In 2004, when Safety Components International Inc. began complying with Sarbanes-Oxley, controller Bill Nelli realized that the company needed a better way to manage the identities SCI’s 20 employees — specifically, their access rights to the corporation’s finance systems.
To keep tabs on which workers had access to the general ledger, purchase-order receipts, and other finance areas, Nelli recalls, they’d relied on a 95-page report on system-access rights. Early on in the compliance process, however, “the auditors said this is an area that needs to be addressed,” he says.
Eventually, the information-technology group of SCI — a Greenville, South Carolina-based manufacturer of auto air bags, military tents, and specialty fabrics — made the report much more reader-friendly. One improvement organized the report by groups rather than by individuals, which made it easier to discover employees with conflicting duties. “It was driven by a need to simplify the process, understand user-access rights, and understand segregation of duties to comply with Sarbanes-Oxley,” says Nelli.
Proper segregation of duties, of course, is designed to ensure that employees don’t have conflicting responsibilities. If conflicts emerge, that could indicate that a company isn’t in compliance with Sarbanes-Oxley Section 404, which governs internal controls over financial reporting.
Divvying up the work appropriately, however, is especially challenging at smaller companies, according to Nelli, because members of the finance team often back up each other, and some staffers work in both the general ledger and accounts payable. “On the face of it,” he says, “it may be a conflict in terms of segregation of duties; but in small organizations, that is just how life is.”
To guarantee that current and former workers don’t have access to parts of the company that they shouldn’t, an employer must update access rights regularly, experts say. One example that’s commonly overlooked: E-mail addresses that often continue to function after employees have left the company, granting at least some degree of continued access.
Another technique of “corporate identity management,” as the discipline is often referred to, is establishing compensating controls in case the front-line controls fail. In terms of accounts payable, suggests Nelli, a front-line control could match the purchase order with the receiver and the invoice. A compensating control might be a review of checks by someone outside that department — like a controller.
Climbing the Stacks
In years past, identifying users and their system access was mainly a means to help prevent hackers and wayward employees from obtaining proprietary information. Five or six years ago, say vendors, the prospect of reducing technology costs inspired companies to buy tools to automate that ability.
Today, different prospects are prompting companies to automate control over access to their critical files and systems, notes Sara Gates, vice president for identity management at Sun Microsystems. “With events such as September 11, 2001, Enron, and Sarbanes-Oxley, there is an increased focus on security and, ultimately, compliance,” observes Gates.
“The first time one Fortune 100 customer underwent a Sarbanes-Oxley audit, it took them 50 man-months to do the analysis across their 40 business-critical applications, such as billing, general ledger, and critical information-technology systems that impact financial reporting,” says Gates. (She declined to identify that client.)
Evaluating segregation-of duty compliance used to be hard to enforce and measure, says Renee Bacherman, chief executive officer of Fischer International, a technology company based in Naples, Florida. Two decades ago, she recalls, during her time as controller for another company, audit time might find employees hunting for copies of checks or even climbing atop filing cabinets.
Recently, in response to Sarbanes-Oxley deadlines, many companies have worked on better documentation of their internal controls, which often were reported only on paper, observes Glenn Choquette, director of product management at Fischer. Now businesses are looking to sustain compliance while reducing time and cost. About 17 percent of public U.S. companies have bought software to automate identity management, he estimates.
Managing access rights properly can also help preserve a company’s good name. In the past few years, published reports have branded numerous companies that failed to safeguard personal data of their customers or alumni. One prominent example is Choicepoint, which provides consumer-data services to businesses and government agencies. Last year, the Atlanta-based was reportedly duped by scammers posing as legitimate businesspeople into selling the identifying information of 145,000 Americans.
Many agree that maintaining control over user identification and access — whether by sorting through piles of paper or lists of names on a computer screen — is crucial. In the Sarbox environment, says Choquette, “companies need to prove to auditors that only the right people have the right access.”