The Sarbanes-Oxley Act of 2002 was revolutionary in that it forced public companies to take responsibility for internal risk management, controls and review.
Specifically, Section 404 requires management to establish internal controls over financial reporting and to assess and report on their effectiveness every year, protecting the integrity and accuracy of financial data.
Since the passing of Sarbanes-Oxley, and under other requirements such as the Health Insurance Portability and Accountability Act (HIPAA, a federal law) and the Payment Card Industry Data Security Standard (PCI DSS, a contractual industry standard imposed by the card brands rather than a federal regulation), entitlement reporting has been widely adopted as part of the process for evaluating internal corporate financial risk and data integrity.
Entitlement reporting, simply put, is an audit performed against a corporate environment to ensure that the right employees, and only those employees, have access to the appropriate resources, such as financials and personal customer data. Entitlement reporting is one small piece of a corporate risk management strategy.
Entitlement reporting is effectively mandated for corporations that have to adhere to such regulations. But all corporations, regulated and non-regulated, should develop and implement an entitlement reporting process.
History shows us that not evaluating employee access, especially in relation to financial data, comes with great risk.
The collapse of Enron, which filed for bankruptcy in December 2001 after its fabricated financials and billions in hidden debt came to light, brought financial risk management into the spotlight. Adelphia and WorldCom were likewise found in 2002 to have fabricated their financials to hide corporate debt.
Under Sarbanes-Oxley, the U.S. Securities and Exchange Commission (SEC) requires a company's chief executive and chief financial officers to personally certify its financial reports, so senior management is held responsible for financial reporting. Entitlement auditing and reporting is a measure that corporations can use to help ensure the integrity and accuracy of their data.
In fact, on April 16, 2010, the SEC charged Goldman Sachs with fraud related to a subprime mortgage product, though it is yet to be seen whether the charge is founded.
The process by which corporations and financial institutions implement entitlement reporting is not prescribed by law, so each corporation can conduct its audit however it wishes.
Generally the following steps are taken:
- Educate: An organization determines who should have access to what information, usually based on job function.
- Review: Management reviews each employee's actual access against that determination and how each level of access was obtained.
- Act: Corrective actions are taken, as applicable.
Management, not the IT department, is ultimately responsible for all entitlement reporting decisions.
If an entitlement reporting audit is conducted manually, IT professionals may be required to travel to remote locations to assess systems, or to connect to them using remote-management tools. The information obtained then has to be recorded and documented for review by management.
Companies that are not subject to laws enforcing risk assessment and reporting should also consider entitlement reporting.
Private companies face the same risks as public companies, and arguably a higher risk of fraud and unauthorized data access, because they are not required to adhere to the same regulations. Regardless of legal obligation, privately held companies should also undertake entitlement reporting audits to decrease risk.
While best practices for entitlement reporting have not yet been standardized, I recommend the following:
- Understand your resources: know which systems hold sensitive data, who owns them, and which groups or roles grant access to them.
- Implement a change control process that provides an audit trail.
- Develop a repeatable audit process.
- Develop a repeatable review process.
- Automate the process where possible and where it makes sense.
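The educate/review/act steps above, and the recommendation to automate where it makes sense, can be shown concretely with a small reconciliation script. The example below is added here and is not code from the original article or from any product; the HR feed, entitlement export, role model and segregation-of-duties rules are all constructed for illustration. The "educate" step becomes a role model of expected entitlements per job function; the "review" step compares an access export against that model and against the HR feed; the "act" column states the remediation for each finding. A snapshot diff provides the change audit trail recommended above.

```python
"""Entitlement review: reconcile actual access against a job-function model.

Hypothetical example. All data below is constructed; the users, systems and
group names do not belong to any real organisation.
"""
from collections import defaultdict
import csv
import io

# Constructed HR feed: who works here, in what job function, and whether active.
HR_FEED = """\
user,job_function,status
alice,ap_clerk,active
bob,ap_manager,active
carol,engineer,active
dave,ap_clerk,terminated
"""

# Constructed entitlement export, as an IAM tool or directory script would dump it.
ENTITLEMENT_EXPORT = """\
user,system,group
alice,erp,AP_CREATE_VENDOR
alice,erp,AP_APPROVE_PAYMENT
bob,erp,AP_APPROVE_PAYMENT
bob,fileshare,FIN_REPORTS_RO
carol,git,DEVELOPERS
carol,fileshare,FIN_REPORTS_RO
dave,erp,AP_CREATE_VENDOR
"""

# Constructed export from the previous review cycle, used for the change audit trail.
PREVIOUS_EXPORT = """\
user,system,group
alice,erp,AP_CREATE_VENDOR
bob,erp,AP_APPROVE_PAYMENT
bob,fileshare,FIN_REPORTS_RO
carol,git,DEVELOPERS
carol,fileshare,FIN_REPORTS_RO
dave,erp,AP_CREATE_VENDOR
"""

# "Educate" step: the entitlements each job function is supposed to have.
ROLE_MODEL = {
    "ap_clerk": {("erp", "AP_CREATE_VENDOR")},
    "ap_manager": {("erp", "AP_APPROVE_PAYMENT"), ("fileshare", "FIN_REPORTS_RO")},
    "engineer": {("git", "DEVELOPERS")},
}

# Segregation-of-duties pairs that no single person may hold together.
SOD_CONFLICTS = [
    frozenset({("erp", "AP_CREATE_VENDOR"), ("erp", "AP_APPROVE_PAYMENT")}),
]


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def review_entitlements(hr_csv, export_csv, role_model, sod_conflicts):
    """'Review' step. Returns findings as (user, finding_type, detail, action)."""
    hr = {row["user"]: row for row in parse_csv(hr_csv)}
    actual = defaultdict(set)
    for row in parse_csv(export_csv):
        actual[row["user"]].add((row["system"], row["group"]))

    findings = []
    for user, grants in sorted(actual.items()):
        record = hr.get(user)
        # Accounts with no active owner are revoked outright, not reviewed group by group.
        if record is None or record["status"] != "active":
            why = "not in HR feed" if record is None else "terminated"
            for system, group in sorted(grants):
                findings.append((user, "orphaned_access", f"{why}: {system}/{group}", "revoke"))
            continue
        expected = role_model.get(record["job_function"], set())
        for system, group in sorted(grants - expected):
            detail = f"{system}/{group} not in role {record['job_function']}"
            findings.append((user, "excess_access", detail, "revoke or document exception"))
        for conflict in sod_conflicts:
            if conflict <= grants:
                detail = " + ".join(f"{s}/{g}" for s, g in sorted(conflict))
                findings.append((user, "sod_conflict", detail, "remove one side"))
    return findings


def grants_from_export(export_csv):
    return {(r["user"], r["system"], r["group"]) for r in parse_csv(export_csv)}


def diff_snapshots(previous_csv, current_csv):
    """Audit trail: which grants were added or removed since the last review."""
    before, after = grants_from_export(previous_csv), grants_from_export(current_csv)
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    for user, kind, detail, action in review_entitlements(HR_FEED, ENTITLEMENT_EXPORT, ROLE_MODEL, SOD_CONFLICTS):
        print(f"{user:8} {kind:16} {detail:55} -> {action}")
    added, removed = diff_snapshots(PREVIOUS_EXPORT, ENTITLEMENT_EXPORT)
    print("added since last review:", added)
    print("removed since last review:", removed)
```

On the constructed data the review flags alice for approval rights outside her clerk role and for holding both sides of a vendor-creation/payment-approval conflict, carol for a finance share an engineer should not see, and dave, who is terminated, for an account that was never deprovisioned; bob's access matches his role and produces no finding. The snapshot diff shows that alice's approval right appeared since the last cycle, which is exactly the change a reviewer should ask management to account for. In a real deployment the two exports would come from the directory and application exports rather than inline strings, and findings would be written to a ticketing system so that the "act" step leaves its own trail.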