SOX Reporting

The Sarbanes-Oxley (SOX) Act of 2002 introduced major regulatory requirements for corporations regarding their governance and financial practices. Corporations are now required to regularly scrutinize the risks that arise from users' access to company systems and roles, and to remediate those access risks by putting mitigating controls in place.

Compliance with SOX requirements involves scheduling periodic reviews of users’ tasks, access, risk violations, role assignments, and controls.

Compliant User Provisioning (CUP) provides the following automated features to support your company in complying with SOX regulations:

  • User Segregation of Duty (SoD) Review

  • User Access Review (UAR)

Coordinators and reviewers administer the SoD and User Access reviews. Coordinators monitor the process to ensure that reviewers complete their reviews. You define the workflow process in CUP configuration.

The system generates requests for reviewers that contain the user details to be reviewed:

  • The system uses data from Risk Analysis and Remediation to generate the SoD review requests.

  • The system uses data from the Enterprise Role Management capability to generate the User Access Review requests.

Approvers are required to mitigate risks before approving requests. A request can move to the next stage of review only when every access issue on it has been resolved, by one of two methods:

  • The access that causes the SoD conflict is removed from the user's responsibilities.

  • A mitigating control is assigned to the risk.

For the User Access Review, every user/role combination must be either approved or removed. Reviewers can save their work lists for later completion if they are unable to finish the review in one sitting.

Reviewers may add comments on the Comments tab of each request. These comments become part of the request comments and are stamped with the date and time. Line items that are flagged for removal can be routed via a detour to a different review stage, such as IT security.

In SoD Reviews, an additional review stage is required because someone, typically IT security, must determine which security roles have to be removed to resolve the SoD conflict.

In User Access Reviews, the roles to be removed are listed on the request, and the system can remove them automatically if it is configured for auto-provisioning. If you do not use CUP, or if you require a second approval for removals, you may want to establish a detour stage for these role removals.

Each request can contain multiple user records; the number of records per request is set in User Review configuration.

Reviewers can forward requests to other reviewers by choosing Forward and selecting one or more users from the list of users included on the request. The system then creates a subrequest for the selected users and forwards it to the chosen reviewer. The original request remains open until both it and all forwarded subrequests are completed. The system logs a complete audit trail of all actions performed during User Reviews.
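The closure rules described above (a request advances only when every line item is resolved by removal or by a mitigating control, UAR items must each be approved or removed, removals are collected for a detour stage, and a forwarded subrequest keeps the parent open until both are complete) can be written down as a small model. The following is an added example written for this page; it is not SAP documentation code and not CUP itself. The class names, the user, risk, role and control identifiers, and the sample request data are assumptions constructed for illustration.

```python
# Added illustrative model of CUP review-request closure rules (not SAP code).
# All identifiers and sample data below are constructed for the example.
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class ReviewType(Enum):
    SOD = "SoD Review"
    UAR = "User Access Review"


class Decision(Enum):
    PENDING = "pending"      # reviewer has not decided yet; blocks the request
    APPROVED = "approved"    # UAR only: the user keeps the role
    REMOVE = "remove"        # access flagged for removal; routed to a detour stage
    MITIGATED = "mitigated"  # SoD only: a mitigating control is assigned to the risk


@dataclass
class LineItem:
    user: str
    subject: str             # UAR: role under review; SoD: risk ID from Risk Analysis and Remediation
    decision: Decision = Decision.PENDING
    control_id: Optional[str] = None


@dataclass
class Request:
    review: ReviewType
    items: list[LineItem]
    reviewer: str
    subrequests: list[Request] = field(default_factory=list)
    audit: list[tuple[str, str]] = field(default_factory=list)  # (UTC timestamp, action)

    def log(self, action: str) -> None:
        self.audit.append((datetime.now(timezone.utc).isoformat(), action))


def remove_access(req: Request, item: LineItem) -> None:
    item.decision = Decision.REMOVE
    req.log(f"{req.reviewer} flagged {item.subject} for removal from {item.user}")


def assign_control(req: Request, item: LineItem, control_id: str) -> None:
    if req.review is not ReviewType.SOD:
        raise ValueError("mitigating controls apply to SoD review items only")
    item.decision, item.control_id = Decision.MITIGATED, control_id
    req.log(f"{req.reviewer} assigned control {control_id} to risk {item.subject} for {item.user}")


def approve(req: Request, item: LineItem) -> None:
    if req.review is not ReviewType.UAR:
        raise ValueError("an SoD conflict cannot be approved as-is: remove access or assign a control")
    item.decision = Decision.APPROVED
    req.log(f"{req.reviewer} approved {item.subject} for {item.user}")


def forward(req: Request, users: set[str], to_reviewer: str) -> Request:
    """Move the selected users' line items into a subrequest for another reviewer.
    The parent request stays open until it and every subrequest are complete."""
    moved = [i for i in req.items if i.user in users]
    req.items = [i for i in req.items if i.user not in users]
    sub = Request(req.review, moved, to_reviewer)
    req.subrequests.append(sub)
    req.log(f"{req.reviewer} forwarded {sorted(users)} to {to_reviewer}")
    return sub


def unresolved(req: Request) -> list[LineItem]:
    """Line items that still block the request, at this level and in all subrequests."""
    pending = [i for i in req.items if i.decision is Decision.PENDING]
    for sub in req.subrequests:
        pending.extend(unresolved(sub))
    return pending


def can_advance(req: Request) -> bool:
    return not unresolved(req)


def detour_items(req: Request) -> list[LineItem]:
    """Items flagged for removal, to be routed to a detour stage such as IT security."""
    flagged = [i for i in req.items if i.decision is Decision.REMOVE]
    for sub in req.subrequests:
        flagged.extend(detour_items(sub))
    return flagged


def demo() -> dict:
    # Constructed sample: one SoD request, two users, hypothetical risk and control IDs.
    req = Request(ReviewType.SOD, [
        LineItem("jdoe", "P001"),
        LineItem("jdoe", "P003"),
        LineItem("asmith", "H002"),
    ], reviewer="manager1")
    sub = forward(req, {"asmith"}, "manager2")    # asmith's item now sits in a subrequest
    assign_control(req, req.items[0], "MC-017")   # P001 mitigated, access retained
    remove_access(req, req.items[1])              # P003 resolved by removing access
    advance_before = can_advance(req)             # False: subrequest still pending
    remove_access(sub, sub.items[0])
    return {"advance_before": advance_before, "advance_after": can_advance(req),
            "detour_count": len(detour_items(req)),
            "audit_entries": len(req.audit) + len(sub.audit)}
```

`demo()` walks one request through the rules: the parent request cannot advance while the forwarded subrequest still holds a pending item, the two items flagged for removal are what a detour stage would receive, and every action leaves a timestamped audit entry.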