As an IT auditor in AlphaCo’s SOX Section 404 audit, my overall assessment is that AlphaCo passes the compliance audit. The company has done a good job of developing an effective IT system, and it has competently identified and reduced the IT risks related to the security flaws that were present at the time of the hacking incident. Specifically, our IT audit suggests that effective internal controls are in place and that they have been further upgraded to address the security vulnerabilities discovered after the intrusion. The tone at the top of the organization is also adequate.
Due to the size of the organization and the materiality (financial and reputational) of multiple hacking incidents to this IT-reliant company, the CIO has proposed a further increase in the IT-related budget. The CEO and the CFO are understandably reluctant to increase cost, but they are open to ...
All critical servers are now required to be updated within 72 hours of a patch release. Furthermore, database connections are now encrypted, virus scanners have been upgraded, and all software installed on critical servers must be justified.
New monitoring activities have been put into place. All new customer accounts are reconciled monthly for appropriate credit check approval, and security logs are reviewed each week for anomalies. Firewall and account administration policies were also updated with an emphasis on maximum security: firewall configurations are locked down and open ports require justification. All non-business accounts have been removed from the critical servers, making the security logs more transparent. We believe that these control and monitoring activities are a huge step forward and help the company effectively comply with the control requirements of SOX 404.
In terms of materiality, the identified hacking incident cost the company $20 million. However, such incidents have a potential cost of $200 million per year. Yet, under the current control regime, such incidents are very unlikely, and even that potential cost is only about 0.4% of the company’s $42 billion revenue.
Additionally, the company may not have had strong preventive controls before the hacking incident, but it did have relatively effective compensating controls, such as its Accounts Receivable Aging Review process. This enabled the company to detect the issue before the external auditors did, and hence created an opportunity to improve IT security controls before the external audit.
In conclusion, I believe the current state of the internal controls developed by AlphaCo’s management gives us enough evidence to conclude that the company complies with Section 404 of SOX, which “requires the CEO and CFO to annually state their responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting, conduct and provide an assessment of the effectiveness of the enterprise’s internal controls.”