Information Security and the Integrity of Financial Reporting
Securing Information
Integrity and trust will always remain important in relationships and transactions. This requires that information is secure and simple to understand, and that the process used to produce that information is also secure. The Enron scandal, together with its accounting firm Arthur Andersen, provided the lessons from which laws such as the Sarbanes-Oxley Act (SOX) were created. SOX set out to address the lack of integrity and trust in producing reliable and understandable financial reporting. Protecting your application layer is especially important given that SAP customers generate 87% of total global commerce. SAP offers solutions that help businesses comply with SOX. In this article, we'll look beyond those SAP compliance solutions, such as segregation of duties.
Internal Controls for Financial Reporting
Sarbanes-Oxley Section 404 mandates that the internal controls for annual financial reporting are attested to both by the publicly traded company's management and by the public accounting firm performing the audit. The consequences of noncompliance can be dire and include fines and imprisonment. Beyond using SAP's solutions to ensure compliance, there is more that needs to be addressed.
Addressing Information Security
SOX requires that financial information is secure, accessible to authorized personnel, and protected against fraud, so that its integrity is preserved. This must be accomplished with additional security measures, such as:
- Protecting servers and their operating systems.
- Ensuring network communications are secured.
- Establishing multi-factor authentication.
- Establishing a risk-based vulnerability management program for your servers, networks, supply chain systems, and SAP Landscapes.
- Executing routine red team penetration tests against your networks, computers, and supply chain applications, as well as your SAP Landscapes.
- Deploying solutions that operationalize NIST's Cybersecurity Framework, addressing each of its six functions: Govern, Identify, Protect, Detect, Respond, and Recover.
What are the Risks?
A business might implement all the right processes, procedures, and policies to ensure compliance with SOX; however, this may not prevent it from being targeted by a nation-state threat actor or an insider threat. All it takes is one crafty phishing email clicked by an employee to give a threat actor an internal foothold. Once inside, the threat actor may abuse an SAP vulnerability that grants full access to the company's financial data. Unfortunately, this can lead to a failure of internal controls for financial reporting and bring both civil and criminal penalties for executives.
What Can a Business Do?
Aside from implementing a healthy cybersecurity framework and using what SAP offers, businesses must vet their supply chain and ensure their vendors also prioritize information security. For instance, at Onapsis we research SAP vulnerabilities and work with SAP to patch them. Because we understand these vulnerabilities, we ensure our platform can detect and protect SAP Landscapes, sometimes before SAP Patch Day and otherwise always on SAP Patch Day. We also offer black-box penetration testing of SAP Landscapes.
Conclusion
The ultimate goal of SOX and its ICFR (internal controls for financial reporting) requirement is to ensure that financial data is secure and has integrity, meaning the data cannot be manipulated. When systems and data are secure, publicly traded companies can report their financials both on time and accurately. Ultimately, this leads to transparency and trust in the company by the board of directors, investors, stockholders, employees, and the public. And trust is what makes the global economy go round.