Google Docs Sarbanes-Oxley (SOX) Compliance

SOX – Sarbanes-Oxley

Segment: Publicly Traded Companies
Google Apps Edition: Google Apps For Business

The Standard – Background

The Sarbanes–Oxley Act of 2002, also known as the ‘Public Company Accounting Reform and Investor Protection Act’ (in the Senate) and the ‘Corporate and Auditing Accountability, Responsibility, and Transparency Act’ (in the House), applies to all U.S. public companies (large and small), public accounting firms and firms providing auditing services.
The bill was enacted as a reaction to a number of major corporate and accounting scandals (including those affecting Enron and Tyco International). Although most of SOX does not apply to privately held companies, those considering or planning an IPO must demonstrate SOX compliance readiness. The following two sections of SOX have a compliance impact on IT:

  • Sarbanes–Oxley Section 302: Disclosure controls – requires that the company’s principal officers (typically the Chief Executive Officer and Chief Financial Officer) certify and approve the integrity of their company financial reports quarterly. Internal access controls should be developed, implemented and reviewed periodically.
  • Sarbanes–Oxley Section 404: Assessment of internal controls – requires management and external auditors to report on internal controls. Access controls should be maintained, reviewed and reported periodically.

Challenges

With the transition to the cloud and companies storing documents in Google Docs, the same internal data control requirements must be followed in a cloud file system. IT is therefore tasked with implementing technical controls and continuous access auditing to assure the reliability of data related to financial transactions in Google Docs. Effective implementation of SOX control processes requires making them repeatable: the same discovery, review and reporting steps must run on a fixed schedule and leave evidence behind. Automation reduces the resources required to maintain ongoing SOX compliance and can provide a positive return on investment.

Sarbanes-Oxley Compliance in Google Apps with CloudLock:

CloudLock for Google Apps can be used as an effective solution to facilitate SOX compliance with Google Drive. It provides a comprehensive system to meet the requirements of SOX sections 302 and 404 for information stored in Google Drive.

The following table maps each SOX requirement to the action required of IT and the CloudLock feature that supports it (columns: SOX Requirement, Action Required, CloudLock Feature).

SOX Requirement: Section 302 - Disclosure Controls
Action Required: Report on access controls and assess risk. To comply with SOX, management must have a clear understanding of who owns and who is authorized to access financial documents.
CloudLock Feature: CloudLock provides a complete access management system with reporting on user access rights for each document in the domain. This is supported by automatic discovery of all documents and users in the domain and classification of documents by access and exposure level. CloudLock supports review and approval processes to ensure that only authorized users can access sensitive financial documents. CloudLock Apps Firewall provides visibility into all third-party applications that have been granted access to the domain and the level of their access rights.

SOX Requirement: Section 302 - Disclosure Controls
Action Required: Demonstrate to external auditors that effective internal controls over financial reporting were maintained over time.
CloudLock Feature: CloudLock’s Security Policy Engine lets IT define content-, context- and sharing-based policies and run security monitoring on autopilot. The policy engine detects and alerts as soon as sharing deviates from the policies defined for the financial documents.

SOX Requirement: Section 302 - Disclosure Controls
Action Required: Audit and report on all access rights and on changes in access permissions to regulated data stored in Google Docs. SOX requires organizations to provide ongoing evidence that they are compliant.
CloudLock Feature: CloudLock provides ongoing monitoring of all documents in the domain. A daily change report for each document details changes in ownership, collaborators and permissions.

SOX Requirement: Section 404 - Assessment of Internal Controls
Action Required: Management is required to produce an “internal control report” showing that the organization is establishing and maintaining an adequate internal control structure and procedures for financial reporting.
CloudLock Feature: CloudLock’s Security Policy Engine provides ongoing scanning and alerting based on the acceptable use policies, and its output therefore serves as evidence in the third-party audit process.

SOX Requirement: Section 404 - Assessment of Internal Controls
Action Required: Implement access controls that limit user rights on a need-to-know basis. Identify users with excessive rights to protect financial data from unauthorized activities.
CloudLock Feature: CloudLock gives IT visibility into and control over all documents in the Google Apps domain without IT needing to be a collaborator on those documents. IT can secure access rights to financial documents according to company policy and can transfer document ownership in bulk without manually logging into user accounts. CloudLock Apps Firewall classifies third-party apps by risk profile and lets IT secure the domain by revoking unapproved apps and notifying the associated users.

SOX Requirement: Section 404 - Assessment of Internal Controls
Action Required: All activities should be reported for auditing and to support forensic investigation.
CloudLock Feature: A complete change report is available for every document. Alerts and email notifications are generated for permission changes and new exposures. All admin activities and changes are recorded in a tamper-proof audit trail.

SOX Requirement: Section 404 - Assessment of Internal Controls
Action Required: Enforce separation of duties and enable auditor independence.
CloudLock Feature: SOX auditors can be delegated access to CloudLock to review the access rights to all financial documents. This is done without making them domain administrators or collaborators on those documents.
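The two controls the table leans on most, a sharing policy check over finance documents and a daily change report of ownership, collaborators and permissions, can be demonstrated on a small scale. The following is an added example, not CloudLock's code: the two snapshots are constructed, their permission entries use the field names of the Drive API v3 Permission resource (type, role, emailAddress, domain, allowFileDiscovery), and the company domain, finance folder ID and approved-auditor allowlist are assumptions for illustration.

```python
"""Added example (not CloudLock's code): sharing policy check and daily change
report for Google Drive files. Snapshots are constructed; permission entries
mirror the Drive API v3 Permission resource fields. Domain, folder ID and
auditor allowlist below are assumptions for illustration."""
from dataclasses import dataclass
from typing import List

INTERNAL_DOMAIN = "example.com"                     # assumed company domain
FINANCE_FOLDER_ID = "folder-finance"                # assumed folder holding SOX-scoped files
APPROVED_EXTERNAL = {"auditor@audit-firm.example"}  # assumed external auditors, read-only


@dataclass(frozen=True)
class Finding:
    file_id: str
    name: str
    severity: str
    reason: str


def principal(perm: dict) -> str:
    """Stable key naming who a permission entry grants access to."""
    if perm["type"] == "anyone":
        return "anyone"
    if perm["type"] == "domain":
        return "domain:" + perm["domain"]
    return perm["type"] + ":" + perm["emailAddress"].lower()


def is_internal(email: str) -> bool:
    return email.lower().endswith("@" + INTERNAL_DOMAIN)


def exposure(f: dict) -> str:
    """Coarsest exposure class of a file: public > domain > external > internal."""
    perms = f["permissions"]
    if any(p["type"] == "anyone" for p in perms):
        return "public"
    if any(p["type"] == "domain" for p in perms):
        return "domain"
    if any(p["type"] in ("user", "group") and not is_internal(p["emailAddress"]) for p in perms):
        return "external"
    return "internal"


def check_policy(files: List[dict]) -> List[Finding]:
    """Flag sharing on finance-folder files that deviates from the policy above."""
    findings = []
    for f in (f for f in files if FINANCE_FOLDER_ID in f.get("parents", [])):
        for p in f["permissions"]:
            if p["type"] == "anyone":
                how = "discoverable" if p.get("allowFileDiscovery") else "anyone with the link"
                findings.append(Finding(f["id"], f["name"], "high", f"shared publicly ({how})"))
            elif p["type"] == "domain":
                findings.append(Finding(f["id"], f["name"], "medium", f"shared with whole domain {p['domain']}"))
            elif not is_internal(p["emailAddress"]):
                email = p["emailAddress"].lower()
                if email in APPROVED_EXTERNAL and p["role"] == "reader":
                    continue  # approved auditor with read-only access is allowed
                findings.append(Finding(f["id"], f["name"], "high", f"external {p['type']} {email} has role {p['role']}"))
    return findings


def change_report(old: List[dict], new: List[dict]) -> List[dict]:
    """Diff two snapshots into ownership, grant, revocation and role-change events."""
    old_by_id = {f["id"]: f for f in old}
    events = []
    for f in new:
        prev = old_by_id.get(f["id"])
        if prev is None:
            events.append({"file": f["id"], "event": "file_added"})
            continue
        o_old, o_new = prev["owners"][0]["emailAddress"], f["owners"][0]["emailAddress"]
        if o_old != o_new:
            events.append({"file": f["id"], "event": "owner_changed", "from": o_old, "to": o_new})
        before = {principal(p): p["role"] for p in prev["permissions"]}
        after = {principal(p): p["role"] for p in f["permissions"]}
        for who in sorted(after.keys() - before.keys()):
            events.append({"file": f["id"], "event": "granted", "who": who, "role": after[who]})
        for who in sorted(before.keys() - after.keys()):
            events.append({"file": f["id"], "event": "revoked", "who": who, "role": before[who]})
        for who in sorted(before.keys() & after.keys()):
            if before[who] != after[who]:
                events.append({"file": f["id"], "event": "role_changed", "who": who, "from": before[who], "to": after[who]})
    for fid in sorted(old_by_id.keys() - {f["id"] for f in new}):
        events.append({"file": fid, "event": "file_removed"})
    return events


def _perm(ptype: str, role: str, **extra) -> dict:
    return {"type": ptype, "role": role, **extra}


# Constructed snapshots: yesterday's baseline and today's state of three files.
SNAPSHOT_YESTERDAY = [
    {"id": "f1", "name": "Q3 general ledger", "parents": [FINANCE_FOLDER_ID],
     "owners": [{"emailAddress": "cfo@example.com"}],
     "permissions": [_perm("user", "owner", emailAddress="cfo@example.com"),
                     _perm("user", "reader", emailAddress="auditor@audit-firm.example")]},
    {"id": "f2", "name": "Revenue recognition memo", "parents": [FINANCE_FOLDER_ID],
     "owners": [{"emailAddress": "controller@example.com"}],
     "permissions": [_perm("user", "owner", emailAddress="controller@example.com"),
                     _perm("group", "writer", emailAddress="finance-team@example.com")]},
    {"id": "f3", "name": "Cafeteria menu", "parents": ["folder-misc"],
     "owners": [{"emailAddress": "office@example.com"}],
     "permissions": [_perm("user", "owner", emailAddress="office@example.com"),
                     _perm("anyone", "reader", allowFileDiscovery=True)]},
]
SNAPSHOT_TODAY = [
    {**SNAPSHOT_YESTERDAY[0],  # ledger now shared by link and with an outside contractor
     "permissions": SNAPSHOT_YESTERDAY[0]["permissions"] + [
         _perm("anyone", "reader", allowFileDiscovery=False),
         _perm("user", "writer", emailAddress="contractor@gmail.example")]},
    {**SNAPSHOT_YESTERDAY[1],  # memo ownership transferred to the CFO
     "owners": [{"emailAddress": "cfo@example.com"}],
     "permissions": [_perm("user", "owner", emailAddress="cfo@example.com"),
                     _perm("user", "writer", emailAddress="controller@example.com"),
                     _perm("group", "writer", emailAddress="finance-team@example.com")]},
    SNAPSHOT_YESTERDAY[2],     # out-of-scope file, unchanged
]

if __name__ == "__main__":
    for fnd in check_policy(SNAPSHOT_TODAY):
        print(f"[{fnd.severity}] {fnd.name}: {fnd.reason}")
    for ev in change_report(SNAPSHOT_YESTERDAY, SNAPSHOT_TODAY):
        print(ev)
```

The policy check only examines files under the finance folder, so the publicly shared cafeteria menu produces no finding, while the ledger produces two high-severity findings once it gains a link share and an external writer. The change report is keyed by principal rather than by permission ID, so an ownership transfer shows up both as an owner_changed event and as the role change of the former owner, which is what an auditor reviewing the daily report needs to see.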