
Achieving SOX Compliance Through Security Information Management

Introduction: Brief Overview of SOX

The Sarbanes-Oxley Act of 2002, also known as the Public Company Accounting Reform and Investor Protection Act of 2002, and commonly referred to as SOX, is a federal law designed to improve disclosures and closely supervise accounting practices for publicly traded companies and public accounting firms. The legislation, spawned from high-profile fraud and scandal dating back to the late 1990s, represents one of the largest reform measures in the history of US business.

The regulation mandates strict operating and reporting practices for all publicly traded U.S. companies, foreign filers in US markets, and public accounting firms. The sections of SOX that impact the public company’s IT department include:

  • Section 302 — Corporate Responsibility for Financial Reports. Public company officers must confirm the reliability of quarterly and annual financial statements.
  • Section 404 — Management Assessment of Internal Controls. All publicly traded companies must submit an annual report to the SEC on the effectiveness of their internal accounting controls. The independent company auditor must also attest to the accuracy of the report. (While not explicitly defined, IT general controls are included in the scope of Section 404 compliance).
  • Section 409 — Real-Time Issuer Disclosures. Public companies must stay abreast of and declare material changes in their financial condition or operations within 48 hours. (While not specifically defined, a major breach in information security has the potential to cause a significant deficiency or material weakness in the internal control structure.)

The primary focus for SOX compliance has been Section 404. Management must consider the extent to which threats and vulnerabilities in the corporate computing environment can represent a significant deficiency or material weakness in the internal control structure. They must ensure that the systems, services, devices, and data involved in the production of corporate financial records and financial reporting are appropriately isolated, that physical and logical access is appropriately restricted, and that all controls are thoroughly tested and documented on a routine basis.

The SOX Challenge: Improving the Accuracy and Reliability of Financial Reporting

Though SOX can positively affect corporate governance by improving the internal control structure, compliance presents significant challenges, particularly for IT organizations. The IT general controls are very closely scrutinized during the annual audit, because virtually all of the company’s financial data resides on network servers. IT departments must provide detailed information to internal and external auditors about the IT general controls protecting financial reporting data and processes. Network administrators need the ability to use existing technology to manage and report on access controls related to the target environment, and to provide documented evidence of the reliability of those controls.

SOX mandates accountability and requires each organization to examine the effectiveness of its approach to information security. To be effective, an information security solution must demonstrate that IT general controls are managed and monitored over time. The solution should also ensure that all systems, services, devices, data, and all personnel who touch financial data and reporting processes are secured.

Financial information security is a complex task requiring a broad security strategy. Organizations must not only achieve SOX compliance — but also maintain it continuously.

Publicly traded companies must do the following in support of Section 404:

  • Ensure that the IT security administration monitors and logs security activity and any identified security violations.
  • Review a sample of problems or incident reports, to consider if the issues were addressed in a timely manner.
  • Determine if the organization’s procedures include audit trail facilities for incident tracking.
  • Review a sample of problems recorded on the problem-management system to consider if a proper audit trail exists and is used.
  • Ensure that system-event data are sufficiently retained to provide chronological information and logs to enable the review, examination, and reconstruction of system and data processing.

  • Identify all systems, services, devices, data, and personnel that participate in the production of financial data and financial reporting
  • Isolate this target environment from the rest of the corporate computing network
  • Restrict physical and logical access to the target
  • Monitor physical and logical access to the target
  • Monitor the target for unusual and/or anomalous activity
  • Create an incident response plan specific to the target
  • Test and review the incident response plan
  • Routinely test controls in place and prepare summary reporting for the internal audit team

Though no single software product can enable full Section 404 compliance, the right Security Information Management (SIM) technology can help public companies efficiently manage the IT general controls. An effective security management solution provides public companies the tools to implement, maintain, and report on information security controls with minimal utilization of resources.

SOX mandates that corporate governance now include the appropriate management of information security. Senior management and even board-level directors now bear personal responsibility for oversight of compliance. Executive management needs to work closely with IT organizations on risk assessment and the implementation of security policies and operations. Overall, a security program that integrates people, policies, process, and technology is the best approach to managing Section 404 compliance.


Financial Fundamentals – What Every Small Business Owner Should Know!

Business owners rarely go into business to deal with the financial aspects of running a business. It’s easy to understand why! You are passionate about the products or services you provide and want to focus your time there. The financial aspect usually falls to the bottom of the “desired responsibilities” list. It is critical to the long-term success of your business that you understand some of the Financial Fundamentals of being a business owner though. You don’t have to be an accountant or financial analyst, but it is important that you have some key skills in your business toolkit to measure the financial aspects of your business. It’s okay to outsource this activity so that someone else can do the work you don’t like to do, but make sure you understand the output of the financial information. You’ll need it to help you make informed decisions about your business. Remember! Accounting is not just about taxes. There’s so much more to know about the numbers, so you’ll know how your business is doing from the management perspective.

There are a variety of key aspects of your financial picture that you need to be aware of and they can be outlined based upon the three critical financial statements: Profit/Loss, Cash Flow, and Balance Sheet.

I meet with entrepreneurs every day that are unsure of their profitability. They “think” they are making money because they have money in their checking account. This is NOT how you should be running your business. Having money in your checking account doesn’t mean you are profitable. It could mean you haven’t paid all the bills so you have a little cash. Cash and profit are two different concepts. If you aren’t profitable, you won’t have longevity in your business.

So what is the difference between profit and cash? Profits are determined through a simple chain of equations: Revenues – Cost of Goods Sold = Gross Profit, and Gross Profit – Overhead Expenses = Net Profit. This equation is the makeup of your Profit/Loss Statement. Revenues are dollars from generating sales within your business. Cost of Goods Sold reflects the direct costs for labor and materials incurred in your business. Overhead Expenses are all those other costs that you incur so that your business can function (e.g. Rent, Taxes, Insurance, Marketing, Accounting, etc.).

You can have activities that affect cash but are not considered revenues or expenses. For example, when you borrow money from a lender, it is not considered income. It is classified as an increase in your liabilities (i.e. debt). When you repay that loan, it will not be considered an expense. It is a reduction in your liability. Any interest you might incur on that loan would be classified as interest expense, but the principal portion is not. A similar concept applies to owner investments and withdrawals.

Oftentimes the two concepts of cash and profit are not clearly defined for small business owners; as a result, you don’t have a good handle on your finances or on how to interpret the outcomes of financial reporting. You can show a profit and have a negative cash flow if your loan payments, owner withdrawals, and other non-expense activities are taking more cash out of your business than you have profit. The same goes for the opposite flow: you can have a lot of cash coming into the business through an increase in personal or lender-financed activities rather than revenues. The most basic cash flow statement information can be outlined as Beginning Cash Balance + Cash Inflows – Cash Outflows = Ending Cash Balance. It’s important for you to understand the concepts of your Profit/Loss Statement and your Cash Flow Statement. They provide two different views of your business.

The third financial statement you should be preparing monthly is the Balance Sheet. The Balance Sheet provides information on your Assets, Liabilities and Equity. Assets are the things of value that you own. Examples include Bank Accounts, Accounts Receivable, Inventory, Property, Plant, and Equipment. Liabilities represent your obligations to others. Examples of liabilities include Accounts Payable, Notes Payable to Lenders, Loans from Shareholders, etc. The Equity balance reflects the value of your ownership in your business. When you take the value of the assets less the value of your liabilities, the remainder is your equity.

No matter the size of your business, profitability and ongoing financial stability are things you should be monitoring on a regular monthly basis. Some will say that they are too small to create financial statements. That is your way of not holding yourself accountable for managing your business wisely. It’ll always be someone else’s fault when your business fails…or at least that is what you’ll say. Though it won’t be the truth; it’ll be your fault for not managing your business wisely. You can choose to succeed or choose to fail. It is always a choice, not a default. So make the choice to be a financially informed business owner. Your business will thank you through increased profitability and longevity!

The Building Blocks of Financial Translation

The ever-increasing process of globalisation continues to put companies under pressure to communicate financial information in numerous languages. Whether it’s annual and shareholder reports or corporate contracts, all documents require translation of the utmost accuracy. The consequences of errors can be dire: issues with investors, clients or suppliers may arise, or strict financial regulations that differ from country to country could be violated, leading to costly legal troubles.

Finance is a complex industry that people spend years studying hard to break into, so it’s no surprise that financial translation is a highly specialised field. Beyond the mind-boggling financial jargon that obviously needs careful linguistic handling, translators must also know their way in and around cash flow statements, balance sheets, and audited account reports, among other documents. They have to use their understanding of the culture surrounding the target language to ensure translations are localised to suit the financial sector in their native country, avoiding words and phrases that could even be considered offensive in some cultures.

Looking away from the linguistic side of things and focusing more on the financial translation service itself, time and confidentiality are two factors that always play a major role in satisfying the needs of financial translation clients. Translation companies providing these services all have efficient project management systems that allow them to keep up with the fast-paced world of finance, delivering assignments to corporate clients quickly. The fastest options on offer usually include rush service and/or delivery within 24 hours. Confidentiality is equally important because many documents can’t be published until approved by the Financial Services Authority, meaning a leak of information beforehand could prove disastrous and have long-lasting effects. State-of-the-art IT security tools often play a part in guaranteeing maximum security, and the service provider in question puts confidentiality agreements to translators to sign.

No two clients are ever the same, making it likely that they will usually return to the same financial service to have the aforementioned aspects delivered on a consistent basis. Some companies specialise solely in financial translation, although it’s more likely that a business will hire a company or agency that operates in all areas of translation. Those in the corporate world can rest assured that there are a great many service providers out there who understand that having the finest details of financial documents understood in any language is not a luxury, but a necessity.