Abstract image of a woman sitting on books and studying on a laptop

Sox regulation and Analytics

B
brunomase

This document discusses how to comply with the Sarbanes-Oxley Act (SOX) using Business Objects and the 360Suite software. It outlines a 9-step process for organizations to identify, secure, and maintain control over financial data protected by SOX. The steps include backing up data incrementally, managing security rights, tagging protected information, analyzing usage logs, implementing version control, and finding/fixing discrepancies. The goal is to improve transparency and safeguard financial data as required by SOX.

Technology
1 of 13
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
Sox regulation and Analytics
Executive Summary The Sarbanes-Oxley Act (SOX) demands that companies establish internal controls to protect financial data. To comply with SOX, companies must be able to locate and safeguard financial data. Business intelligence applications expose data and therefore must be used in a manner that supports the goals and upholds the requirements of SOX. GB&SMITH, creator of 360Suite solutions to enhance Business Objects, developed a 9- step process to help organizations think through the challenges of SOX compliance and take appropriate action. What is SOX? SOX is shorthand for the Sarbanes-Oxley Act, which is a U.S. law that outlines auditing and financial regulations for publicly-traded companies. (Note: Some provisions apply to all enterprises, including private companies and not-for-profit organizations.) The Act was named for its sponsors -- U.S. Sen. Paul Sarbanes (D-MD) and U.S. Rep. Michael Oxley (R-OH). It was signed into law on January 30, 2002 by President George W. Bush. SOX was enacted in response to corporate scandals in the late 1990s and early 2000s (e.g., Enron, WorldCom, Tyco, etc.). It closed loopholes in accounting practices in an effort to improve the reliability of financial reporting and restore investor confidence. The goal of SOX is to protect shareholders, employees, and the public from accounting errors and fraudulent financial practices. SOX requires companies to establish internal controls to prevent tampering with financial data. It adds a section to the United States Code stating that “any person who attempts or conspires to commit any offense . . . shall be subject to the same penalties as those prescribed for the offense.” It also establishes harsh criminal penalties for anyone who is found guilty of certifying misleading or fraudulent reports. Finally, it requires external auditors to express an opinion on a company’s internal control structure.
Many other countries have regulations similar to SOX, including: • Australia (Corporate Law Economic Reform Program Act aka CLERP 9) • Canada (Keeping the Promise for a Strong Economy Act aka Bill 198 or Canadian Sarbanes-Oxley Act or C-SOX) • France (Financial Instruments and Exchange Act aka Loi de sécurité financière or LSF) • Germany (Deutsche Corporate Governance Kodex and Mindestanforderungen an das Risikomanagement) • India (Clause 49 of the Listing Agreement to the Indian stock exchange) • Italy (Disposizioni per la tutela del risparmio e la disciplina dei mercati finanziari) • Japan (Financial Instruments and Exchange Act aka J-SOX) • Netherlands (code-Tabaksblat, code-Frijns, and code-Van Manen) • South Africa (King Report on Corporate Governance) • UK (Companies (Audit, Investigations and Community Enterprise) Act 2004) How does SOX impact BI? Forrester defines Business intelligence (BI) as "a set of methodologies, processes, architectures, and technologies that transform raw data into meaningful and useful information used to enable more effective strategic, tactical, and operational insights and decision-making" (Evelson, 2008). Business intelligence applications (e.g, Business Objects, Tableau, Power BI, etc.) support this process by retrieving, analyzing, transforming, and reporting on data. It is safe to assume that all information technology, including CRM platforms, ERP systems, and BI applications contain financial data obtained from databases. SOX comes into play when BI applications are used to prepare, share, and publish financial data.
Sox regulation and Analytics
STEP 1: BACK UP One way for companies to ensure the reliability of financial data is to back them up regularly. A typical Business Objects recovery strategy involves backing up the entire Business Objects server and CMS database. This makes it possible to restore the full system, but not to perform selective rollbacks or restore individual deleted objects. Backing up the entire Business Objects server also doesn’t address the problem of corrupted environments (i.e., if an environment is corrupted, so too is the mirrored backup) and won’t restore personal folders and security settings if users are accidentally deleted. In contrast, 360Suite incremental backups allow organizations to perform full backups as well as restore previous versions of any object in any folder at any time. Incremental backups are particularly important in the context of financial data for the following reasons: 1. Every time IT modifies something, it opens the door to the possibility of technical issues, human error, or fraudulent behavior. 2. Information that was not originally identified as relevant to SOX may later become important due to tagging or segregation of duties (SOD). 3. Incremental backups allow for business continuity in the event of a non-technical crisis, including a natural or man-made disaster. SOX outlines rules for maintaining (aka archiving) information. Whereas archiving ensures that prior year information is accessible, backups ensure that current year information is accurate and complete. Both are important components of a robust internal control policy.
STEP 2: MANAGE SECURITY RIGHTS To safeguard data impacted by SOX, companies must control access to them. 360Suite makes it possible to identify, monitor, and control who has access to what information by: • Taking snapshots to track, document, and compare security over time; • Providing user-centric and resource-centric views of security; • Providing a patented comprehensive view of inherited rights, double-inherited rights, and broken inheritances, to protect against a cascade effect when security is modified; • Simplifying the process of auditing, recertifying, and modifying security rights; • Automating the process of administering and managing security to reduce human error; and • Making it possible to enforce the segregation of duties (SOD) by finding, flagging, viewing, and tracking potential conflicts of interest. STEP 3: FIND AND TAG SOX INFORMATION Companies must identify data impacted by SOX so they can take the necessary steps to safeguard them. 360Suite facilitates this process by making is possible to export Business Objects document properties and Universe object properties (e.g., name, description, SQL statement, etc.) to Excel spreadsheets that can be shared with data owners. Data owners can then tag SOX-related information (i.e., #SENSITIVE DATA_SOX) and document it in a data catalogue, taking into account that some information is impacted by SOX only when used in combination. Tagging can also include information about data sensitivity, life cycle, SOD, etc. Once tagging is complete, 360Suite can import tags back into Business Objects to update documents and Universe object descriptions.
STEP 4: ANALYZE AND DOCUMENT SOX INFO Tags make it easy to monitor actions on SOX data and spot unusual behavior. Companies should analyze and document the following in order to answer the questions: What? Why? When? By whom? • Security changes • Type of action/inaction on SOX data • Number of actions on SOX data • Number and format of exports and schedules of SOX data • Data report sources • Creation of new content based on SOX data Business Objects has powerful auditing capabilities, but can be subject to performance degradation over time. For example, Business Objects systems with a high rate of utilization can become bloated if they track every possible auditable event, write events to text files before they are loaded into the audit database, and retain audit data for long periods of time. This is why many organizations opt to purge Business Objects data after one year. Another problem is that Business Objects can audit actions, but not inactions. Sometimes what wasn’t done to SOX data is just as significant as what was done to them. Also, when organizations migrate Business Objects (e.g., from 4.1 to 4.2), the schema changes so they start a new Audit database. Since most companies migrate Business Objects every three or four years, their audit history is rarely longer than that. In contrast, 360Suite captures regular snapshots of metadata extracted from the CMS database, the Audit database, and the Input and Output Filestores. This makes is possible to display the activity of specific users on specific objects. And because the information is stored in an offline data mart specifically designed for BI-on-BI reporting, it doesn’t put a load on Business Objects during peak times.
STEP 5: IMPLEMENT VERSION CONTROL Version control refers to a system that records changes to a file or set of files over time, and makes it possible to recall specific versions. In the context of SOX, version control ensures the transparency and traceability of financial data and is an important part of an adequate internal control structure. 360Suite makes it possible to understand who made changes -- when, why, and how -- and who approved the changes. 360Suite features that contribute to version control include: • A check-out/check-in process for documents, Universes, and connections; • “Secured check-out,” which ensures that only the user who checked out an object can edit it (except the Administrator), until the object is checked back in; • The ability to require users to include a comment explaining changes at check-in; • A workflow approval process that requires changes to be approved before publication; • The ability to compare document versions and record changes over time; and • The ability to compare Universes and record changes over time. STEP 6: FIND AND FIX DISCREPANCIES Because the intent of SOX is to improve the accuracy and reliability of corporate disclosures, and because SOX grants issuers the opportunity to cure any defects, companies must devise a strategy to find and fix discrepancies in SOX data. Discrepancies can appear in documents, metadata, variables, and/or security. One way to identify discrepancies is through regression testing, which is an important quality assurance practice following upgrades, changes, and migrations. Regression testing is often performed only at the database level, but this approach has the potential to overlook regressions in documents published by business intelligence applications. 360Suite can perform regression testing at the document level. It can also search for
regressions in images (e.g., graphs, charts) at the pixel level, which is particularly useful for highly formatted documents. 360Suite can even identify regressions in metadata from the CMS and FileStore. And it can test for variable discrepancies caused by calculation engine changes, determine if the variables are used in other documents, and push bulk fixes. Another important quality assurance practice is regular user account recertification to reflect changes to staff and job functions. 360Suite facilitates this practice by tracking and documenting security over time, and identifying security discrepancies. This is an extension of Step 2 (Manage Security Rights), because controlling who has access to SOX data is not a one-off activity. 360Suite automates manual processes, like regression testing, that are time consuming and prone to human error. By scheduling regression testing using the latest values and highlighting differences, 360Suite helps companies find and fix discrepancies in SOX data before they cause lasting damage. STEP 7: CHECK FOR DELETED CONTENT SOX makes it a crime to knowingly alter, destroy, mutilate, conceal, cover up, or falsify documents. That’s why companies should keep track of all “delete” actions. Sometimes content is intentionally deleted for valid reasons. For example, employees may duplicate documents, customize them, and then delete one or more versions. Other times, content is accidentally deleted as a result of IT issues, human error, or fraudulent behavior. Business intelligence applications, like Business Objects, treat deletions as auditable events and record them. 360Suite accesses these audit records and combines them with information from the CMS and FileStore to generate a list of all actions (e.g., delete, copy, save to, etc.) linked to specific users. Because 360Suite back ups are incremental (see
Step 1), companies have the ability to restore suspiciously deleted content (e.g., users, inboxes, access control levels, etc.) at the object level. 360Suite also goes beyond the Business Objects recycle bin by making it possible to restore inboxes, including personal folders and security settings, if users are accidentally deleted. STEP 8: CONTROL UNGOVERNED CONTENT Despite their popularity, business intelligence applications haven’t entirely replaced ungoverned end-user computing (EUC) applications (e.g., Excel). It’s not uncommon to see data from business intelligence reporting (e.g., Webi) exported to Excel and then used as the basis for SOX reporting. Ungoverned content is problematic because: • Data sources can’t be controlled; • The information is easy to share; • The information is easy to alter, including for fraudulent purposes; • The information is hard to track; and • The information is subject to regressions when converted from the original format. Ideally, companies should take steps to prevent ungoverned content. At a minimum, they should take steps to control it. 360Suite makes it possible to password-protect .pdf, .xls and .zip instances from Business Objects. This limits unwanted sharing and minimizes security issues, but doesn’t necessarily prevent fraudulent behavior. 360Suite can also watermark .pdf and .xls documents. Finally, 360Suite can perform regression testing on Webi report sources before data are exported to Excel to ensure consistency.
STEP 9: ARCHIVE SOX INFO SOX requires companies to establish internal control structures and procedures that include maintaining records. In addition, SOX requires registered public accounting firms to maintain audit-related information for at least seven years. When archiving information, companies need to consider whether or not a particular format is likely to be retrievable seven or more years into the future. 360Suite supports automatically archiving and pseudo-archiving SOX content based on predetermined values (e.g., fiscal year) in common format standards. For the purposes of this paper, archiving refers to storing information outside of Business Objects, and pseudo-archiving refers to storing information within a Business Objects environment. In both cases, it’s important to consider restoration scenarios and security aspects. There are six ways to archive/pseudo-archive with 360Suite: 1. Take Webi (.wid) .pdf, .xls, .txt, and .csv instances of Business Objects documents and save them to a file system outside of Business Objects. (Note: Archiving a .wid requires access to the Web Intelligence Rich Client in order to open it.) 2. Flag unused content with #TOARCHIVE and automatically promote it to a folder on the current or another BIP environment. 3. Back up all content and delete unused content from the BI Platform, with the option to restore individual items, if required. 4. Pseudo-archive dynamically when triggered by Business Objects events, and burst instances to an external network location for record-keeping. 5. Pseudo-archive via security, so content remains within Business Objects, but is hidden from users via custom access level rights. 6. Pseudo-archive via security, so content remains within Business Objects but is stored in restricted folders. (Note: Only the Administrator can restore content to its original folder.)
If desired as part of internal control procedures, 360Suite can archive information to a “Write Once, Read Many” (WORM) device, from which information can be retrieved, but neither modified nor deleted. CONCLUSION Complying with SOX has a lot in common with complying with other regulatory requirements (e.g., GDPR, HIPAA, FISMA, etc.). But there are also important distinctions. For example, GDPR requires organizations to delete personal data in many situations, while SOX regulations require organizations to save financial data and be able to substantiate all deletions. • GDPR: Governs the processing and free movement of personal data • HIPAA: Regulates access to health information • FISMA: Requires federal agencies to implement an information security program • SOX: Requires companies to establish internal controls to prevent tampering with financial data In every case, organizations must understand what information is subject to regulations, be able to find and monitor that information, and safeguard the information by controlling access to it, ensuring accuracy, and creating backups. 360Suite achieves all these goals with unique and powerful solutions that run behind the scenes to help companies comply with SOX and other regulations in the context of business intelligence applications. REFERENCES Sarbanes-Oxley Act of 2002. Retrieved from https://www.congress.gov/bill/107th-congress/house-bill/3763/text Evelson, B. (2008). Topic Overview: Business Intelligence. Retrieved from https://www.forrester.com/report/Topic+Overview+Business+Intelligence/-/E-RES39218 Authors: Kristen Champagne Gray - Bruno Masek
Sox regulation and Analytics

More Related Content

PDF
Sox compliance
G Madhusudhan
 
PDF
Cso 4any ram rev 2.6 management summary
CSO GmbH
 
DOCX
There are regulatory rules that must be met as well as organizatio.docx
randymartin91030
 
PPT
Sox Compliance Presentation
Skye Rogers
 
PPTX
Auditing SOX ITGC Compliance
seanpizzy
 
PPTX
IT SOX 404 COMPLIANCE (1)_1689335175.pptx
RSAArcher
 
PPT
SOX compliance - Understanding Sarbanes-Oxley
Amarnath Gupta
 
DOCX
Running head MOBILE APPLICATION SECURITY .docx
charisellington63520
 
Sox compliance
G Madhusudhan
 
Cso 4any ram rev 2.6 management summary
CSO GmbH
 
There are regulatory rules that must be met as well as organizatio.docx
randymartin91030
 
Sox Compliance Presentation
Skye Rogers
 
Auditing SOX ITGC Compliance
seanpizzy
 
IT SOX 404 COMPLIANCE (1)_1689335175.pptx
RSAArcher
 
SOX compliance - Understanding Sarbanes-Oxley
Amarnath Gupta
 
Running head MOBILE APPLICATION SECURITY .docx
charisellington63520
 

Similar to Sox regulation and Analytics (20)

PDF
Simplifying SOX Compliance White Paper
Randy Hamilton
 
PPTX
Agile in a highly regulated organization 2014
Tami Flowers
 
PDF
Achieving IT Governance and compliance using Kovair
Kovair
 
DOC
Log Management in the Age of Compliance
Anton Chuvakin
 
PDF
Reducing The Time And Costs Associated With Sarbanes Oxley Compliance
Michael Findling
 
PPTX
Control and Audit Information System
arif prasetyo
 
PDF
Governance and Architecture in Data Integration
AnalytiX DS
 
PDF
White Paper-1-AnalytiX Mapping Manager-Governance And Architecture In Data In...
AnalytixDataServices
 
PDF
Support your business objects GDPR project with 360suite
Sebastien Goiffon
 
DOCX
REAL-TIME INTEGRATION SYSTEMS Computer Systems Security .docx
catheryncouper
 
PPT
Fitter Faster Smarter
InSync Conference
 
PDF
Sarbanes-Oxley Compliance and the RFI/RFP Process
CXT Group
 
DOCX
REAL-TIME INTEGRATION SYSTEMS Computer Systems Security .docx
danas19
 
PPTX
Automatski - The Internet of Things - Security Standards
automatskicorporation
 
PDF
GRC in Australia slides
InSync Conference
 
PDF
SharePoint and GDPR Compliance
SysKit Ltd
 
PDF
SOX ICMS Implmenetation - 2007
Slava Gorbunov
 
PDF
The Accounting Integration Platform Permits
Jennifer Letterman
 
PPTX
Internal controls & ai ss
Kashif Rana ACCA
 
PDF
Leveraging Log Management to provide business value
Enterprise Technology Management (ETM)
 
Simplifying SOX Compliance White Paper
Randy Hamilton
 
Agile in a highly regulated organization 2014
Tami Flowers
 
Achieving IT Governance and compliance using Kovair
Kovair
 
Log Management in the Age of Compliance
Anton Chuvakin
 
Reducing The Time And Costs Associated With Sarbanes Oxley Compliance
Michael Findling
 
Control and Audit Information System
arif prasetyo
 
Governance and Architecture in Data Integration
AnalytiX DS
 
White Paper-1-AnalytiX Mapping Manager-Governance And Architecture In Data In...
AnalytixDataServices
 
Support your business objects GDPR project with 360suite
Sebastien Goiffon
 
REAL-TIME INTEGRATION SYSTEMS Computer Systems Security .docx
catheryncouper
 
Fitter Faster Smarter
InSync Conference
 
Sarbanes-Oxley Compliance and the RFI/RFP Process
CXT Group
 
REAL-TIME INTEGRATION SYSTEMS Computer Systems Security .docx
danas19
 
Automatski - The Internet of Things - Security Standards
automatskicorporation
 
GRC in Australia slides
InSync Conference
 
SharePoint and GDPR Compliance
SysKit Ltd
 
SOX ICMS Implmenetation - 2007
Slava Gorbunov
 
The Accounting Integration Platform Permits
Jennifer Letterman
 
Internal controls & ai ss
Kashif Rana ACCA
 
Leveraging Log Management to provide business value
Enterprise Technology Management (ETM)
 
Ad

Recently uploaded (20)

PDF
Getting started with AI Agents and Multi-Agent Systems
Maxim Salnikov
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PPTX
The various Industrial Revolutions .pptx
bandileshozi3
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
A Late Bloomer's Guide to GenAI: Ethics, Bias, and Effective Prompting - Boha...
Mindy Bohannon
 
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
PPTX
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 
PDF
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PPTX
Web Crawler for Trend Tracking Gen Z Insights.pptx
Actowiz Solustions
 
PDF
Unlock new opportunities with location data.pdf
Precisely
 
PDF
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PDF
August Patch Tuesday
Ivanti
 
PPT
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
Getting started with AI Agents and Multi-Agent Systems
Maxim Salnikov
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
The various Industrial Revolutions .pptx
bandileshozi3
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
A Late Bloomer's Guide to GenAI: Ethics, Bias, and Effective Prompting - Boha...
Mindy Bohannon
 
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 
sustainability-14-14877-v2.pddhzftheheeeee
VenkateshGovindaraja9
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
Web Crawler for Trend Tracking Gen Z Insights.pptx
Actowiz Solustions
 
Unlock new opportunities with location data.pdf
Precisely
 
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
August Patch Tuesday
Ivanti
 
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
Ad

Sox regulation and Analytics

  • 2. Executive Summary The Sarbanes-Oxley Act (SOX) demands that companies establish internal controls to protect financial data. To comply with SOX, companies must be able to locate and safeguard financial data. Business intelligence applications expose data and therefore must be used in a manner that supports the goals and upholds the requirements of SOX. GB&SMITH, creator of 360Suite solutions to enhance Business Objects, developed a 9- step process to help organizations think through the challenges of SOX compliance and take appropriate action. What is SOX? SOX is shorthand for the Sarbanes-Oxley Act, which is a U.S. law that outlines auditing and financial regulations for publicly-traded companies. (Note: Some provisions apply to all enterprises, including private companies and not-for-profit organizations.) The Act was named for its sponsors -- U.S. Sen. Paul Sarbanes (D-MD) and U.S. Rep. Michael Oxley (R-OH). It was signed into law on January 30, 2002 by President George W. Bush. SOX was enacted in response to corporate scandals in the late 1990s and early 2000s (e.g., Enron, WorldCom, Tyco, etc.). It closed loopholes in accounting practices in an effort to improve the reliability of financial reporting and restore investor confidence. The goal of SOX is to protect shareholders, employees, and the public from accounting errors and fraudulent financial practices. SOX requires companies to establish internal controls to prevent tampering with financial data. It adds a section to the United States Code stating that “any person who attempts or conspires to commit any offense . . . shall be subject to the same penalties as those prescribed for the offense.” It also establishes harsh criminal penalties for anyone who is found guilty of certifying misleading or fraudulent reports. Finally, it requires external auditors to express an opinion on a company’s internal control structure.
  • 3. Many other countries have regulations similar to SOX, including: • Australia (Corporate Law Economic Reform Program Act aka CLERP 9) • Canada (Keeping the Promise for a Strong Economy Act aka Bill 198 or Canadian Sarbanes-Oxley Act or C-SOX) • France (Financial Instruments and Exchange Act aka Loi de sécurité financière or LSF) • Germany (Deutsche Corporate Governance Kodex and Mindestanforderungen an das Risikomanagement) • India (Clause 49 of the Listing Agreement to the Indian stock exchange) • Italy (Disposizioni per la tutela del risparmio e la disciplina dei mercati finanziari) • Japan (Financial Instruments and Exchange Act aka J-SOX) • Netherlands (code-Tabaksblat, code-Frijns, and code-Van Manen) • South Africa (King Report on Corporate Governance) • UK (Companies (Audit, Investigations and Community Enterprise) Act 2004) How does SOX impact BI? Forrester defines Business intelligence (BI) as "a set of methodologies, processes, architectures, and technologies that transform raw data into meaningful and useful information used to enable more effective strategic, tactical, and operational insights and decision-making" (Evelson, 2008). Business intelligence applications (e.g, Business Objects, Tableau, Power BI, etc.) support this process by retrieving, analyzing, transforming, and reporting on data. It is safe to assume that all information technology, including CRM platforms, ERP systems, and BI applications contain financial data obtained from databases. SOX comes into play when BI applications are used to prepare, share, and publish financial data.
  • 5. STEP 1: BACK UP One way for companies to ensure the reliability of financial data is to back them up regularly. A typical Business Objects recovery strategy involves backing up the entire Business Objects server and CMS database. This makes it possible to restore the full system, but not to perform selective rollbacks or restore individual deleted objects. Backing up the entire Business Objects server also doesn’t address the problem of corrupted environments (i.e., if an environment is corrupted, so too is the mirrored backup) and won’t restore personal folders and security settings if users are accidentally deleted. In contrast, 360Suite incremental backups allow organizations to perform full backups as well as restore previous versions of any object in any folder at any time. Incremental backups are particularly important in the context of financial data for the following reasons: 1. Every time IT modifies something, it opens the door to the possibility of technical issues, human error, or fraudulent behavior. 2. Information that was not originally identified as relevant to SOX may later become important due to tagging or segregation of duties (SOD). 3. Incremental backups allow for business continuity in the event of a non-technical crisis, including a natural or man-made disaster. SOX outlines rules for maintaining (aka archiving) information. Whereas archiving ensures that prior year information is accessible, backups ensure that current year information is accurate and complete. Both are important components of a robust internal control policy.
  • 6. STEP 2: MANAGE SECURITY RIGHTS To safeguard data impacted by SOX, companies must control access to them. 360Suite makes it possible to identify, monitor, and control who has access to what information by: • Taking snapshots to track, document, and compare security over time; • Providing user-centric and resource-centric views of security; • Providing a patented comprehensive view of inherited rights, double-inherited rights, and broken inheritances, to protect against a cascade effect when security is modified; • Simplifying the process of auditing, recertifying, and modifying security rights; • Automating the process of administering and managing security to reduce human error; and • Making it possible to enforce the segregation of duties (SOD) by finding, flagging, viewing, and tracking potential conflicts of interest. STEP 3: FIND AND TAG SOX INFORMATION Companies must identify data impacted by SOX so they can take the necessary steps to safeguard them. 360Suite facilitates this process by making is possible to export Business Objects document properties and Universe object properties (e.g., name, description, SQL statement, etc.) to Excel spreadsheets that can be shared with data owners. Data owners can then tag SOX-related information (i.e., #SENSITIVE DATA_SOX) and document it in a data catalogue, taking into account that some information is impacted by SOX only when used in combination. Tagging can also include information about data sensitivity, life cycle, SOD, etc. Once tagging is complete, 360Suite can import tags back into Business Objects to update documents and Universe object descriptions.
  • 7. STEP 4: ANALYZE AND DOCUMENT SOX INFO Tags make it easy to monitor actions on SOX data and spot unusual behavior. Companies should analyze and document the following in order to answer the questions: What? Why? When? By whom? • Security changes • Type of action/inaction on SOX data • Number of actions on SOX data • Number and format of exports and schedules of SOX data • Data report sources • Creation of new content based on SOX data Business Objects has powerful auditing capabilities, but can be subject to performance degradation over time. For example, Business Objects systems with a high rate of utilization can become bloated if they track every possible auditable event, write events to text files before they are loaded into the audit database, and retain audit data for long periods of time. This is why many organizations opt to purge Business Objects data after one year. Another problem is that Business Objects can audit actions, but not inactions. Sometimes what wasn’t done to SOX data is just as significant as what was done to them. Also, when organizations migrate Business Objects (e.g., from 4.1 to 4.2), the schema changes so they start a new Audit database. Since most companies migrate Business Objects every three or four years, their audit history is rarely longer than that. In contrast, 360Suite captures regular snapshots of metadata extracted from the CMS database, the Audit database, and the Input and Output Filestores. This makes is possible to display the activity of specific users on specific objects. And because the information is stored in an offline data mart specifically designed for BI-on-BI reporting, it doesn’t put a load on Business Objects during peak times.
  • 8. STEP 5: IMPLEMENT VERSION CONTROL Version control refers to a system that records changes to a file or set of files over time, and makes it possible to recall specific versions. In the context of SOX, version control ensures the transparency and traceability of financial data and is an important part of an adequate internal control structure. 360Suite makes it possible to understand who made changes -- when, why, and how -- and who approved the changes. 360Suite features that contribute to version control include: • A check-out/check-in process for documents, Universes, and connections; • “Secured check-out,” which ensures that only the user who checked out an object can edit it (except the Administrator), until the object is checked back in; • The ability to require users to include a comment explaining changes at check-in; • A workflow approval process that requires changes to be approved before publication; • The ability to compare document versions and record changes over time; and • The ability to compare Universes and record changes over time. STEP 6: FIND AND FIX DISCREPANCIES Because the intent of SOX is to improve the accuracy and reliability of corporate disclosures, and because SOX grants issuers the opportunity to cure any defects, companies must devise a strategy to find and fix discrepancies in SOX data. Discrepancies can appear in documents, metadata, variables, and/or security. One way to identify discrepancies is through regression testing, which is an important quality assurance practice following upgrades, changes, and migrations. Regression testing is often performed only at the database level, but this approach has the potential to overlook regressions in documents published by business intelligence applications. 360Suite can perform regression testing at the document level. It can also search for
  • 9. regressions in images (e.g., graphs, charts) at the pixel level, which is particularly useful for highly formatted documents. 360Suite can even identify regressions in metadata from the CMS and FileStore. And it can test for variable discrepancies caused by calculation engine changes, determine if the variables are used in other documents, and push bulk fixes. Another important quality assurance practice is regular user account recertification to reflect changes to staff and job functions. 360Suite facilitates this practice by tracking and documenting security over time, and identifying security discrepancies. This is an extension of Step 2 (Manage Security Rights), because controlling who has access to SOX data is not a one-off activity. 360Suite automates manual processes, like regression testing, that are time consuming and prone to human error. By scheduling regression testing using the latest values and highlighting differences, 360Suite helps companies find and fix discrepancies in SOX data before they cause lasting damage. STEP 7: CHECK FOR DELETED CONTENT SOX makes it a crime to knowingly alter, destroy, mutilate, conceal, cover up, or falsify documents. That’s why companies should keep track of all “delete” actions. Sometimes content is intentionally deleted for valid reasons. For example, employees may duplicate documents, customize them, and then delete one or more versions. Other times, content is accidentally deleted as a result of IT issues, human error, or fraudulent behavior. Business intelligence applications, like Business Objects, treat deletions as auditable events and record them. 360Suite accesses these audit records and combines them with information from the CMS and FileStore to generate a list of all actions (e.g., delete, copy, save to, etc.) linked to specific users. Because 360Suite back ups are incremental (see
  • 10. Step 1), companies have the ability to restore suspiciously deleted content (e.g., users, inboxes, access control levels, etc.) at the object level. 360Suite also goes beyond the Business Objects recycle bin by making it possible to restore inboxes, including personal folders and security settings, if users are accidentally deleted. STEP 8: CONTROL UNGOVERNED CONTENT Despite their popularity, business intelligence applications haven’t entirely replaced ungoverned end-user computing (EUC) applications (e.g., Excel). It’s not uncommon to see data from business intelligence reporting (e.g., Webi) exported to Excel and then used as the basis for SOX reporting. Ungoverned content is problematic because: • Data sources can’t be controlled; • The information is easy to share; • The information is easy to alter, including for fraudulent purposes; • The information is hard to track; and • The information is subject to regressions when converted from the original format. Ideally, companies should take steps to prevent ungoverned content. At a minimum, they should take steps to control it. 360Suite makes it possible to password-protect .pdf, .xls and .zip instances from Business Objects. This limits unwanted sharing and minimizes security issues, but doesn’t necessarily prevent fraudulent behavior. 360Suite can also watermark .pdf and .xls documents. Finally, 360Suite can perform regression testing on Webi report sources before data are exported to Excel to ensure consistency.
  • 11. STEP 9: ARCHIVE SOX INFO SOX requires companies to establish internal control structures and procedures that include maintaining records. In addition, SOX requires registered public accounting firms to maintain audit-related information for at least seven years. When archiving information, companies need to consider whether or not a particular format is likely to be retrievable seven or more years into the future. 360Suite supports automatically archiving and pseudo-archiving SOX content based on predetermined values (e.g., fiscal year) in common format standards. For the purposes of this paper, archiving refers to storing information outside of Business Objects, and pseudo-archiving refers to storing information within a Business Objects environment. In both cases, it’s important to consider restoration scenarios and security aspects. There are six ways to archive/pseudo-archive with 360Suite: 1. Take Webi (.wid) .pdf, .xls, .txt, and .csv instances of Business Objects documents and save them to a file system outside of Business Objects. (Note: Archiving a .wid requires access to the Web Intelligence Rich Client in order to open it.) 2. Flag unused content with #TOARCHIVE and automatically promote it to a folder on the current or another BIP environment. 3. Back up all content and delete unused content from the BI Platform, with the option to restore individual items, if required. 4. Pseudo-archive dynamically when triggered by Business Objects events, and burst instances to an external network location for record-keeping. 5. Pseudo-archive via security, so content remains within Business Objects, but is hidden from users via custom access level rights. 6. Pseudo-archive via security, so content remains within Business Objects but is stored in restricted folders. (Note: Only the Administrator can restore content to its original folder.)
  • 12. If desired as part of internal control procedures, 360Suite can archive information to a “Write Once, Read Many” (WORM) device, from which information can be retrieved, but neither modified nor deleted. CONCLUSION Complying with SOX has a lot in common with complying with other regulatory requirements (e.g., GDPR, HIPAA, FISMA, etc.). But there are also important distinctions. For example, GDPR requires organizations to delete personal data in many situations, while SOX regulations require organizations to save financial data and be able to substantiate all deletions. • GDPR: Governs the processing and free movement of personal data • HIPAA: Regulates access to health information • FISMA: Requires federal agencies to implement an information security program • SOX: Requires companies to establish internal controls to prevent tampering with financial data In every case, organizations must understand what information is subject to regulations, be able to find and monitor that information, and safeguard the information by controlling access to it, ensuring accuracy, and creating backups. 360Suite achieves all these goals with unique and powerful solutions that run behind the scenes to help companies comply with SOX and other regulations in the context of business intelligence applications. REFERENCES Sarbanes-Oxley Act of 2002. Retrieved from https://www.congress.gov/bill/107th-congress/house-bill/3763/text Evelson, B. (2008). Topic Overview: Business Intelligence. Retrieved from https://www.forrester.com/report/Topic+Overview+Business+Intelligence/-/E-RES39218 Authors: Kristen Champagne Gray - Bruno Masek