Sarbanes-Oxley and Mainframe Compliance
Mainframe Sarbanes-Oxley compliance differs from much of the rest of IT compliance in one important way. Whereas integrated compliance solutions exist for many business applications, dealing with mainframe compliance issues requires the solution to be applied as an overlay.
Because of the need for Sarbanes-Oxley compliance, certain manual IT processes that were considered acceptable in the past are now seen as too high-risk. They are being replaced by lower-risk, automated processes that map to formal control frameworks.
The Need to Change Processes
To be compliant, business and IT processes that deal with financial data must have controls to manage data-related risk. Controls that prevent problems are preferred, but if they are not in place, the company will have to compensate with downstream controls that detect problems later.
Here are questions companies need to ask:
- How many mainframe databases are at your company? (attached to legacy applications, SAP, PeopleSoft, etc.)
- How many copies of each database exist? (testing, business intelligence and reporting, development, data warehouses, etc.)
- How often are copies created?
- Can your IT department guarantee that copies are exact?
Each copy receives a unique name, and then hundreds or even thousands of database pointers must be updated. Done manually, this is a labor-intensive process, and each step in the manual process is a potential point of error: updates can be overlooked, and typos can slip through undetected. In the past, companies may have been willing to accept the risk that errors were introduced during the copy process. But Sarbanes-Oxley has raised the stakes. Section 404 means that the company CEO and CFO must acknowledge risks and attest that controls are in place to manage them. Controls must be in place somewhere in the company – either controls in the IT department to prevent an error, or other controls in Finance or other groups to detect the error later. Companies now must make a choice:
- Authorize extensive, expensive processes to detect data errors.
- Skip these processes and hope the company doesn’t fail its Sarbanes-Oxley (SOX) Section 404 audit because of the omission (usually not a favorite choice).
- Automate the database copy process.
It’s Not Enough to “Do” IT
In the post-Sarbanes-Oxley world, it’s not enough to do IT tasks – even if they’re successful and everything works as designed. In the world of compliant processes, you need to Control it, Do it, Document it, and Prove it. This may mean creating detailed procedures for non-automated tasks, and producing detailed reports or checklists each time a task is completed, to provide auditable proof that risks were acknowledged, controls were in place to manage those risks, and the controls were actually executed.
As a result, companies subject to SOX compliance often implement automated solutions that organizations not subject to SOX compliance might not prioritize.
Segregation of Duties
Sarbanes-Oxley guidance issued by the PCAOB stresses the importance of Segregation of Duties. This means duties are divided, or segregated, among different people to reduce the risk of error or inappropriate actions. No one person has control over all aspects of any financial transaction.
The reasoning is sound: it is a deterrent to certain types of internal fraud and collusion if a single individual is not allowed to perform both the tasks that could contribute to fraud and those that could cover it up. If a company has single-person coverage of key mainframe databases, a solution to mainframe compliance will often involve automating tasks where possible. For pairs of tasks that fall under Segregation of Duties requirements, automation allows at least one task of the pair to be handled by someone other than the mainframe expert.
Once a company’s auditors have “blessed” a system or database as being Sarbanes-Oxley compliant, it is up to IT to avoid doing anything to take it out of compliance. Change Management efforts in IT broaden in scope and become more compliance-focused in a SOX environment. Once again, automated processes will likely come into play.
Justifying IT Costs
An underlying theme in the preceding paragraphs is the replacement of labor-intensive, error-prone manual processes with automated tasks. In a pre-Sarbanes-Oxley world, the justification for deploying automated solutions was strictly on an ROI basis. Sarbanes-Oxley has certainly changed the equations used by decision-makers; the new definitions of ROI have broadened to include the phrase “Risk of Incarceration.”