Checklist: SOX Compliance and Cloud Financials
Sarbanes-Oxley (SOX) compliance for financial software such as cloud-based Enterprise Resource Planning (ERP) requires documented processes, change and access controls, and high levels of service and system availability. Use this checklist to understand the SOX requirements that apply to cloud accounting when reviewing your current financial systems or evaluating new providers of cloud-based financial software.
SOX Cloud ERP Compliance Checklist
www.RoseASP.com
858-794-9403
ABOUT ROSEASP:
RoseASP’s customers look to RoseASP as their trusted data custodian. Our array of controls and written policies allows RoseASP to provide secure hosted Microsoft Dynamics AX, GP, NAV and SL solutions for SOX ERP compliance. Our commitment to service allows regulated customers to go cloud with confidence.
Change Control Checklist
“As changes occur... we evaluate the impact of those changes on internal controls, and revise or add new written policies as needed.”
Glen Medwid, Chief Compliance Officer, RoseASP »
ERP Change Requirements:
Written policies regarding how changes to the system and the software are approved, documented and tracked
Controls in place for adding system users or changing existing user passwords and access levels
Controls in place regarding changes within the application itself, such as upgrades and new modules
Control policies establishing a process for change requests and tracking who is authorized to make change requests
Why Cloud ERP for SOX?
65%-70% of SOX compliant businesses are spending an increased amount of time on SOX compliance processes. Cloud ERP from the right provider can streamline your SOX accounting and reporting practices.
ERP Change Management for SOX Compliance
60% of businesses are moving to more modern technology to free up IT resources and work more on strategic tasks.
4 Characteristics of ModernBiz »
Logical Access Control Checklist
Strict controls and advanced hardware & software tools used to restrict access and prevent breaches
Policies and procedures in place to ensure any user access changes are authorized and processed in a timely manner
Controls to ensure system security regarding user passwords, firewalls and encryption
Policies establishing controls for the maintenance of user level access restrictions
Physical Security Control Checklist
Multi-layered physical security at data center sites, including video surveillance, alarmed access and egress points, Kevlar-impregnated drywall, bulletproof glass and NOC security personnel on-site 24/7/365
Data centers which regularly undergo independent audits to verify security is working effectively
Documentation available in a timely manner to verify a recent SOC 1 Type II report for the data center (a SOC 1 report is an auditor's attestation on controls relevant to financial reporting, not a certification)
Data physically separated on servers with secured ports
IT Operations Control Checklist
24/7/365 Customer service for application availability & cloud support
Strict controls around accessing customer data, audit traceability and documentation
System monitoring, intrusion detection and customer notification of security events
Standardized policy for tracking and responding to service requests
Controls in place to ensure systems are maintained in accordance with SOX policies
Backup & Recovery Control Checklist
Strict daily, weekly, monthly and annual backup schedule
Tailored backup and recovery plan to fit your company’s needs and schedule
Regular “test” restores to validate backup plan
Recovery policies ensuring data integrity during Force Majeure events
Redundant power and fire suppression systems at data centers to protect against disaster events
Redundant backup sites with a copy of the backup retained offsite from the data center
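The "test restore" item above is the one auditors most often ask to see evidence for. The following is an added example written for this page, not RoseASP's tooling or any Dynamics procedure: a small SQLite file stands in for the ledger database (the journal rows are constructed sample data), an online backup is taken together with a manifest of content digests, the backup is then restored into a fresh file, and the result is recorded as an evidence record stating whether the restored data is intact and matches the manifest. A second run alters the backup file after the manifest was written to show the check failing. The file names, table layout and evidence fields are all assumptions.

```python
"""Added example: a scripted restore test that produces audit evidence.
A SQLite file stands in for the ledger; the journal rows are constructed sample data."""
import hashlib
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

# Constructed sample data: (id, posting date, account, account name, debit, credit)
SAMPLE_JOURNAL = [
    (1, "2016-03-01", "1000", "Cash", 2500.00, 0.00),
    (2, "2016-03-01", "4000", "Revenue", 0.00, 2500.00),
    (3, "2016-03-02", "6100", "Rent expense", 1200.00, 0.00),
    (4, "2016-03-02", "1000", "Cash", 0.00, 1200.00),
]


def create_live_db(path):
    """Create the stand-in 'live' ledger and load the sample journal."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE journal (id INTEGER PRIMARY KEY, posted TEXT, "
                "account TEXT, name TEXT, debit REAL, credit REAL)")
    con.executemany("INSERT INTO journal VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_JOURNAL)
    con.commit()
    con.close()


def sha256_file(path):
    """Digest of the backup media, recorded at backup time and rechecked at restore time."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def list_tables(con):
    return [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]


def table_digest(con, table):
    """Content digest of one table, rows in rowid order so the value is reproducible."""
    h = hashlib.sha256()
    for row in con.execute(f'SELECT * FROM "{table}" ORDER BY rowid'):
        h.update(repr(row).encode())
    return h.hexdigest()


def take_backup(live_path, backup_path):
    """Online backup through sqlite3's backup API (a consistent snapshot, not a raw
    file copy), plus a manifest of digests computed from that same snapshot."""
    src = sqlite3.connect(live_path)
    dst = sqlite3.connect(backup_path)
    with dst:
        src.backup(dst)
    manifest = {
        "taken_at": datetime.now(timezone.utc).isoformat(),
        "tables": {t: table_digest(dst, t) for t in list_tables(dst)},
    }
    src.close()
    dst.close()
    manifest["backup_sha256"] = sha256_file(backup_path)
    return manifest


def restore_and_verify(backup_path, restore_path, manifest):
    """Restore the backup into a fresh file and compare it with the manifest.
    Returns an evidence record an auditor can read; 'passed' is the overall verdict."""
    evidence = {
        "tested_at": datetime.now(timezone.utc).isoformat(),
        "backup_sha256": sha256_file(backup_path),
        "integrity_check": None,
        "tables": {},
        "passed": False,
    }
    # Has the backup media changed since the manifest was written?
    evidence["media_unchanged"] = evidence["backup_sha256"] == manifest["backup_sha256"]
    try:
        src = sqlite3.connect(backup_path)
        dst = sqlite3.connect(restore_path)
        with dst:
            src.backup(dst)  # the actual restore: proves the media is readable and usable
        src.close()
        evidence["integrity_check"] = dst.execute("PRAGMA integrity_check").fetchone()[0]
        ok = evidence["integrity_check"] == "ok"
        for table, expected in manifest["tables"].items():
            actual = table_digest(dst, table)
            evidence["tables"][table] = {"expected": expected, "restored": actual,
                                         "match": actual == expected}
            ok = ok and actual == expected
        dst.close()
        evidence["passed"] = ok and evidence["media_unchanged"]
    except sqlite3.DatabaseError as exc:
        evidence["error"] = str(exc)  # unreadable media or missing table: the test fails
    return evidence


def run_demo():
    """A good restore, then a restore from a backup altered after the manifest was taken."""
    with tempfile.TemporaryDirectory() as d:
        live, backup = os.path.join(d, "ledger.db"), os.path.join(d, "ledger.bak")
        create_live_db(live)
        manifest = take_backup(live, backup)
        good = restore_and_verify(backup, os.path.join(d, "restore1.db"), manifest)
        # Simulate altered backup media: one debit changed inside the backup file.
        con = sqlite3.connect(backup)
        con.execute("UPDATE journal SET debit = 9999.00 WHERE id = 1")
        con.commit()
        con.close()
        bad = restore_and_verify(backup, os.path.join(d, "restore2.db"), manifest)
        return good, bad


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

The manifest is what makes the comparison meaningful: a restore is checked against the digests taken from the same snapshot, not against the live system, which will legitimately have moved on by the time the restore is run. Keeping the manifest and each evidence record with the change ticket gives the "documentation of successful backups" and "periodic restore data" an auditor will ask for.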
ERP Access Requirements:
“It is important that a cloud services provider offers the highest levels of IT monitoring, firewall protection and encryption, but they must also follow strict policies around password naming schemes and password resets to ensure the authenticity of data.”
ERP Logical Access for SOX Compliance
ERP Security Requirements:
“Cloud based accounting requires a full-service cloud hosting partner. While many cloud providers can offer server environments with SSAE 16 Type 2 compliance, few cloud providers offer ongoing support for application availability, upgrades and compliance.”
ERP Physical Security for SOX Compliance
Additional Benefits of SOX Compliance:
SOX guidelines are a set of accounting best practices. 78% of businesses that adhere to SOX guidelines experience improvement of all business processes that impact financial reporting.
ERP Cloud IT Operations for SOX Compliance
ERP Cloud Requirements:
ERP Backup Requirements:
“The hoster should provide adequate documentation of successful backups along with periodic restore data from the backup media to allow you and your auditors to test and verify it. This allows your business to check that restore data is accurate and consistent with live data.”
ERP Backup & Recovery for SOX Compliance
Public companies need to obtain a SOC 1 Type II report from the hosting provider covering the controls relevant to financial reporting. The security, availability, processing integrity, confidentiality and privacy criteria are the subject of a separate SOC 2 report, which is worth requesting as well.
SOX Cloud Requirements eBook »
58% of large companies say they spend more than $1 million on SOX compliance annually.
Protiviti 2016 SOX Compliance Survey »
“Governance is about protecting the organization without disrupting business... A great hosting provider will work to build a cloud solution that helps align information security processes with business requirements.”
Linda Rose, CEO-Founder, RoseASP »
Is the cloud meeting your requirements for SOX financials?
© 2016 by RoseASP, Inc.