RoseASP Microsoft Dynamics Hosting
CONSIDERATIONS FOR AUDIT-READY CLOUD ACCOUNTING
SOX Requirements in the Cloud
Contents:
1. Change Management
2. Logical Access
3. Physical Security
4. IT Operations
5. Backup and Recovery
© 2016 by RoseASP. Reproduction in whole or part without the expressed permission of RoseASP is prohibited.
If your organization is a publicly-traded company or preparing for an initial public offering, you have substantial considerations to address before deploying financial data in the cloud. When evaluating cloud ERP solutions and hosting environments, it’s important to verify that the provider delivers cloud services with the necessary security and internal controls to satisfy the Sarbanes-Oxley Act (SOX) of 2002. This will ensure the integrity of the financial system and help your organization avoid noncompliance issues.
Although some cloud providers can ensure the necessary SOC 1 Type II security where data storage is concerned, their response to SOX compliance often falls short in meeting the process management and support requirements of publicly traded companies. At RoseASP, we are dedicated to SOX compliance and can produce documentation to substantiate that the system and data are securely maintained, so stakeholders can feel confident in the integrity of the reporting.
This eBook identifies five critical components of SOX compliance that need to be addressed to ensure your ERP cloud provider delivers an audit-ready accounting solution. It also shares how RoseASP’s internal controls respond to each of these components to help streamline your audit process and reduce the risk of noncompliance.
SOX in the Cloud
1. CHANGE MANAGEMENT
All changes to a SOX-compliant data system, including adding and removing users, must be properly approved and then documented. Changes within the application, such as applying upgrades or patches or adding new modules, need to be performed in a “test” environment before moving into the live production environment. Comprehensive testing ensures the system is operating as designed when changes are made.
“Choosing a cloud provider that could satisfy SOX and FDA compliance requirements was key to our operations. We chose RoseASP because their ability to work with regulated companies gave us a comfort level other providers could not match.”
Tony Brew, Head of IT and Senior Director, Hyperion Therapeutics
Audit-Readiness Considerations
CHANGE MANAGEMENT
Is a test environment provided with sufficient time to perform tests before changes are made in production?
How are changes to the system and the software approved, documented and tracked?
What controls are in place when adding users or changing existing user passwords or access levels?
What controls are in place regarding changes within the application itself, such as upgrades and new modules?
Who can request changes and how is this controlled?
RoseASP’s Written Change Management Policies:
Audit-ready standards for creating or changing user accounts and system access levels
Upgrades or new module implementations performed in a controlled test environment
Standardized change request practices
Change management policies strictly maintained and regularly reviewed
Change control documentation available upon request
2. LOGICAL ACCESS
Protecting and maintaining logical access to the system ensures that only approved users are accessing the system and helps to protect data and reporting integrity. It is the responsibility of your hosting provider to protect your cloud system against hacking, viruses and other unauthorized access through strict user access controls, firewalls, encryption and current anti-virus protection.
Did you know that a cloud provider’s Service Level Agreement guarantees more than uptime? A cloud hosting SLA is a critical legal document with direct impact on your GRC practices.
Learn more about cloud SLAs from RoseASP »
Audit-Readiness Considerations
LOGICAL ACCESS
What controls and software tools does the cloud provider use to restrict access and prevent breaches?
How do you document that all changes for user access are authorized and processed in a timely manner?
What controls and monitoring policies are in place to maintain the integrity of user passwords, firewalls and encryption?
How are controls maintained around user level access restrictions?
Does the application offer user authentication and audit traceability?
RoseASP’s Written Logical Access Policies:
Highest levels of IT monitoring, firewall protection, 256-bit encryption, 90-day password resets and intrusion detection
Standardized user naming schemes and authentication restrictions
Regular review of firewall system logs and database administrators
Security policies exceeding industry requirements
3. PHYSICAL SECURITY
Public companies and startups that plan to go public need to produce SOC 1 Type II certification from the hosting provider to assure that financial data is stored in an audit-ready environment with adequate data security, availability, processing integrity, confidentiality and privacy.
Did you know that your existing Microsoft Dynamics ERP system can be moved to a secure and audit-ready cloud environment in 3 steps?
Learn more about ERP cloud migrations »
Audit-Readiness Considerations
PHYSICAL SECURITY
Can the hosting organization provide documentation to verify SOC 1 Type II Certification of the data center?
Is data stored and backed up in state-of-the-art data centers with multiple co-location centers?
Do physical security measures meet or exceed industry standards?
RoseASP’s Written Physical Security Policies:
All data centers are regularly audited and meet SSAE 16 SOC 1 Type II requirements
Physically separated data and intrusion-free ports on boxes
Multi-factor security infrastructure, video surveillance, alarmed access/egress points, Kevlar-impregnated drywall and bulletproof glass, on-site NOC staffing 24/7/365, biometric identification with dual-factor authentication
“Better, consistent fulfillment of compliance obligations is essential, but so are objectives such as customer service, revenue growth, and improved agility in oh-so competitive markets. (Information Governance) is not just about getting rid of junk content, it is more importantly about instilling trust in the data and communication we use to run our businesses.”
Cheryl McKinnon, Forrester Analyst
4. IT OPERATIONS
Internal control policies and procedures ensure that the provider’s IT staff is maintaining the appropriate documentation for SOX compliance and undergoing regular training to stay current with IT trends and developments. Hosting providers that are committed to SOX compliance will have their internal controls documented in policies which are accessible to customers and auditors for review. These controls should be frequently tested by the hosting provider to ensure compliance.
“New markets and product lines mean additional regulations and compliance requirements. You need a solution that provides audit trails and formal business processes that a growing business needs to manage and control risk.”
Make Technology Your Business Advantage - eBook »
Audit-Readiness Considerations
IT OPERATIONS
What controls are in place internally among staff to assure that application maintenance remains current and SOX policies are upheld?
Who has access to the system and how is access tracked, documented and reviewed?
How is accountability for customer support requests tracked among the hosting firm’s internal IT staff?
What are the hosting firm’s policies around scheduled downtime and notification?
RoseASP’s Written IT Policies:
24/7/365 customer support
Strict controls around accessing customer data
System monitoring, intrusion detection and notification
Standardized policy for tracking and responding to service requests
Ongoing training of IT team members and unmatched standards of expertise in cloud, accounting and compliance
“Compliance is a collaborative effort of all IT team members.”
RoseASP Chief Compliance Officer, Glen Medwid explains what is required of a cloud provider to support SOX compliance.
Go to SOX compliance video »
5. BACKUP AND RECOVERY
Along with SSAE 16 SOC 1 Type II certification, a SOX data center must employ redundant power and fire suppression systems to protect against disaster events. Your hosting provider should provide adequate documentation of successful backups as well as periodically providing restore data from the backup media. This allows you and your auditors to test and verify that restored data is accurate and consistent with data in the production database, and to verify that all backups are occurring according to the terms of your Service Level Agreement.
“In my case, I have banking information from all our franchisees and other data for which I could have serious liability. I trust RoseASP and Microsoft to encrypt the data and host it in a secure way. Quite frankly, that’s a main reason I’m planning to stay in a hosted environment.”
Michael Jensrud, CFO, BRIX Holdings
Audit-Readiness Considerations
BACKUP AND RECOVERY
How frequently are test restores performed?
How are backups scheduled?
What are data ownership policies?
What is included in backup procedures?
Are redundant backups performed in separate locations to protect your data against disaster events?
Is a copy of the backup retained off site from the data center?
RoseASP’s Written Backup & Recovery Policies:
Strict daily, weekly, monthly and annual backup schedule
Tailorable backup plan to fit customer needs
Regular “test” restores to validate the backup plan
Recovery policies ensuring data integrity and standardizing ownership and responsibility during force majeure events
With sufficient due diligence, leveraging a cloud-based accounting system does not mean an organization has to risk the integrity of its financial data and reporting.
If you are a CFO or CIO considering cloud-based accounting for a public company, it is important that the hosting provider is able to work closely with auditors to provide documentation on internal controls and the operational effectiveness of those controls. If any control issues or exceptions are noted during preliminary audit procedures, SOX-compliant hosting providers will remediate those exceptions quickly so controls can be retested prior to year-end.
Whether your organization is already publicly traded, preparing for an initial public offering or a start-up with an eye on the future, you can save time and avoid problems down the road by deploying an ERP cloud solution through a hosting firm that supports all compliance needs and responds quickly to requests for audit support and SOX documentation.
Takeaways
A growing company uses the cloud to support SOX compliance.
Read a SOX Cloud Story »
Everything you need to know about SLAs for cloud based accounting software.
Learn What’s in an SLA? »
How much does a SOX audit-ready cloud solution cost? Get a Quote
SOX Compliant Microsoft Dynamics Cloud
RoseASP works closely with clients to provide a comprehensive service level agreement that meets the needs of your business and provides assurance that compliance, performance and system availability requirements will be met.
About RoseASP
RoseASP has a proven record of helping customers streamline auditing and reporting procedures to reduce the cost and risks associated with SOX. We offer highly secure, audit-ready environments and services for Microsoft Dynamics AX, GP, NAV, SL and CRM.
With 24/7/365 support for any connectivity, backup, restore, password reset or other application readiness issues, RoseASP is committed to personalized service and responds quickly to any documentation requests. We work closely with customers and Dynamics Partners to ensure that Dynamics ERP customers get the application support they need with internal controls and backstops to support requirements for SOX, HIPAA and FDA compliance.
858-794-9403