IT security policies in a post-SOX world


The Sarbanes-Oxley Act (SOX) enacted in 2002 had a profound effect on how public companies are governed, particularly regarding financial reporting and accuracy. While most people think of SOX as a financial compliance regulation, it had tremendous repercussions on IT security and still does. In today’s world of cloud and distributed computing, managing access to and protecting the integrity of key financial data requires ever-increasing security measures.

For example, enterprises document IT security policies for SOX audit and compliance to prove to auditors and regulators that the organization has proper controls to protect the integrity of financial and other critical information. For the IT policies to satisfy SOX, they must cover things like:

  • Access management and user authorization, which has grown more complicated with two-factor authentication and requirements for more complex, regularly changing passwords.
  • Network security, and cybersecurity in particular, to detect and prevent intrusions and to encrypt confidential data.
  • Monitoring systems that track usage and identify any unusual or suspicious behavior.

While most efforts on the IT side of SOX compliance deal with these items, protections for one key element of finance tracking, forecasting and calculations cannot be overlooked: spreadsheets.

Spreadsheet depth and breadth

The widespread use of spreadsheets in financial operations is well documented. In a typical enterprise, hundreds and sometimes thousands of spreadsheets may be incorporated into planning and reporting processes. One financial intelligence company, CODA, reported that 95% of U.S. firms use spreadsheets for financial reporting. Auditors are now extending their efforts to cover spreadsheets, recognizing how pervasive they are in many SOX-related business processes. The role spreadsheets play in fueling critical business processes is undeniable.

Despite this, many enterprises do not incorporate controls for the spreadsheets containing their critical financial data. Given the need for spreadsheet security in a post-SOX world, and the pace at which the technology around it changes, spreadsheet management technology must be elevated to a strategic imperative to ensure SOX compliance.

Managing spreadsheet risk

Controlling access to critical spreadsheets, like other access management protocols, is important. However, it is only the first step. Best practices start with improved governance, and include implementing:

  • An inventory of critical spreadsheets, recording who has access to them and who can edit them.
  • Segregation of roles, so that no one person can influence and manipulate all the information presented, reducing the risk of fraud.
  • Version controls to protect against inadvertent changes.
  • Encryption and other security measures.
  • Software tools that comb through spreadsheets to identify issues, errors and inaccuracies, so that erroneous information can be remedied before it is reported.

The financial industry hailed the enactment of SOX as a way to reassure investors of the integrity of financial reports. That confidence relies heavily on IT security controls to protect the firm’s financial data from risks both within the enterprise and without. Ensuring the accuracy of spreadsheet data fuels accurate business decisions as well as investor and public trust. Aligning IT security controls and preventing risks, whether formula errors in important financial projections or data breaches, is critical for SOX compliance and corporate governance.

Incisive Software’s spreadsheet management solution provides a modern, automated approach to gaining accuracy, control, and insight into an organization’s most complex, sensitive and critical spreadsheets, enabling you to use accurate and consistent data that you can trust.

Read the Forrester study we commissioned, “Think Spreadsheet Risk Isn’t a Threat? Think Again”, to understand how you can begin to mitigate spreadsheet risk. You will learn why companies that prioritize spreadsheet risk are better positioned to protect customers, revenue and reputation.  


About Diane Robinette

Diane Robinette is President and CEO at Incisive Software, a company helping risk executives reduce exposure in critical business and financial processes. Prior to Incisive, Diane served in executive and senior level positions at companies including BroadVision, Contivo (acquired by Liaison Technologies), Covigna (acquired by ProQuest/Snap-on), Perfect Commerce and Proximex (acquired by Tyco). She also held management positions at KPMG and EY. Diane believes that by taking a modern and automated approach, risk teams can move towards a risk resilient posture that allows them to anticipate and reduce exposure, no matter what is thrown their way.