Jun 1 ’05
SOX & the Database Professional: Setting the Stage
Every publicly traded company in the U.S. has felt the impact of the Sarbanes-Oxley Act of 2002 (SOX). The Act’s provisions are far-reaching enough that many consider SOX the most significant change to federal securities laws since the New Deal.
Complying with SOX requires a lot of work, but SOX can also provide career-enhancing opportunities for database professionals. That’s because it requires changes to how data-related risks are managed and documented. Few SOX-preparation teams include staff experienced in designing and administering database systems, and as a result, database professionals are being called on to participate. Those who enthusiastically assist in compliance efforts often find themselves identified as “business-oriented” technical resources who are candidates for other high-value, high-profile projects. They’re also finding themselves uniquely situated to make a compelling argument for using compliance dollars to purchase database productivity tools.
Not long ago, Americans believed in the people running public companies. Investors used corporate reports and balance sheets to judge the health of a company, trusting the data on those reports because independent auditors had examined and certified them. Then came the Enron, Worldcom, and Arthur Andersen scandals, and another picture emerged.
It turned out that many companies’ financial practices had been progressing steadily into gray areas, and their auditors had been supporting—sometimes encouraging—these practices. The CEOs and CFOs who were issuing corporate reports were relying on financial data that bubbled up from various business units using different processes, different IT systems, and different data models, so no person in the organization could say with certainty that the data was complete and correct. While there have always been penalties for fraud, there were no penalties for mistakes, and it was simply too easy to “mistakenly” paint an incorrect picture of a company’s financial health.
Investors and politicians got fed up with fraud, greed, plausible deniability by executives, too little transparency into corporate processes, and lack of accountability. Finally, Congress passed SOX, which was sponsored by U.S. Senator Paul Sarbanes and U.S. Representative Michael Oxley.
What Is Sarbanes-Oxley?
SOX applies to publicly traded companies and the firms that audit their financial statements. The Securities and Exchange Commission (SEC), which has jurisdiction over publicly traded companies, and the newly created Public Company Accounting Oversight Board (PCAOB), which reports to the SEC and oversees auditing firms, enforce SOX.
The stated purpose of SOX is to “strengthen corporate governance and restore investor confidence.” What’s it really about? Data! The many provisions of SOX are designed to ensure that:
- Data that appears on corporate financial reports is complete and accurate.
- Mismatched systems or processes haven’t degraded data that feeds into financial reports.
- Uncontrolled staff or management haven’t corrupted financial data.
- The auditors who verify financial reports aren’t influenced by staff, executives, or corporate board members.
- The processes used to derive financial data are transparent, standardized, and auditable.
How Important Is SOX?
Companies can’t choose to ignore SOX. If certain provisions aren’t implemented (e.g., a whistleblower hotline), the SEC can order that the company be delisted.
CEOs and CFOs potentially face both criminal and financial consequences for SOX violations. The CEO and CFO must certify corporate financial statements, removing the excuse of plausible deniability. If the CEO and CFO submit bad certifications, they could be liable for fines up to $1 million and imprisonment for up to 10 years. If their incorrect certifications were submitted “willfully,” the law says the fine can be increased up to $5 million and the prison term up to 20 years.
If the company complies with SOX but fails its audit, there are no direct consequences. However, it can expect “market reaction,” which is code for falling stock prices. For most companies, the market tends to react to any disclosure of a material weakness, even if it was corrected in time to pass the audit.
Stock prices fluctuate every day. So what does it matter if a company’s stock price is affected by a poor audit? The answer depends on whom you ask. In general, companies have expressed relief that SOX announcements have resulted in only a 3 percent drop in their stock price. For companies whose management is respected and trusted by investors, such drops have been temporary. For companies whose investors already had misgivings about management or financial practices, the price drop tends to be much greater and more long-lasting.
Implications for You
A high enough penalty for failure means you should be able to get the attention of management if you believe your department is at risk. Even if you don’t own company stock, you should care if your department is at risk because:
- A failed audit could lead to layoffs.
- Recognizing a potential failure point and correcting it can improve your image, marking you as business-savvy.
- The way to avoid a failure might be to implement a productivity tool you’ve long wanted but couldn’t justify.
What is your argument if you believe you’re at risk, but you’ve already been audited and your department wasn’t cited? That doesn’t mean it won’t be next year. Auditing guidelines for evaluating database compliance came out so late in 2004 that many firms gave databases little attention during the last auditing cycle. Now that expected controls for databases have been established, you can expect more attention in the next cycle.
The Impact of SOX
SOX affects many areas of your company. Your board of directors, for example, is required to serve in a stronger checks-and-balances position, offsetting the power held by the corporate CEO and CFO. The board is required to include a minimum number of independent directors, and board members (instead of executives) are now required to take responsibility for engaging auditors. A board committee is charged with providing oversight of the company’s internal control system, and all board members face greater personal responsibilities and liabilities.
The CEO and CFO are also affected:
- They can’t control the company’s outside auditors or the reports they produce.
- The CEO and CFO must personally attest to the accuracy of the data in corporate financial reports and that the company has adequate internal controls over financial reporting. Such controls must protect financial processes and also the IT systems and processes that feed them.
- CEO and CFO affirmations generally have a trickle-down effect on any other executives and managers who deal with financial data.
Burdens on Finance departments include:
- Financial processes must be documented.
- Controls over those processes must be documented.
- Roles and responsibilities for the processes and controls must be formalized, documented, and proved.
SOX requires that financial data roll up unambiguously from multiple departments and locations into a single report. This can be a problem where multiple systems exist. To comply, Finance departments have found they must sometimes replace informal or undocumented practices with more formal ones.
Data and IT departments have been affected, too:
- Because many IT projects and systems are costly, they can affect corporate financials. Rules about funding, allocating charges to capital vs. expense budgets, and time reporting are stricter.
- Because financial systems must have corresponding controls, IT staff that use and support the systems have been asked to participate in completing system and process documentation.
- Databases, systems, and processes may have to go through a more formal change management process.
- Staff may find their typical duties augmented with extra responsibilities designed to provide audit trails.
Before SOX, database professionals were expected merely to do their job. With SOX, the motto has changed from, “Just do it,” to “Do it, control it, document it, and prove it!”
If you’re a DBA, data architect, analyst, or other data professional, there’s now intense interest in what your job entails and who’s doing it. Because of SOX, departments that deal with financial data can’t simply be left alone to do their jobs. Instead, the SOX team has to understand how your work fits into the areas of Governance, Risk, Controls, and Security (GRCS).
Governance, Risk, Controls, and Security
Your auditors must issue an adverse opinion (a failed audit) if they find your company has inadequate governance, security, or control:
- Adequate governance means the staff in your department can make decisions based on professional judgment with a clear understanding of how decisions are to be made, by whom, under what circumstances, and when.
- Adequate security in a database environment means mechanisms have been designed that protect your data and such controls are implemented and monitored.
- An adequate control environment means your company’s “tone from the top” sends the right message about ethics and controlling risk, and that the company provides the structures and activities needed to support both general and specialized control activities.
When your CEO and CFO sign SOX Section 404 attestations, they’ll also be declaring they’ve assessed risks to their financial data, employing a universal risk language (e.g., probability and impact of risks) and one or more industry-accepted control frameworks. They probably will have chosen a framework from the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, whose framework describes financial controls, or the Control Objectives for Information and related Technology (COBIT) framework, which describes IT-specific controls.
Those in your company who are dealing with SOX must be able to express an IT or data concept using the languages of IT, risk, and auditing. If you want to be seen as part of the solution, not another problem, then you, too, should learn to express your key concerns in all three languages.
Risk and Controls
For every identified risk, your company is expected to choose one or more strategies:
- Accept it.
- Transfer it to someone else.
- Mitigate it by preventing it, detecting it when it happens, and reducing its impact when it happens.
Once the company picks a strategy, corresponding controls are designed and implemented:
- Preventive controls are designed to prevent a problem from occurring. They might include requiring approval for all purchase orders over a certain dollar threshold, or the use of passwords to gain access to networks, systems, and data.
- Detective controls uncover problems after they’ve occurred. They include reviews, reconciliations, and certain types of analysis.
- Corrective controls either solve a problem (so it isn’t a problem anymore) or reduce the impact.
Hierarchy of Controls
Not all controls are created equal. For instance, if you don’t bother with virus protection, it won’t matter how many controls you’ve put on at the application level. Eventually, your data is bound to get infected. Forget to put a lock on your front door, and it won’t matter that you’ve trained your employees to put their paperwork out of sight. To help companies understand how controls build on each other, the big auditing firms have established the following hierarchy of controls (1 being at the top, 5 at the bottom):
1. Manual process controls
2. Application controls
3. Database controls
4. Operating system/infrastructure controls
5. General IT and operations controls
General IT and operations controls include areas such as physical security, electronic security, and data access management. Without effective general controls, all other efforts to ensure data integrity could be rendered worthless. Operating system and infrastructure controls include efforts such as network firewalls and virus protection. Unless these are in place, databases could be violated. Likewise, database controls are required to ensure application security and to complement application-specific controls. Typically, controls over manual processes rely upon the effectiveness of controls at all the supporting hierarchy levels.
Database controls support most process and application controls, including those that touch financial data. They’ll be included in your company’s SOX preparation and documentation efforts. Who will assess your database-related risk and design your database controls?
You need to ask: Does your company’s internal SOX preparation group know your data management environment as well as you? How about any external consultants your company has hired? If others are intimately familiar with your databases and data management environment, then you and your department are probably in good shape.
However, if this isn’t the case, you can bring value to your company’s SOX compliance efforts. Your work could affect the outcome of your audit, your company stock price, and the possibility of CEO/CFO fines and jail time.
You may be in a position to assist with SOX documentation. This could include helping develop system documentation or process flows, choosing risk management approaches, developing controls documentation, or recording roles and responsibilities. You may be able to help prove that control activities are happening. You may be asked to contribute to governance and stewardship records, activity logs, audit trails, or controls tests.
Opportunities for Your Department
Becoming involved in your company’s SOX preparation efforts could also generate opportunities for your department. A common problem auditors find is a lack of “segregation of duties.” This principle states that any financial process that contains the potential for abuse should be separated into distinct steps assigned to different users. This segregation, or separation, of duties ensures that no individual acting alone can compromise the security of the financial data. The reasoning is sound: It’s a deterrent to certain types of internal fraud and collusion if a single individual isn’t allowed to perform both those tasks that could contribute to fraud and also those that could cover it up.
But what if you have single-person coverage of key mainframe databases? Short of hiring extra staff, what can you do to achieve compliance? One answer is to automate tasks where possible. That way, when you have pairs of tasks that fall under segregation of duties requirements, at least one of the pair can be handled by someone other than your mainframe expert.
Often, productivity tools include the ability to automate steps. You may be able to justify the purchase of productivity tools if they enable segregation of duties. You may also be able to justify upgrades to tools if they enable audit trails.
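The segregation-of-duties principle described above can be checked mechanically: list the pairs of tasks that no single person should hold, compute each user’s effective tasks from their roles, and report anyone holding both halves of a pair. The following is an added example, not code from the original article; the task names, roles, users and the “before/after” assignments are all constructed for illustration. It models the single-person mainframe coverage scenario (the DBA both applies and approves schema changes) and the remediation the article suggests, moving the approval step to a separate role held by someone else or by a scheduled job account.

```python
"""Segregation-of-duties (SoD) checker over role assignments.

Added example; all task names, roles and users below are constructed.
"""

# Pairs of tasks one person should not hold alone: the first half could
# contribute to fraud or error, the second half could cover it up (constructed).
CONFLICTING_TASKS = frozenset({
    frozenset({"create_purchase_order", "approve_purchase_order"}),
    frozenset({"apply_schema_change", "approve_schema_change"}),
    frozenset({"load_financial_data", "reconcile_financial_data"}),
})

# "Before": a single mainframe DBA role both applies and approves changes.
ROLE_TASKS_BEFORE = {
    "ap_clerk": {"create_purchase_order"},
    "ap_manager": {"approve_purchase_order"},
    "mainframe_dba": {"apply_schema_change", "approve_schema_change",
                      "load_financial_data"},
    "finance_analyst": {"reconcile_financial_data"},
}
USER_ROLES_BEFORE = {
    "pat": {"mainframe_dba"},       # the only mainframe expert
    "kim": {"ap_clerk"},
    "lee": {"ap_manager"},
    "sam": {"finance_analyst"},
}

# "After": approval is split into its own role, held by a change-management
# job account rather than the DBA, so no human holds both halves.
ROLE_TASKS_AFTER = {
    "ap_clerk": {"create_purchase_order"},
    "ap_manager": {"approve_purchase_order"},
    "mainframe_dba": {"apply_schema_change", "load_financial_data"},
    "change_approver": {"approve_schema_change"},
    "finance_analyst": {"reconcile_financial_data"},
}
USER_ROLES_AFTER = {
    "pat": {"mainframe_dba"},
    "change_job": {"change_approver"},  # scheduled, separately owned job account
    "kim": {"ap_clerk"},
    "lee": {"ap_manager"},
    "sam": {"finance_analyst"},
}


def effective_tasks(user_roles, role_tasks, user):
    """Union of the tasks granted by every role the user holds."""
    tasks = set()
    for role in user_roles.get(user, ()):
        tasks |= role_tasks.get(role, set())
    return tasks


def find_sod_violations(user_roles, role_tasks, conflicts=CONFLICTING_TASKS):
    """Map each violating user to the sorted list of conflicting task pairs
    they hold. Users with no conflict are omitted, so an empty dict means
    the assignment satisfies segregation of duties."""
    violations = {}
    for user in user_roles:
        tasks = effective_tasks(user_roles, role_tasks, user)
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= tasks)
        if hits:
            violations[user] = hits
    return violations


def report(label, user_roles, role_tasks):
    """Print a short audit-style summary for one assignment scenario."""
    violations = find_sod_violations(user_roles, role_tasks)
    print(f"{label}: {len(violations)} user(s) with SoD conflicts")
    for user, pairs in violations.items():
        for first, second in pairs:
            print(f"  {user}: holds both '{first}' and '{second}'")


if __name__ == "__main__":
    report("before", USER_ROLES_BEFORE, ROLE_TASKS_BEFORE)
    report("after", USER_ROLES_AFTER, ROLE_TASKS_AFTER)
```

The conflict list is the part worth maintaining with Finance and the auditors; the check itself can run against whatever source of truth holds your role grants (an export of database roles, an access-management system) and be kept as evidence that the control is operating, which is the “prove it” half of the article’s motto.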
Opportunities for You