. The SOX law doesn’t specify how to go about implementing all this, only that it needs to be done. Fortunately for many database teams, much of what the law requires is consistent with the security and management best practices they already have in place.
Even so, complying with the SOX law can be a complex process, and the database team should work closely with other teams to ensure that all regulations are met and nothing slips through the cracks, only to be discovered during an SEC review. Those involved in planning a compliance strategy need to fully grasp how the regulations work and the implications of being out of compliance. The better they understand the law and the more carefully they plan and prepare, the more effectively they can meet the SOX requirements and minimize the risks from an SEC audit.