Compliance - Sarbanes-Oxley
Satisfy your Sarbanes-Oxley Auditors
...if only there were a tool that, without programming, would notify appropriate personnel of only the exceptional database transactions that violate Sarbanes-Oxley controls, and would capture electronic signatures and reason codes for the change.
Remember the old adage "it's like finding a needle in a haystack"? That's how many companies today feel about the database monitoring component of SOX compliance. It's quite common to schedule massive batch audit reports to print overnight so that some poor soul can review all the transactions and sign off on the veracity and appropriateness of each. In some cases access is so locked down that supporting the system becomes a nightmare, and appropriate data correction or master file maintenance is delayed. Several people are required to perform the same task in order to maintain the segregation-of-duties requirements.
A growing number of companies are now using DataThread as a totally automated solution for monitoring database changes and enforcing SOX compliance. Simply stated:
DataThread will watch all database changes over monitored files and pass them through configured filters representing your company's additional SOX business logic. If exception conditions are found, notification is sent to appropriate compliance personnel.
The image below shows the configuration of a watch point where price is increased by more than 20%. In this particular case, the price is a field on the order detail file and the monitoring is for unusually large credits being given.

Since the DataThread watch point configuration is soft coded based on the fields in the file being monitored, and the comparison criteria can be used in a combination of "and/or" relationships, there is no limit to the sophistication of the monitoring. You can monitor:
- Records affected by database utilities such as DBU, DFU, SQL, ODBC
- Database activity associated with programmer profiles
- Data changed by users not in a table of supervisors. This gives you greater application security than available in the existing system
- Programs other than XYZ500 used to change order detail records
- Changes made by a particular department
- Changes made by a legitimate and authorized person where the content of the change is exceptional
- Changed addresses on customer or order records
- Terms code changes
- Modified credit limits
- Vendor related changes
- Manipulated AR and AP amounts
- Changes to transaction or G/L records
- Updates to security files
To achieve this monitoring, there is zero intrusion into the programs of the ERP or financial systems. Great importance was given to efficiency, so there is minimal impact on system performance.
Additionally, if an exception condition is identified, DataThread's workflow module is utilized to capture an electronic signature for the change, including reason codes and comments.
Because of DataThread's independent audit database, and the fact that only important fields are audited, the need to keep journals on the system is eliminated. Imagine keeping years of audit data online with an acceptable impact on disk utilization. The included archiving module also allows older audit information to be moved to off-line storage, from which it can be readily restored and analyzed using the standard DataThread functionality.
Since efficient access to audit data and exception conditions is key, DataThread has extensive reporting and on-line inquiry capabilities. A web interface is also available for filtering and viewing activity - all without any programming.
