Ezine

This article can also be found in the Premium Editorial Download "Storage magazine: Who owns storage in your organization?."

Download it now to read this article plus other related content.

IT auditing basics

    Requires Free Membership to View

    Login

While several published auditing frameworks exist, when it comes to Sarbanes-Oxley, the one to become familiar with is the "COSO Internal Control--Integrated Framework." The Committee of Sponsoring Organizations of the Treadway Commission (COSO) (www.coso.org), is a voluntary private organization focused on addressing fraudulent financial reporting. This framework has been endorsed by a number of auditing and accounting organizations.
There are five key components to COSO:
  1. Control environment: the "the tone at the top" of the organization is demonstrated by corporate standards and objectives and a good understanding of roles and responsibilities.
  2. Risk assessment: identification and management of both internal and external risks.
  3. Control activities: the defined policies, procedures and practices that are in place to achieve business objectives and address risk.
  4. Information and communication: making sure that information required to perform control activities is appropriate, accurate, current and available.
  5. Monitoring: overseeing and assessing the entire control operation.
These components are broad, and while it is clear that IT has a role in this, a clearer definition of IT responsibilities is needed. Fortunately, the IT Governance Institute has mapped the COSO guidelines into its Control Objectives for Information Technology (CobiT). While CobiT is a comprehensive and far-reaching IT control framework, a subset of the framework maps well into the COSO structure. For details, refer to the document "IT Control Objectives for Sarbanes-Oxley," which is available at the ITGI Web site (www.itgi.org).

Recently i've had several conversations with clients about compliance and its relationship to storage. The tenor of the discussions has been generally the same: The organization is planning an evaluation or audit of its IT infrastructure to determine how well it complies with Sarbanes-Oxley, SEC 17a, HIPAA, FDA 21CFR11, internal corporate auditing standards or some combination of the above. Currently, the hottest topic of regulatory interest is the U.S. Public Company Accounting Reform and Investor Protection Act of 2002, better known as Sarbanes-Oxley (SOX). Enacted in response to such high-profile corporate mishaps as Enron and WorldCom, this law is taking effect in several stages.

IT audits aren't new, but with the continuing flow of news stories concerning investigations and indictments, corporate executives are highly motivated to keep their organizations out of the news. So compliance initiatives are underway in many companies, and their impact ripples throughout the IT organization.

When you get past the particulars of SOX compliance and consider the overall objective of SOX and similar regulations, they can be viewed as essentially evaluation tools for overall operational capabilities. In reality, these new demands require little more than striving for excellence in storage management, and that's what you should focus on.

Data retention only part of it
SOX isn't just about data retention. In fact, its primary concern is the accuracy and verifiability of financial reporting. It strives to ensure that all inputs supporting financial data are above suspicion--in other words, it's about policy, process and good management practices.

Up until now, SOX has almost exclusively been the concern of the finance department. However, a new section of the law--Section 404--is scheduled to be phased in starting in November 2004 (recently delayed from June 2004). It requires a company to file an internal control statement with its annual report that includes "an assessment, as of the end of the most recent fiscal year ... of the effectiveness of the internal control structure and procedures of the issuer for financial reporting."

Essentially, the government is demanding not just that data be retained, but that companies must provide evidence that they're managing and protecting this information in a way that ensures compliance. In other words, show us some proof!

While IT is not specifically mentioned in the law, practically speaking, all of the financial systems--as well as other systems that support financials--are managed and controlled by IT. The need to demonstrate proper control and process management of this information impacts IT at both the application and infrastructure levels.

So if you were a CEO or CFO and had to sign this document under threat of fines or imprisonment, you would want to be certain that the statements are accurate. You would most likely demand of your CIO an assessment or audit of your IT organization to verify that the controls and processes are in place to ensure that the information affected by the law is being managed appropriately. If it hasn't happened in your organization, get ready, it probably will.

The basics of storage compliance
At its fundamental level, compliance is essentially about good management practices: establishing a set of policies and procedures and defining related measurement criteria to demonstrate conformance to those policies and procedures. How does this specifically impact storage management?

Let's begin by looking at what makes up an audit. Auditors speak in terms such as "governance" and "control." Governance relates to the overall policies and ethical climate with regard to reporting information. Control is the set of processes and measurement that enforces these policies. (See "IT auditing basics")

This was first published in May 2004

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.
    Back to top