Problem I used to work for a small organization with a few SQL Servers. I have changed jobs and started working for a much larger publicly traded company. When I was at my last job, I heard a great deal of buzz about SOX and some other types of audits and legislation. Since it did not really pertain to me, I did not worry too much about it. Now that I am faced with it and a pending audit, I need to get up to speed quickly. As such, can you provide me with some basic information about SOX? What items I should be concerned about as a DBA? Where can I find more information before an upcoming audit?
Solution The Sarbanes-Oxley Act of 2002 (SOX) includes provisions to address audits, financial reporting and disclosure, conflicts of interest, and corporate governance at public companies. This legislation is certainly an whole new challenge and has changed the way many organizations operate from the top down. The SOX legislation is in response to Enron, WorldCom, and other corporate governance issues where the "books were cooked" with inaccurate financial figures.
As a DBA in the trenches new to SOX, it is important to learn from your peers or internal auditors on how SOX is handled in your organization. SOX is really about how to handle processes, but is not tied to a specific technology or technique. The good side of that situation is that you have flexibility in how you approach the need, the bad side is that you may need to build a process from the ground up. Since you are new to the organization and since the organization has probably completed previous audits, start with that information and validate the needs are met. If they are not, then begin to work towards compliance and validate the steps you are taking are correct.
A SOX Primer
Although the legislation is long and covers a wide range of financial matters, below outlines the sections that have been interpreted as being pertinent to IT (information technology) departments:
SOX Section 302 - Corporate Responsibility for Financial Reports
The CEO and CFO must review and approval all financial reports. They are responsible for any misrepresentations, internal accounting controls, any fraud involving the management of the audit committee and they must indicate any material changes in internal accounting controls.
SOX Section 404: Management Assessment of Internal Controls
All annual financial reports must include an Internal Control Report stating that management is responsible for an "adequate" internal control structure and an assessment by management of the effectiveness of the control structure. Any shortcomings in these controls must also be reported. In addition, registered external auditors must attest to the accuracy of the management’s assertion that internal accounting controls are in place, operational and effective.
SOX Section 409 - Real Time Issuer Disclosures
Companies are required to disclose on almost real-time basis information concerning material changes in its financial condition or operations.
SOX Section 902 - Attempts and Conspiracies to Commit Fraudulent Offenses
It is a crime for any person to corruptly alter, destroy, mutilate, or conceal any document with the intent to impair the integrity or availability for use in an official proceeding.
SOX Preparation Checklist for DBAs
As you begin to learn about SOX and your environment, use the following items as a baseline when preparing your environment for an audit:
Data integrity ownership and responsibilities communicated to appropriate business owners acceptance of responsibilities.
Key database systems inventoried and owners identified
Database Management staff understands and accepts their responsibility regarding internal controls
Division of roles and responsibilities, a segregation of duties between logical DBAs (SQL Developers) and physical DBAs that prevents single DBA from unauthorized alterations
Review documented database management processes
Review documented database management risks
Documented database management process controls
Testing of database management control methods
Gap identification and controls improvement process
Update database management processes and document controls
Data Auditing Checklist
Below outlines some best practices when auditing data across your SQL Server databases:
Pervasive – Monitor and record critical data activity across the full range of databases, applications and systems.
Transparent – Non-intrusive and invisible to users, especially privileged users. In addition, transparent from a performance perspective such that the databases, overall system, users or network are not negatively impacted.
Intelligent – Ability to filter and collect only specified target activities as required to achieve compliance and discard the unneeded items. This enables an organization to efficiently manage compliance and data, reducing both storage costs and liability.
Scalable – Scale easily and cost-effectively to keep pace with changes in the enterprise IT environment.
Flexible – Allow an organization to easily tailor data auditing to its specific needs. Flexible, policy-based rules will enable easy customization. Create and modify policies to meet the data auditing needs of other regulations, handling multiple compliance challenges with a single solution.
Real-time – Isolate and identify unusual activity in real time to help detect, alert and stop non-compliant data activity rapidly to mitigate risk.
Historical – Document a comprehensive, easily searchable audit trail for monitored data activity. Then provide rich reporting capabilities, in alignment with an organization’s own corporate business processes.
Common Auditor Requirements and Research
As a point of reference, below outlines some of the common areas an auditor will be interested in from a SQL Server perspective:
Monitoring database access by privileged users
Monitoring changes in privileges
Monitoring access failures
Monitoring schema changes
Monitoring direct data access
Documentation review and verification
Review of audited data from monitoring system
Below are some additional SOX resources to consider:
The information in this tip should serve as a primer on SOX and putting the right procedures in place. Depending on your organization and the applications in use, you should understand how to best prepare for the audit.
As you begin to learn about SOX and data auditing, consider this tip a spring board to dive deeper into the variety of requirements from a SOX perspective.