Sarbanes-Oxley Act of 2002 (SOX). Congress passed the Sarbanes-Oxley Act (SOX) in large part to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws. Section 404 of Sarbanes-Oxley not only requires companies to establish and maintain an adequate internal control structure, but also to assess its effectiveness on an annual basis.
Dependencies
The SOX compliance reports have the following dependencies.
| SA Rules | SA Lists | App Rules |
|---|---|---|
| Access to Compliance Data Details Access to Compliance Data Summary Accounts Created Accounts Deleted Accounts Modified Admin Access to Compliance Systems Details Admin Access to Compliance Systems Summary Change in Audit Settings Group Management Logon Failures Details Logon Failures Summary Password Changes Password Changes Summary User Access Revoked User Access to Compliance Systems Details User Access to Compliance Systems Summary | Administrative Users Compliance Data Compliance Systems | alm:cardholder-data account:created account:deleted account:modified account:logon-success config:change-audit-setting account:group-management account:logon-failure account:password-change access:user-access-revoked |
Citations
The SOX compliance reports have the following Citations.
| Report Rule | Citation Number | Citation Description |
|---|---|---|
| Accounts Created | SOX 404 | Management assessment of internal controls. |
| Accounts Deleted | SOX 404; ISO 27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1 | Management assessment of internal controls; An access control policy should be developed and should state the access control rules and rights for all users and groups. Both logical and physical access controls should be used. |
| Accounts Modified | SOX 404 | Management assessment of internal controls. |
| Group Management | SOX 404; ISO 27002 - 11.1.1, 11.2.2, 11.4.6, 11.6.1 | Management assessment of internal controls; An access control policy should be developed and should state the access control rules and rights for all users and groups. Both logical and physical access controls should be used. |
| User Access to Compliance Systems - Top 25 | Sox 404; ISO 27002 -11.5.1 | Management assessment of internal controls.; All successful and unsuccessful logon attempts should be recorded. |
| Account Management | SOX 404 | Management assessment of internal controls. |
| Admin Access to Compliance Systems - Detail | Sox 404; ISO 27002 - 10.10.4 | Management assessment of internal controls; All activities by System Administrators and System Operators should be logged. |
| Admin Access to Compliance Systems - Top 25 | Sox 404; ISO 27002 - 10.10.4 | Management assessment of internal controls; All activities by System Administrators and System Operators should be logged. |
| Change in Audit Settings | SOX 404; ISO 15408-2 | Management assessment of internal controls; The system should ensure that security policy enforcement functions succeed before functions are allowed to proceed. |
| Access to Compliance Data - Detail | SOX 404 | Management assessment of internal controls. |
| Access to Compliance Data - Top 25 | SOX 404 | Management assessment of internal controls. |
| Logon Failures - Detail | SOX 404; ISO 27002 - 11.5.1 | Management assessment of internal controls; All successful and unsuccessful logon attempts should be recorded. |
| Logon Failures - Top 25 | SOX 404; ISO 27002 - 11.5.1 | Management assessment of internal controls; All successful and unsuccessful logon attempts should be recorded. |
| Password Changes - Detail Password Changes - Top 25 | SOX 404 | Management assessment of internal controls. |
| User Access Revoked | SOX 404; ISO 27002 - 11.2.1 | Management assessment of internal controls; Users who have changed jobs or left the organization should have their access rights removed immediately. |
| User Access to Compliance Systems - Detail | Sox 404; ISO 27002 -11.5.1 | Management assessment of internal controls.; All successful and unsuccessful logon attempts should be recorded. |
