- Staff may find their typical duties augmented with extra responsibilities designed to provide audit trails.
Before SOX, database professionals were expected merely to do their job. With SOX, the motto has changed from, “Just do it,” to “Do it, control it, document it, and prove it!”
If you’re a DBA, data architect, analyst or other data professional, there’s now intense interest in what your job entails, and who’s doing it. Because of SOX, departments that deal with financial data can’t simply be left alone to do their jobs. Instead, the SOX team has to understand how your work fits into the areas of Governance, Risk, Controls, and Security (GRCS).
Governance, Risk, Controls, and Security
Your auditors must issue an adverse opinion (a failed audit) if they find your company has inadequate governance, security, or control:
- Adequate governance means the staff in your department can make decisions based on professional judgment with a clear understanding of how decisions are to be made, by whom, under what circumstances, and when.
- Adequate security in a database environment means mechanisms have been designed that protect your data and such controls are implemented and monitored.
- An adequate control environment means your company’s “tone from the top” sends the right message about ethics and controlling risk, and that the company provides supporting structures and activities for both general and specialized control activities.
When your CEO and CFO sign SOX Section 404 attestations, they’ll also be declaring they’ve assessed risks to their financial data, employing a universal risk language (e.g., probability and impact of risks) and one or more industry-accepted control frameworks. They will probably have chosen a framework from the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, whose framework describes financial controls, or the Control Objectives for Information and related Technology (COBIT) framework, which describes IT-specific controls.
Those in your company who are dealing with SOX must be able to express an IT or data concept using the languages of IT, risk, and auditing. If you want to be seen as part of the solution, not another problem, then you, too, should learn to express your key concerns in all three languages.