Satisfy your Sarbanes-Oxley Auditors

……… if only there was a tool that, without programming, would notify appropriate personnel with only the exceptional database transactions that violate Sarbanes-Oxley controls; and if it could capture electronic signatures and reason codes for the change.

Remember the old adage “like finding a needle in a haystack?” That is how many companies are today treating the database monitoring component of SOX compliance. It is quite common to schedule massive batch audit reports to print overnight. Supposedly some poor soul will review all the transactions and sign off on the veracity and appropriateness of each. Alternatively access is so locked down that supporting the system becomes a nightmare. Appropriate data correction or master file maintenance is delayed. Several people are required to perform the same task in order to maintain the segregation of duty requirements.

Several companies are now using DataThread as a totally automated solution for monitoring database changes and enforcing SOX compliance. Simply stated:

DataThread will watch all database changes over monitored files and pass them through configured filters representing your company’s additional SOX business logic. If exception conditions are found, notification is sent to appropriate compliance personnel.

The image below shows configuration of a watch point where price is increased by greater than 20%. In this particular case, the price is a field on the order detail file and the monitoring is for unusually large credits being given.

Since the DataThread watch point configuration is completely soft coded based on the fields in the file being monitored; and as the comparison criteria can be used in a combination of “and/or” relationships, there is no limit to the sophistication of the monitoring. Below are some examples:

• Records affected by database utilities such as DBU, DFU, SQL, ODBC
• Database activity associated with programmer profiles
• Data changed by users not in a table of supervisors. In effect greater
• application security than available in the existing system
• Program other than XYZ500 used to change order detail records
• Changes made by a particular department
• Changes made by a legitimate and authorized person where the content of the change is exceptional
• Changed addresses on customer, or order records.
• Terms code changes.
• Modified credit limits.
• Vendor related changes.
• Manipulated AR and AP amounts.
• Changes to transaction, or G/L records
• Updates to security files
  

To achieve this monitoring, there is absolutely no intrusion into the programs of the ERP or financial systems and since great importance was given to efficiency there is minimal impact to system performance.

Additionally, if an exception condition is identified, DataThread’s workflow module is utilized to capture an electronic signature for the change, including reason codes and comments.

Because of DataThread’s independent audit database, and the fact that only important fields are audited, the need to keep journals on the system is eliminated. Imagine keeping years of audit data online with an acceptable impact to disk utilization. The included archiving module also allows for placing older audit information to off-line storage which can be readily restored and analyzed using the standard DataThread functionality.

Since efficient access to audit data and exception conditions is key, DataThread has extensive reporting and on-line inquiry capabilities. A web interface is also available for filtering and viewing activity – all without any programming.

Full Size Report

Only

Sarbanes-Oxley, Gramm-Leach-Bliley, 21 CFR Part 11, Internal Audit & WorkFlow

Home | About Us | Products | Services | Compliance | Support | Press | Contact Us