In today's technology-driven financial world, the increasing number of cybersecurity attacks has heightened the risk of material misstatement in reporting from breached (or previously breached) financial applications.
As this risk grows, cybersecurity has become a deeper focus within the Sarbanes-Oxley (SOX) control framework of many organizations.
Companies need to remember that the scope of SOX includes only financial controls and, therefore, testing is limited to production in-scope financial applications, servers, operating systems, and databases. There are many other servers and devices not reviewed for SOX compliance that may be compromised and, in turn, affect financial reporting. It is therefore critical to take a holistic security and internal audit approach that includes preventive, detective, and corrective measures to address cybersecurity risk.
To begin with, internal auditors should be incorporating cyber risks within their annual audit risk assessments and should be interviewing key cybersecurity personnel during the process. Now that boards are asking more questions about cyber risks and mitigation efforts, there is value in scheduling these meetings even more frequently. It is critical, then, that Internal Audit has IT audit resources that are familiar with current cybersecurity risks and that these resources are budgeted for non-SOX cyber audit work throughout the year. After identifying cyber risks and designing controls, it is important to baseline your company's SOX and cyber controls against a cybersecurity framework such as the NIST Cybersecurity Framework, so that the effectiveness of mitigation efforts can be tested and monitored against a stated target rather than assumed.
IT controls that companies already review for SOX can be applied to other applications and IT environments to strengthen cybersecurity posture, including:
- Access control based on least privilege
- Changing network, application, firewall, database, and operating system admin passwords regularly
- Password controls (complexity, lockout, and expiration settings)
- Restricting service accounts to only those with necessary privileges
- Segregation of duties in change management and access modification
- Application access reviews and certifications
- Change management procedures
- Backup procedures
Beyond direct SOX evidence, companies should complete a SOX cybersecurity memo annually and consider additional SOX controls. A SOX cybersecurity memo should be completed by the internal and external IT auditors to assess how prepared the company is for a cyberattack. These discussions often lead to how the IT security and internal audit groups in a company can benefit from each other. Based on the cyber discussions, obvious design deficiencies should be addressed, including issues such as limited cyber resources, no cyber risk assessment, no cyber maturity framework, poor cyber policies and procedures, insufficient cyber training, and so on. These discussions give auditors a high-level understanding of the current state of the cyber program.
Disaster recovery is also starting to appear as a SOX key control, despite historically being viewed as a corrective control and, consequently, out of SOX scope. Adding this control brings additional focus on whether companies can actually recover their in-scope financial applications in the case of a cyberattack, which in practice means tested restores from backups, not just documented backup procedures.
Not all necessary cyber controls will ever be within your SOX framework; therefore, security departments should require additional cyber controls and frameworks, and Internal Audit departments need to schedule high-risk cyber/IT audits to validate the cyber department's procedures, especially for controls that fall outside the scope of SOX compliance.