iVolution Security Technologies
 

Achieving Sarbanes-Oxley Compliance with Penetration Testing

The Sarbanes-Oxley Act was enacted to prevent financial statement fraud among public companies whose securities are registered in the United States. The Act mandates strengthened internal controls, accurate financial auditing and reporting, and increased risk management. The practical reality of the Act is that each public company must develop its own approach to reporting and compliance; the statute prescribes outcomes, not a single method.

Under SOX Section 404, management is required to produce an "internal control report" as part of each annual report filed under the Securities Exchange Act. To accomplish this, management typically adopts a recognized internal control framework such as the one published by COSO.

Section 404 (15 U.S.C. § 7262(a)) requires that the internal control report:

(1) "state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting"; and

(2) "contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting."

Section 404 compliance begins with a self-assessment of the internal controls the organization has around its financial reporting process. The self-assessment typically involves internal stakeholders, often working with an external audit firm, and applies a standardized framework (COSO) to identify gaps in compliance and the risks associated with each gap.

Penetration Testing: Internal Controls - Meeting Sarbanes-Oxley Requirements

COSO

COSO (the Committee of Sponsoring Organizations of the Treadway Commission) publishes the Internal Control – Integrated Framework, the framework most commonly used to meet financial reporting requirements under Sarbanes-Oxley. Its five components are: control environment, risk assessment, control activities, information and communication, and monitoring.

Control environment.
Penetration testing helps protect network assets from unauthorized access and supports the integrity of application-driven controls. By exposing the attack vectors an adversary could actually use, it lets an organization prioritize and remediate the vulnerabilities that put those controls at risk, rather than remediating from a theoretical list.

Risk assessment.
Penetration testing systematically identifies vulnerabilities that could lead to exploitation and system compromise, and demonstrates which of them are reachable in practice. This gives the organization evidence-based input to its information security risk assessment, grounded in observed exposure rather than assumed severity.

Information and communication.
Penetration testing enables an organization to validate that the information and communication channels supporting its internal control objectives, and its systems of record, are secure and stable. The integrity of the control environment must be demonstrated, not assumed. The detailed report a penetration test produces supports compliance by documenting the testing procedures performed, the findings, and their remediation status.

Monitoring.
An organization must ensure that all internal control objectives are continuously monitored, regularly tested, and revised as necessary to support changing business conditions. A penetration test is a point-in-time assessment, so it provides this assurance only when it is repeated on a regular schedule and whenever the controls or the systems behind them change.

The consequences of non-compliance range from fines to felony charges and prison terms, and a failure to comply will also damage the organization's public image.

iVolution Security Technologies can provide an independent assessment of the security of your IT infrastructure. Penetration testing and vulnerability assessment should be part of your security process, completed on a regular basis and whenever internal controls and processes change.

"Through 2008, insiders, working alone or with outsiders, will account for the majority of financial losses from the unauthorized use of computers and networks."
Gartner Group