The Sarbanes-Oxley Act of 2002 has applied to all publicly traded companies doing business in the US since 2006. The penalties can be severe - if Uncle Sam considers a corporate officer to have deliberately submitted an inaccurate certification, the corporate fine is $5 million, with up to twenty years in prison for the individual(s). Accidental mis-certification (or non-submission) is "just" $1 million and 10 years in prison.
There are many aspects to full Sarbanes-Oxley (SOX) compliance; the legislation is over 60 pages long. As with other regulatory obligations, the goal is to regularly provide enough evidence to satisfy the auditor that the requirements have been met. As anyone running a compliance team knows, this is no small endeavour. The ability to automate the generation of such evidence, or to make it available automatically to auditors, can result in significant cost savings. This article breaks down the areas where Data Controller can contribute to satisfying the requirements of the Sarbanes-Oxley Act.
Data Controller facilitates internal controls through a four-eyes review-and-approve mechanism for data changes. This, combined with data validation and an integrated workflow feature, provides a mechanism to easily track and report on the number of internal controls (quality rules, signoffs, rejections), how frequently they are applied, which data items they relate to, and who is performing them. Such metrics can be compared and contrasted with pre-existing and current quality measures to help determine control effectiveness. Variations in the number of submit / approve cycles between reporting teams also provide objective and repeatable measurements to support the assessment of the effectiveness of internal controls.
Section 404 is widely considered the most onerous part of Sarbanes-Oxley, as the documentation and testing of all the controls requires significant time and effort. To address this, the Public Company Accounting Oversight Board (PCAOB - a US non-profit created by the Sarbanes-Oxley Act itself) released additional guidance to assist management and auditors in producing their reports. This is officially labeled "Auditing Standard No. 5 - An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements". A few points highlighted by the guidance in this standard are pertinent to users of Data Controller.
Below is an example of column-level lineage. Like table-level lineage, this can be performed forwards or backwards and exported in multiple formats. Each arrow represents a SAS transform. Where business logic is applied, this is additionally extracted and shown in red.
The ability to define additional data lineages outside of SAS (e.g. between spreadsheets or other reporting systems) is on the product roadmap, along with lineage from SAS Viya.
Coming back to the original 2002 SOX paper, there is an additional stick being waved at those who destroy records. This is, unfortunately, a common occurrence in data warehouse (DWH) landscapes - poorly designed data models often result in frequent rebuilds of monthly datamarts when issues are found. If your BI / ETL teams are routinely destroying or modifying database records as part of regular work efforts, you might wish to: a) ensure there is a well-documented ticketing system so that those individuals are protected from any accusations, or b) implement a bitemporal data model so that a full and transparent version history of the data is always kept, regardless of rebuilds. IT-secured tools such as Data Controller enable auditors to see easily for themselves who has changed a record, when, why, and who signed it off - thereby vastly reducing the potential for unintentionally impeding an investigation.
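One way to realise the bitemporal version history recommended above, as an added example that is not Data Controller's or SAS's own code: the reporting period acts as the business (valid) time, tx_from / tx_to record system time, and a correction supersedes the previous version instead of overwriting it, so an auditor can ask what was reported at any past moment and by whom. The table and sample records are constructed for illustration.

```python
import sqlite3

END = "9999-12-31"  # open-ended marker: the row is still the current version

def open_store():
    """Constructed in-memory table; a real DWH would use a persistent database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE fact (
        account TEXT, period TEXT, amount REAL,
        tx_from TEXT, tx_to TEXT,        -- system time: when recorded / superseded
        changed_by TEXT, reason TEXT, approved_by TEXT)""")
    return conn

def record(conn, account, period, amount, now, changed_by, reason, approved_by):
    """Close the current version of (account, period) and append the new one.
    No row is ever deleted or updated in place, so rebuilds cannot erase history."""
    conn.execute("UPDATE fact SET tx_to=? WHERE account=? AND period=? AND tx_to=?",
                 (now, account, period, END))
    conn.execute("INSERT INTO fact VALUES (?,?,?,?,?,?,?,?)",
                 (account, period, amount, now, END, changed_by, reason, approved_by))
    conn.commit()

def as_of(conn, account, period, tx_time):
    """What the system reported for this account/period at tx_time (ISO dates
    compare correctly as strings)."""
    row = conn.execute(
        "SELECT amount FROM fact WHERE account=? AND period=? AND tx_from<=? AND tx_to>?",
        (account, period, tx_time, tx_time)).fetchone()
    return row[0] if row else None

def audit_trail(conn, account, period):
    """Every version ever recorded: who changed it, why, and who approved it."""
    return conn.execute(
        "SELECT amount, tx_from, tx_to, changed_by, reason, approved_by FROM fact "
        "WHERE account=? AND period=? ORDER BY tx_from", (account, period)).fetchall()

def demo():
    """Initial load followed by a datamart rebuild that corrects the same period."""
    conn = open_store()
    record(conn, "ACC1", "2023-01", 100.0, "2023-02-01", "alice", "initial load", "bob")
    record(conn, "ACC1", "2023-01", 120.0, "2023-03-15", "carol", "rebuild: FX fix", "dave")
    return conn
```

After `demo()`, `as_of(conn, "ACC1", "2023-01", "2023-02-10")` returns the original 100.0 while a query dated after the rebuild returns 120.0, and `audit_trail` lists both versions with their sign-offs.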
We chose SAS as the platform on which to build Data Controller because it is very reliable, provides excellent support for data drivers (enabling our code to run inside almost any database), offers long-term customer support, and is very easy to deploy against. The demo version of Data Controller can be deployed in under 30 seconds (on a SAS 9 platform).
With SAS there are no additional servers to provision, firewalls to configure, scaling issues to address - everything works "out of the box". SAS also integrates nicely with existing enterprise authentication mechanisms such as LDAP, and the platform is typically fully secured under your existing IT policies at the backend.