Sox

In 2002, the Financial Services - Credit Security division of a major Fortune 500 corporation, began conducting quarterly audits on user access levels. This audit is referred to as a "SOX" audit, also known as the Public Company Accounting Reform and Investor Protection Act of 2002. SOX is a United States federal law passed in response to a number of major corporate and accounting scandals including those affecting Enron, Tyco International, and WorldCom (now MCI). These scandals resulted in a decline of public trust in accounting and reporting practices. Named after sponsors Senator Paul Sarbanes (D-Md.) and Representative Michael G. Oxley (R-Oh.), the Act was approved by the House by a vote of 423-3 and by the Senate 99-0. The legislation is wide ranging and establishes new and enhanced standards for all U.S. public company boards, management, and public accounting firms. The act contains 11 titles, or sections, ranging from additional Corporate Board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the new law (Volz & Tazian, 2006). Section 404 of the Act directs the Commission to adopt rules requiring each annual report of a company, other than a registered investment company, to contain (1) a statement of management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) management's assessment, as of the end of the company's most recent fiscal year, of the effectiveness of the company's internal control structure and procedures for financial reporting. Section 404 also requires the company's auditor to attest to, and report on management's assessment of the effectiveness of the company's internal controls and procedures for financial reporting in accordance with standards established by the Public Company Accounting Oversight Board (U.S. Securities and Exchange Commission, 2003). Based on this legislation, the corporation, created an audit process that verified users access levels within TSYS (credit system) compared with their activity on the rest of the network. SOX become an issue when consumer data can be altered, i.e. change of address or phone number. After a two year audit of access, by users, within a particular platform, it was discovered that inappropriate access had been granted or never taken away from non-active users.

Corporations that are focused on remaining productive and competitive understand that customers, partners, and employees all need deeper access to the organization, giving them what they need, at the right time. Doing this effectively and in real-time means managing a multitude of user identities and interacting with a variety of systems in an environment of constant change while keeping quality of service high and the enterprise secure. The corporation considered every possible issue that could arise, such as terminations, transfers and changes in access for users. They found that some terminations, transfers and changes in access levels past their prescribed LOS (level of service) had been overlooked. The auditors established that if a user is terminated and/or transferred, it should take no more than fifteen days to take action (detach the user from access groups for a transfer or delete a user entirely in the case of a termination). For changes in access the time limit is only a five day LOS. After doing some investigating as to why the LOS was being missed, it was discovered that business partners were not reporting changes to the Credit Security department in a timely fashion. The challenge was to re-engineer the access criteria and have the auditors approve third quarter audits. This needed to be accomplished within a two week time period to avoid going in front of the Board of Directors to explain how the problem occurred and its potential impact on the corporation's bottom line.

The group manager, who is the SPO (SOX Process Owner), had gone in front of the board of directors earlier in the year to defend his departments actions and to explain why it was deficient. Discussions with auditors and other business areas with a vested interest were conducted to determine how to affect change. They began by examining the current process and how information was gathered, analyzed and reported. It was determined that the auditors were not completely accounting for each employee, outsourcer or contractor that had access to the credit systems. A team was formed to develop ways of improving standards without developing an entirely new process. The auditors and group manager inquired if there were ways of gathering the desired information using the human resource databases. This was not a viable option because the majority of the workforce (contractors and outsourcers) were not captured within the human recourse databases. A closer examination of the TSYS credit system revealed a field where

...