Reducing risk through data auditing: changes to company data could involve simple user errors, but for executives to confidently attest to the integrity of their data, they must ensure that the proper controls and monitoring are in place.

Author: Benanto, Ron
Position: Compliance

The Sarbanes-Oxley Act of 2004 has brought more professional and personal accountability to CFOs. It's easy to understand why: At its core, Sarbanes-Oxley is intended to protect shareholders by increasing the visibility and transparency of financial transactions. Financial misrepresentation is punishable by fines, imprisonment or both.

Data auditing enables enterprises to meet Sarbanes-Oxley and other government regulations related to data access accountability. It also mitigates the significant business risks associated with the use of corporate data assets, including fraud, failed audits, lost customers and damage to brand and reputation. Without data auditing, companies are open to substantial losses, because a data-access incident that poses a threat often goes undetected until it's too late.

Some consider data auditing part of traditional security measures meant to prevent unauthorized access to data, such as firewalls or password protection. However, auditing data activity inside the firewall is critical, too, since this is where the majority of data misuse--intentional or otherwise--occurs as a result of privileged users having direct access to data. Consequently, data auditing augments security measures that can't audit internal data access and use by these privileged users.

What if you were the CFO of a company where a database administrator (DBA) changed information in one of the company's databases, altering values that flowed into your company's public financial reporting? Perhaps the resulting financial statements showed a slightly better situation than was actually the case. Because the company did not audit data access, no one knew this change was made.

Maybe this hasn't happened to you--yet. However, situations like this have occurred. Think about this example. Unaware of the inaccurate figures, the CFO and CEO affirmed their accuracy. Whether the change was an unintended error or an attempt to manipulate stock values, once it was discovered, the company would be obligated by Sarbanes-Oxley Section 409 to immediately report the discrepancy and restate its financial report, then issue a public announcement, which could seriously harm shareholder confidence and the stock price. The board of directors would probably ask both executives to resign, and regulators could investigate.

While changes in data could be simple user errors, it doesn't matter if an error was intentional or not. For executives to...
