SOX Compliance in Google Apps

SOX refers to Sarbanes-Oxley Act of 2002, which established a broad set of new corporate accounting and accountability laws, primarily in response to a series of financial debacles caused by purposely misleading accounting practices by large companies. The most famous example – which many people older than thirty years of age will remember – is the Enron scandal of 2001, in which the worlds largest energy company and the seventh largest company in the United States (Enron) was discovered to have hidden tens of billions of dollars in financial losses from investors. The revelation of this and many other fraudulent practices by corporations purposely meant to mislead the public created a far more serious crisis of confidence in the market as a whole and led to the loss of billions of dollars in retirement savings by millions of Americans.

The crucial segment of the SOX act is Section 404 titled “Management assessment of internal controls.” Although SOX is primarily aimed at protecting the integrity of accounting practices and ensuring accurate public reporting of finances in publicly traded companies, its requirements reach deeply into the area of data security and access control. Section 404 of the SOX act imposes management to take responsibility for the integrity of financial information by evaluating IT systems and processes. The implications for IT are significant, given that most financial data in the organization flows through IT environment.

To prove compliance with SOX, management is required to assess the effectiveness of internal controls over financial reports and the auditors are required to attest to that assessment. Auditors do this after a thorough review of the controls implemented by the company.

SOX was created in response to a serious breach of public trust and enormous public outrage, and the penalties for noncompliance are potentially severe. One feature of SOX that forces every company to pay strict attention to compliance is the fact that responsibility for compliance rests with the CEOs and CFOs of the company. CEOs and CFOs can no longer take the defense of not being aware of the operations/financial reporting of the company thus making them accountable for the accuracy of declared results.

Failure to submit accurate reports by a company can lead to imprisonment of its CEO and/or CFO (up to twenty years) and personal fines up to five million dollars. Failures at any level in the company, even if unintended or accidental, can become the personal liability of these key personnel of the company.

The biggest challenge companies face when selecting an IT application, more importantly, a cloud-based solution is whether the selection will affect the company’s SOX compliance.

Google Apps and Google Apps engine are subject to annual audit under ‘SSAE-16’ and ‘ISAE-3402’ providing a third party auditor attestation on the processes and controls in place for their customers. These audit reports can be submitted by Companies to their SOX auditors, to provide a comfort on the internal controls over financial reporting when using Google Apps. It becomes important for Companies to check for similar third-party auditor attestation before using any of the Apps from Google Marketplace.

The clear differentiator for Google Apps is that it is already designed to accommodate the security demands of the company and is highly flexible to fit into the overall strategy of compliance with SOX and other regulatory regimes.

One area where companies have been shamed in the media for non-compliance with SOX has been the reporting of deficiencies in its internal controls. In 2013, Chase Bank was cited for failing to report concerns over internal auditing procedures. In July of 2014, the Securities and Exchange Commission charged the CEO and former CEO of computer equipment company QSGI of misrepresenting to auditors and the public the state of the company’s internal controls over financial reporting. These were not specifically failures of data security or access control, but compliance with auditing procedures and control over record-keeping, including records of auditing procedures, can be strongly influenced by the procedures and systems in place for controlling access to records and streamlining internal review procedures. Improved and more efficient and reliable control over access and records can make monitoring of internal procedures easier to achieve, avoiding violations of SOX.

When it comes to data security and access control, there are five important areas that underlie a company’s ability to efficiently maintain a best practices stature with respect to SOX compliance. In each case, Google Apps can provide an efficient means to achieve best practices and enable ease of review and modification of procedures as needed. Here are the five areas and the ways in which Google Apps can make compliance easier.

As part of implementing measures to ensure control over access to data and the integrity of all records, a component of the SOX requirement to ensure methods for securing and auditing records and procedures, Google Apps provides the company with extensive and flexible control over users and their privileges through the Google Admin console.

Through this console, the admin can provide regular reports of access controls, access histories, the current status of access and methods used to control authentication through automatic logging functions. This allows management to easily access and review records of access control and changes made over time to these controls, as needed to ensure adequate security and review procedures for SOX compliance.

Importantly, it easily enables changes in user access as needs change and as employees come and go. One of the most important capabilities is turning off employee access upon termination and removal of accessibility from all company data and apps.

If effectively managed, with Google Apps it is easier for organizations to demonstrate that the right person has got the right level of access.

Google Apps allows the tailoring of authentication controls to match the needs of the company. Google apps allow the organization to implement strong authentication controls thereby restricting unauthorized users from gaining access to cardholder data. Google Apps allows organizations to strengthen their authentication mechanism through the implementation of multi-factor authentication. As a first step, users are required to log in using their username and password. Google Apps allows organizations to force the usage of strong passwords. As a second step, users can either use a code that will be sent to their phone via text, voice call, or Google mobile app or use a code from the security key plugged into the USB port of the computer.

Google Apps helps organizations to demonstrate the implementation of the above through the admin panel. Administrators can also demonstrate the strength of user passwords from the security admin panel.

One area of particular vulnerability in data and accounting security in general that has led to some difficulty in maintaining clear control and records of accounting and security practices is the use of third-party services, where security procedures may not be well integrated into the company’s main security scheme. Google Apps provides the ability of third parties to provide services through Google Marketplace. The security of these third-party services can be monitored and managed through the use of the Google Admin interface, which allows admins to monitor both user access and third-party accessibility from the same console. The strict requirements that Google places on third-party apps, which are based on Google APIs or Google Script, helps to ensure the unified security structure.

The ability to access all data and prevent inadvertent data loss is critical to SOX compliance, particularly as the Enron and other scandals made inappropriate deletion of company communications and records a headline in the news.

Regular Google Apps backups can be achieved with the archiving capabilities of third-party apps. These third-party apps provide significant capabilities like scheduled data backup, abilities to find specific information in the archives, secure storage of archives and restore data directly into apps along with structure and permissions. These also include historic dashboards which can demonstrate the design and operating effectiveness of the controls to the SOX auditors.

The provisions of SOX make it clear that compliance at all levels is ultimately the responsibility of the CEO, making it critically important that all aspects of data security be accessible and reported on throughout the management structure. Google Apps provides not only extensive and flexible security and access capabilities but makes access to logs and records of security procedures and data and account histories easy, as well. These logs include a clear track of version history of the documents, providing logs of the change, time of change and the user making the change.

This is critical for the ability to efficiently review internal security, implement improvements in data security procedures, and, critically, to provide clear documentation to auditors reviewing compliance with SOX. The failure to report or even to be aware of lapses in security procedures is one of the most commonly cited failures of SOX compliance and a potential source of trouble for any company, large or small. Logging features allow the company to ensure it is able to audit its own procedures and recognize problems internally. Real-time alerts can also be sent to administrators and specified users, which helps internal control. This is a critical element of SOX, as reporting on internal control measures and accurate reporting of deficiencies is a requirement.