Sarbanes-Oxley compliance and identity and access management

The Sarbanes-Oxley Act of 2002 (SOX) was passed in the wake of corporate scandals in which major companies’ financial reports failed to represent the severity of issues facing these companies. In reaction, SOX aims at restoring the confidence of investors in public companies and in the credibility of their financial reporting.

The Sarbanes-Oxley Act of 2002 is based upon some major principles:

• Integrity and accessibility of financial information
• Management responsibility
• Auditor independence

The part of SOX that most directly concerns IT security is Section 404, which aims at strengthening internal control over financial reporting, and in so doing, minimize material weaknesses in the reporting process.

Section 404 requires that the audited reports that concerned companies file yearly at the SEC, known as 10K, include a section on the status and effectiveness of internal control over financial reporting. The Securities and Exchange Commission issued its final rule in August 2003 and specified the content of this section, as well as the general procedure to be used in this management assessment.

As most financial activity is performed on IS resources, Identity and access management (IAM) plays a significant part in helping maintain the integrity of a company’s reporting process.

Of course, IAM is just one piece of the overall SOX compliance process, but it can help make that process significantly easier to implement, maintain and audit.