Sarbanes-Oxley (SOX) Detailed Analysis

Sarbanes-Oxley (SOX) is a federal law that aims to ensure accurate information is provided to investors. To understand how to comply with SOX, we have to drill through multiple layers:
  • The Federal Law (SOX)
  • The SEC regulation
  • The compliance framework
  • Practical Oracle database auditing
This article shows our analysis of SOX and the different layers from the federal law to practical requirements as they relate to Oracle database auditing.

The Law

United States Code Title 15 is Commerce and Trade. Chapter 98 (§7201 – §7266) is Public Company Accounting Reform and Corporate Responsibility, better known as the Sarbanes-Oxley act, or SOX for short.
SOX aims to ensure accurate information is provided to investors. To do that, SOX created a method for controlling the accounting and auditing practices of publicly traded companies.
There are two sections that might be of particular interest to you:
  • §7241 – Corporate responsibility for financial reports
  • §7262 – Management assessment of internal controls
Section 7241 deals with the company’s responsibility:
§7241 – Corporate responsibility for financial reports
(a) ...require, for each company filing periodic reports... that the principal executive officer... certify in each annual or quarterly report... that—
(1) the signing officer has reviewed the report;
(2) based on the officer’s knowledge, the report does not contain any untrue statement... or omit to state a material fact...
(3) based on such officer’s knowledge, the financial statements, and other financial information included in the report, fairly present... the financial condition and results of operations...
(4) the signing officers—
(A) are responsible for establishing and maintaining internal controls;
(B) have designed such internal controls to ensure that material information... is made known to such officers...
(C) have evaluated the effectiveness of the issuer’s internal controls...
(D) have presented in the report their conclusions about the effectiveness of their internal controls...
(5) the signing officers have disclosed to the issuer’s auditors and the audit committee of the board of directors...
(A) all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer’s ability to record, process, summarize, and report financial data and have identified for the issuer’s auditors any material weaknesses in internal controls; and
(B) any fraud...
(6) the signing officers have indicated in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls... including any corrective actions...
Section 7262 expands on what the annual report should contain:
§7262 – Management assessment of internal controls
(a) Rules required
The Commission shall prescribe rules requiring each annual report... to contain an internal control report, which shall—
(1) state the responsibility of management...
(2) contain an assessment... of the effectiveness of the internal control structure and procedures...
(b) Internal control evaluation and reporting
...each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer...
(c) ...

The Law in a Nutshell

What this is saying in a nutshell is that the CEO certifies that:
  • The financial reports are true, complete, and represent the situation of the company
  • The company has internal controls to ensure the information is accurate
  • The controls have been evaluated by a public accounting firm
  • Any problems with the controls, or any fraud, are disclosed to the auditors
  • The financial reports include any changes in the controls and the audit report
Next we need to see the implementation of the law in the regulation.

The Regulation

The Securities and Exchange Commission (SEC) is responsible for enforcing SOX. As such, it adds more detail about the implementation of the law.
Title 17 of the Code of Federal Regulations is Commodity and Securities Exchanges. Chapter II is the Securities and Exchange Commission.
Part 229 Item 308 deals with the internal controls:
§229.308 (Item 308) Internal control over financial reporting.
(a) Management’s annual report on internal control over financial reporting.
Provide a report of management on the registrant’s internal control over financial reporting... that contains:
(1) A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the registrant;
(2) A statement identifying the framework used by management to evaluate the effectiveness of the registrant’s internal control...
(3) Management’s assessment of the effectiveness of the registrant’s internal control... This discussion must include disclosure of any material weakness... identified by management. Management is not permitted to conclude that the registrant’s internal control... is effective if there are one or more material weaknesses...
(4) ...
(b) Attestation report of the registered public accounting firm...
(c) Changes in internal control over financial reporting...
Instructions to Item 308:
1. ...
2. The registrant must maintain evidential matter, including documentation, to provide reasonable support for management’s assessment of the effectiveness of the registrant’s internal control over financial reporting.
Going into more detail about the controls:
§240.13a–15 Controls and procedures.
(a) Every issuer... must maintain disclosure controls and procedures...
(b) Each such issuer’s management must evaluate... the effectiveness of the issuer’s disclosure controls and procedures...
(1) ...
(2) ... within the 90-day period prior to the filing date of each report...
(c) The management... must evaluate... the effectiveness... of the issuer’s internal control over financial reporting. The framework on which management’s evaluation of the issuer’s internal control over financial reporting is based must be a suitable, recognized control framework...
(d) The management... must evaluate... any change in the issuer’s internal control...
(e) ...the term disclosure controls and procedures means controls and other procedures of an issuer that are designed to ensure that information required to be disclosed... is recorded, processed, summarized and reported, within the time periods specified in the Commission’s rules and forms.
Disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that information required to be disclosed... is accumulated and communicated to the issuer’s management... to allow timely decisions regarding required disclosure.
(f) The term internal control over financial reporting is defined as a process... to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements... and includes those policies and procedures that:
(1) Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer;
(2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements..., and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer; and
(3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer’s assets that could have a material effect on the financial statements.

The Regulation in a Nutshell

There are two kinds of controls:
  • Disclosure Controls – ensure all the relevant financial information is processed correctly, and in a timely manner
  • Internal Controls – ensure the financial information is reliable.
The Internal Controls must:
  • Be based on a suitable, recognized control framework (e.g. CobiT)
  • Include prevention and detection of unauthorized changes
The financial reports must include:
  • A report from a registered public accounting firm
  • Identification of the framework used for internal controls
  • Effectiveness of the internal controls
  • Material weaknesses in the internal controls
  • Changes made to the internal controls
Additionally, the company must maintain evidence to support the effectiveness of the controls.
Next we need to drill into the internal controls.

Internal Controls

Based on the regulation, SOX requires internal controls that are based on a suitable, recognized control framework and include prevention and detection of unauthorized changes.
There are several recognized control frameworks, including: CobiT, COSO, ITIL, ISO/IEC 27000.
While each framework is different, the same basic principles apply in all:
  • Identify the Risks
  • Set up controls to mitigate the risks
  • Monitor the activity
  • Evaluate the risks and the effectiveness of the controls. The conclusions from this evaluation must also be published in the financial reports (effectiveness of controls, material weaknesses, and changes made)

Risks

While every Oracle database environment is different, similar risks to the data exist in most:
  • Application – a bug in the application or a SQL injection attack
  • Administrator Privilege Abuse – a DBA or privileged user abusing their privileges
  • Access Abuse – an individual abusing the application password
  • Compromised Password – either a DBA or an application password that was compromised (stolen, cracked, etc)
  • Contractor / Partner – abuse of access or general lax security that leads to a breach
  • Human Element – manipulation of individuals to knowingly or unknowingly abuse their access
  • Compromised Internal Asset – an external agent compromising a desktop, mail server, etc., and using it to compromise the database
  • Complex attack – attacks on networks, servers, storage, physical breaches, Oracle vulnerabilities, and more

Controls

While every Oracle database environment is different, similar controls are applied in most:
Preventive Controls:
  • Authorization Policy – a policy for approving access to the Oracle database and events that trigger its removal (e.g. termination of employment or a change in position)
  • Password Policy – Oracle password length, complexity, duration, etc
  • Least Privilege – grant minimal privileges to Oracle accounts
  • Change Control – obtain approval for changes in the Oracle database prior to performing them
Detective Controls:
  • Auditing Reconciliation – ensure actual Oracle activity matches expected activity (account logons, change control, authorization changes)
  • Access Auditing – ensure DBAs, privileged users, application accounts etc do not abuse their access or privileges
  • Intelligent Auditing – alert or report on abnormal activity (unusual programs, unusual SQLs, high SQL volume, etc)
The preventive controls are well-known and probably already implemented. The detective controls merit some more detail about practical implementations.

Practical Oracle Auditing

Oracle database auditing is explicitly required by the SEC regulations, by the compliance framework, and by the risk-control process.
In addition to all those, Oracle database auditing is also part of the monitoring process that helps evaluate the effectiveness of the preventive controls. As such, the Oracle audit data is part of the evidential matter the company is required to retain to support its conclusions about the effectiveness of the controls.
To deploy an Oracle auditing solution on a production Oracle database, the first and most important requirement is Full Capture with Low Overhead – the ability to capture all the Oracle SQL activity without impacting the production system.
Given that we can capture, process, store, secure, and report on the information, what should a SOX compliance Oracle auditing system provide?

Reconciliation

The first thing the audit solution should do is help ensure that the basic preventative controls are providing the expected protection. This is important because some of these “preventative” controls are voluntary and cannot be enforced.
  • User Logons – ensure that all the users, programs, machines, etc that connect to the database are allowed to do so.
  • Change Control – ensure all changes in the database have gone through change control
  • Authorization Changes – ensure all changes to users, roles, and privileges have been approved
  • Application Account – ensure the application account is only accessed by the application program, from the application servers

Financial Records Access

Ensure DBAs, privileged users, and the application user do not abuse their access to modify financial records.
Additionally, while not required by SOX, other SEC regulations require that confidential financial information is not accessed by unapproved individuals.
  • DBAs & Privileged Users – ensure DBAs and Privileged users do not abuse their access by accessing financial records
  • Application – ensure the application account is not used to access financial records from unapproved sources (programs or machines)

Intelligent Auditing

The auditing measures discussed so far are declarative in nature and contain a deterministic definition of items to review. Declarative auditing is limited in its scope because Oracle databases execute thousands of SQLs per second and the rules are designed to produce a manageable number of entries for review.
Additionally, even with its limited scope, declarative auditing can sometimes produce a vast number of entries, and important information can get lost in the noise.
An important complementing type of auditing is Intelligent Auditing. Intelligent Auditing contains algorithms that analyze all the activity in the database looking for unusual patterns.
Intelligent Auditing can, therefore, detect SQL injection, zero-day attacks, abnormal activity volumes, etc. The following reports/alerts are recommended for SOX controls:
  • SQL Source Anomaly – an Oracle account, program, machine, OS user, or combination of the above that hasn’t been seen recently
  • SQL Injection – an application SQL that hasn’t been seen recently
  • Financial Record Access – a SQL accessing financial records that hasn’t been seen from this program and Oracle account
  • Time of Day – access to financial records at an unusual hour
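The Reconciliation, Financial Records Access and SQL Source Anomaly / Time of Day checks above, run over a handful of constructed audit records as an added example (not code from the original article or from any Oracle audit product). The record layout, the approved-source baseline, the application account name, the financial table names and the business-hours window are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class AuditRecord:
    """One captured Oracle statement; field names are this example's own, not Oracle's."""
    account: str    # Oracle account
    program: str    # client program
    host: str       # client machine
    sql: str        # captured SQL text
    ts: datetime    # execution time

# Assumed approved-source baseline for the "User Logons" and "Application Account" checks.
APPROVED_SOURCES = {
    ("APPUSER", "app.exe", "appsrv01"),
    ("APPUSER", "app.exe", "appsrv02"),
    ("DBA1", "sqlplus", "dbahost"),
}
APP_ACCOUNT = "APPUSER"                            # assumed application account
FINANCIAL_TABLES = {"GL_JOURNAL", "AP_INVOICES"}   # assumed names of financial tables
BUSINESS_HOURS = range(7, 20)                      # assumed normal access window (07:00-19:59)

def touches_financial(sql: str) -> bool:
    """True if the statement names any financial table (simple token match)."""
    tokens = {t.strip(",;()").upper() for t in sql.split()}
    return bool(tokens & FINANCIAL_TABLES)

def review(records, approved=APPROVED_SOURCES):
    """Declarative checks from the article: returns (check_name, record) findings."""
    findings = []
    for r in records:
        if (r.account, r.program, r.host) not in approved:
            findings.append(("unapproved_source", r))          # reconciliation failure
        if touches_financial(r.sql):
            if r.account != APP_ACCOUNT:
                findings.append(("privileged_fin_access", r))  # DBA/privileged user on financial data
            if r.ts.hour not in BUSINESS_HOURS:
                findings.append(("financial_off_hours", r))    # Time of Day report
    return findings

def source_anomalies(history, recent):
    """SQL Source Anomaly: (account, program, host) present in `recent` but never in `history`."""
    seen = {(r.account, r.program, r.host) for r in history}
    return sorted({(r.account, r.program, r.host) for r in recent} - seen)

SAMPLE = [  # constructed records, not real audit data
    AuditRecord("APPUSER", "app.exe", "appsrv01", "UPDATE GL_JOURNAL SET amt=1 WHERE id=7", datetime(2024, 3, 4, 10, 15)),
    AuditRecord("APPUSER", "sqlplus", "laptop42", "SELECT * FROM AP_INVOICES", datetime(2024, 3, 4, 23, 5)),
    AuditRecord("DBA1", "sqlplus", "dbahost", "SELECT * FROM GL_JOURNAL", datetime(2024, 3, 4, 11, 0)),
    AuditRecord("DBA1", "sqlplus", "dbahost", "ALTER USER x IDENTIFIED BY y", datetime(2024, 3, 4, 11, 1)),
]
```

Against the sample, `review(SAMPLE)` flags the application account connecting from a laptop with sqlplus (and doing so at 23:05 against financial data) and the DBA reading GL_JOURNAL, while the approved in-hours application update and the DBA's non-financial statement pass.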