Let’s face it: Sarbanes-Oxley (SOX) audits aren’t something any of us want to have to think about. All publicly traded companies, wholly owned subsidiaries, and foreign companies that are publicly traded and do business in the United States must comply with SOX. While these audits may be necessary, they are also cumbersome and stressful. Several sections of SOX apply directly to IT departments who are responsible for managing and documenting the ongoing security and access protocols of their data and systems.
Because Oracle EPM applications contain important financial data and reports, they are an essential review point for an audit, along with underlying databases and technologies. And with end of support for EPM 11.1 on the horizon, concerns about SOX audits and software compliance are top of mind for many Hyperion administrators and managers.
But don’t panic; there are things you can do to prepare so you can feel confident that everything will go smoothly. We’ve been around this block many times with our clients. Here are our top tips for getting your EPM applications ready for a SOX audit.
1) Get Informed
As an EPM administrator or manager, the responsibility for keeping your Hyperion applications compliant with SOX falls on you. Be sure you are fully aware of every requirement necessary to pass the audit so you can take action well before the audit occurs. Also do your best to see the big picture - what is the overall goal of the audit? What steps can you take to ensure the security and validity of your applications? Are there additional best practices you could implement that are not yet required, but will increase the quality of data security?
As you’re pulling together your requirements, maintain a personal checklist and notes on everything you’ll need to prepare. Be scrupulous about the details and don’t rely on your memory. This will not only keep you organized, but it will also show auditors and your internal team that you take security and compliance seriously.
2) Stay Current on Application Versions and Certifications
Depending on the requirements of your company’s SOX audit, implementing the latest patches and security updates may be necessary to stay compliant. This means you need to be on the latest version and in support with the vendor.
In the case of Oracle EPM, end of support for 11.1.2.4 is coming up quickly in December 2021. This means you’ll need to upgrade to 11.2 or migrate to Oracle EPM Cloud by the end of the year to continue to receive security patches and bug fixes. In addition, your databases and third-party applications need to be certified for use with your version of Oracle EPM, so upgrades might also be required for Java, Windows Server, Oracle Database, and more.
We recognize how important and daunting this can be, so we’ve put together a matrix you can reference to make sure your systems are in compliance. This is a snapshot of the certifications you’ll need to be aware of; the full matrix is available here.
3) Document Everything
We mean this literally. The number one rule of SOX preparation is “document, document, document.” Even if your security processes and policies are airtight, auditors are going to want to see proof that they are established and communicated to the appropriate parties. They may ask for documentation for everything from security policies to user access criteria to password requirements. You’ll also want to document change management policies, archiving strategies, and how you monitor for security breaches. All violations should be recorded as well, including the steps that were taken to remediate the situation.
Pull these pieces together now and review them regularly to ensure you haven’t missed anything. And stay up to date - if you initiate a new protocol or adjust your password requirements, make sure it’s in your documentation.
This is by no means a comprehensive list of SOX audit must-dos, but these three steps are foundational to a much broader SOX preparedness strategy. To fully understand the components of Sarbanes-Oxley, read up on sections 302, 404, and 409. These sections detail the many aspects of IT systems that are required to be monitored, logged, and audited, including databases, network activity, user and account access, account activity, and overall information access. Good luck!