

Identity security in the era of SOX


By Steve Bradford, Senior Vice President, EMEA, SailPoint 

The Sarbanes-Oxley Act (SOX) is a US federal law that mandates auditing and financial reporting practices for public companies. Its original intent was to restore trust in a corporate and financial system that had been rocked by major accounting scandals such as Enron, WorldCom and Tyco. Legislators believed that if there was no trust in the major corporate institutions of America, the whole fabric of capitalism could be brought into question.

Although it initially applied only to American companies, every major institution that dealt with America soon had to comply with SOX. It was a huge success, with the number of financial scandals emanating from the US dropping dramatically since compliance took hold. But can the UK follow suit?

Preparing for “SOX UK”

The UK has had its own high profile business collapses – notably BHS and Carillion. So, the government has launched a consultation programme that mimics the US SOX rules. The consultation on reforms aims to ‘restore trust in audit and corporate governance’ and applies to auditors, companies, directors, audit committees, investors, other stakeholders, and the regulator.

The focus is on companies with a significant public interest, otherwise known as Public Interest Entities (PIEs). These include financial institutions, banks, insurance companies, underwriters and the like, many of which are already familiar with a high degree of financial scrutiny. A noteworthy difference is the stated preference to expand the UK SOX controls beyond public interest companies, which could bring in large companies in retail, manufacturing, logistics and automotive.

UK SOX may seem like a massive undertaking to those unfamiliar with it, but with the right technologies in place manual tasks can be automated. The time saved can then be redirected to greater priorities or risks, and everyday operations will be guided by a strong set of well-defined controls.

A growing threat 

The Sarbanes-Oxley Compliance 9-Step checklist provides a series of recommendations to protect the validity of all reported information and help businesses ensure they are following the rules. This includes the need to establish controls to prevent data tampering, track data access, test the effectiveness of safeguards and detect security breaches, any of which must be reported to SOX auditors on time.

As both physical and digital information are affected, accurate management is an integral part of compliance. Remote working, blockchain integration and the emergence of cloud-based banking (Banking as a Service) have led to growing cyber threats, privacy concerns and compliance requirements through the complexities of connectivity. For example, multiple devices now connect to networks from different locations, accessing the vast amount of information held in the cloud. There is now a critical need to close security gaps outside the perimeter.

Some of the greatest threats lie within an organisation: either human error or, more likely, the growing risk created by the breadth of access today’s workforce has to technology. Complex corporate structures and departmental silos hinder management’s visibility into workforce roles, responsibilities and data access. Traditional reliance on spreadsheets and manual processes for tracking data access and user identities leads to inaccuracies and inconsistencies.

Apart from being an auditing and reporting nightmare, the situation creates system gaps that are ripe for exploitation by threat actors.

Maintaining security through identity 

To meet security and compliance regulations, companies and organisations must act smarter in how they protect their “perimeter”, which is now centred on their people, the threat vector of choice. Companies must prepare to automate business processes and embrace new security practices that fully protect the workforce and the tools they need to do their job.

Staying in compliance with regulation is important for the safety of the company, but it is crucial that the right safety measures are in place. Identity and access management can reduce the risk of insider threat, data breaches and human error in financial reporting, enabling automated logging and report generation so that companies can make smart decisions whilst uncovering and remediating hidden or unknown issues that pose inherent risk.

The countdown to SOX 

One commodity companies don’t have is an abundance of time. With less than 18 months to go until the SOX recommendations deadline, any form of automated access system is an essential first step in ensuring companies are prepared. Starting early is critical, given that an implementation programme can take 18-24 months even for a company that is used to stringent financial regulations. It’s time to get identity and access compliance right: automation can save a significant amount of effort and money, whilst improving the accuracy of identity management processes.

As seen in the US, UK companies not used to financial compliance procedures will have to catch up or ask for help, learning from the financial sector, and scale up their auditing and controls to comply with more stringent regulations. The rules are there to provide the assurance that regulators need for a secure commercial environment. Now is the time to act in order to reduce the risk.
