SOX and CIO Accountability

By Walter Scott


With every quarterly report filed with the Securities and Exchange Commission (SEC), the CEO and CFO are required to sign certifications confirming that they are responsible for establishing and maintaining internal controls, and that the controls and procedures under their supervision conform to the Sarbanes-Oxley Act (SOX).

They must ensure that material financial information, relating to the corporation and its subsidiaries, is accurate and represents the actual financial condition and results of the company.

By leveraging the provisions of SOX, the Justice Department has obtained more than 600 corporate fraud convictions and charged more than 1,000 corporate executives with fraud.

The intentional ambiguity surrounding the definitions of "financial controls", "procedures under their supervision" and "financial information relating to the corporation" can also be interpreted in such a manner that SOX applies to internal IT staff and, specifically, to database and system administrators, since they hold the keys to the data that supports the financial information.

IT Access

IT staff have the ability to change the data in every public company's financial system, from QuickBooks to SAP. The question CEOs and the SEC should be asking is: if the CEO and CFO can be held legally responsible for the actions of people under their supervision, should the CIO also be held accountable?

Most business financial applications enforce usage and security at the application or client username/password layer. A database administrator with the system administrator's password can bypass that layer and change corporate data that could materially affect the financials of a company.

For example, a simple SQL statement such as `UPDATE ps_employee SET annual_rt = 100000 WHERE emplid = '<employee id>'; COMMIT;` would update a person's salary in a PeopleSoft HR application without triggering any security event in the application.

A very similar command could also be used to update a direct deposit account number or change the name on a check or the sale price of a stock. This could be extended to any system administrator with root or system administrator privileges.

Accounts payable systems typically generate an output file that is submitted to a bank in order to have checks run. As a stockholder or as a corporate CXO, can you be confident that there is a procedure in place to ensure that a system administrator with the password to the system does not edit an account number in the output file before it is released to the bank?

With the increase in the number of corporate applications, the explosion of data volume and the shrinking time allotted for reporting, do companies have the time and staff to validate every material transaction?

The answer is no. Data structures and application code can encompass thousands of objects and millions of lines of code and potential entry points into the system.

Betting on Trust

A lack of internal IT controls recently left a race track in Kentucky exposed through the gaping hole between the application security layer and the underlying database layer. An internal IT person figured out that he could change a bet in the database as long as the bet was still in play.

The individual would bet the trifecta, then change the first four bets prior to the fifth race. He won $3 million before he was caught. In another instance, a database administrator was able to purchase a new oil well drill head worth in excess of $200,000 for the $1,000 price of a used one, merely by switching the asset identification numbers prior to the asset being disposed of via an auction.

In a more sinister example, a single database administrator who understands the process for end of day stock market closings could bring down the New York Stock Exchange for days.

Effective internal IT controls need to incorporate the logging of every transactional event by "super-users" in order to create an indispensable foundation for fraud prevention. Companies now have the ability to capture and store every email and instant message that travels over the corporate network, something both Martha Stewart and Frank Quattrone should have realized.
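The direct salary UPDATE described under IT Access, and the super-user logging called for here, as an added example that is not part of the original article: a database-level trigger records every change to the salary column whichever client issued it, so a DBA session that bypasses the application still leaves an audit row that can be checked against the application's approved service accounts. The ps_employee columns, the session_ctx and audit_log tables, and the account names are constructed for this demo and are not the real PeopleSoft schema.

```python
import sqlite3

# Constructed demo schema (not the real PeopleSoft tables). Real engines would
# record the login with SYS_CONTEXT('USERENV','SESSION_USER') (Oracle) or
# SUSER_SNAME() (SQL Server); SQLite has no session user, so a one-row
# session_ctx table stands in for it here.
SCHEMA = """
CREATE TABLE ps_employee (emplid TEXT PRIMARY KEY, name TEXT, annual_rt REAL);
CREATE TABLE session_ctx (db_user TEXT);
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY, emplid TEXT, old_rt REAL, new_rt REAL,
    changed_by TEXT, changed_at TEXT DEFAULT (datetime('now'))
);
-- Fires on every salary change regardless of which client issued it,
-- so an UPDATE run straight against the database is still recorded.
CREATE TRIGGER trg_ps_employee_rt AFTER UPDATE OF annual_rt ON ps_employee
FOR EACH ROW WHEN OLD.annual_rt IS NOT NEW.annual_rt
BEGIN
    INSERT INTO audit_log (emplid, old_rt, new_rt, changed_by)
    VALUES (NEW.emplid, OLD.annual_rt, NEW.annual_rt,
            (SELECT db_user FROM session_ctx));
END;
"""

def setup():
    # In-memory database seeded with two constructed employee rows.
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO ps_employee VALUES (?, ?, ?)",
                     [("E001", "A. Example", 55000), ("E002", "B. Example", 72000)])
    conn.commit()
    return conn

def set_session_user(conn, user):
    # Stand-in for the database login the trigger would normally read.
    conn.execute("DELETE FROM session_ctx")
    conn.execute("INSERT INTO session_ctx VALUES (?)", (user,))

def update_salary(conn, emplid, new_rt):
    # The article's UPDATE ... COMMIT, parameterised; the application sees nothing.
    conn.execute("UPDATE ps_employee SET annual_rt = ? WHERE emplid = ?", (new_rt, emplid))
    conn.commit()

def unapproved_changes(conn, approved_accounts):
    # Salary changes made by any login other than the application's own
    # service accounts are the ones a reviewer needs to see.
    rows = conn.execute("SELECT emplid, old_rt, new_rt, changed_by FROM audit_log").fetchall()
    return [r for r in rows if r[3] not in approved_accounts]
```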

The next request coming from auditors and government is to force companies to track every electronic transaction an employee makes. Without the ability to track what data has been changed and who changed it, corporate executive officers and stockholders are at risk.

Companies have started to realize this, pushing the identity and access management, messaging security and vulnerability assessment markets to a projected double-digit growth rate through 2008, with a total market size in excess of $6.7 billion.

Legislation can help strengthen the system, but it cannot keep corrupt people from corrupting the system. Regardless of size, if a company hasn't started projects to audit user transactions and the actions of database administrators, system administrators and application-level super-users, it's time to get started.

Walter Scott is president and CEO of Imceda Software, a maker of database management tools. He has over 15 years' experience in the enterprise systems management market and has held executive sales and marketing positions at Embarcadero Technologies and BMC Software.