JOnline: Identity and Access Management—Its Role in Sarbanes-Oxley Compliance 


An identity and access management (IAM) process plays a critical role in any security effort. As today’s business climate demands greater efficiency, security and regulatory compliance, the need for an effective IAM process has never been more pressing. IAM aids organizations in automating IT tasks, reducing the cost and effort of providing services, and increasing productivity. Additionally, security is increased by placing controls that ensure individuals can access only the resources to which they are entitled, so that assets are not compromised or tampered with. Remember that there are significant threats from inside, as well as outside, the organization.

The US Sarbanes-Oxley Act of 2002 is a federal law that sets new or enhanced standards for all US public company boards and management and for all international companies that have registered equity or debt securities with the US Securities and Exchange Commission and accounting firms (both US and international) that provide auditing services to them. The need to comply with the Sarbanes-Oxley Act has exposed many weaknesses in information systems processes over the last few years and has highlighted the need for improvement in the implementation of and adherence to controls.

This article discusses the benefit of implementing an IAM process based on Sarbanes-Oxley, maps Sarbanes-Oxley section 404 “Management Assessment of Internal Controls” to the COBIT framework, provides common pain areas found in adhering to the controls and describes the process to be followed to remediate these pain areas. The article aims at simplifying the IAM process and uncovering how it plays a role in Sarbanes-Oxley 404 compliance.

What Is Sarbanes-Oxley 404?

Sarbanes-Oxley 404 defines the management assessment of the internal business controls and states that each report must include an “internal control report” that certifies management’s responsibility for creating and maintaining internal controls and processes for financial reporting.1 In addition, management must assess the effectiveness of the internal control structure and procedures on an annual basis.

Sarbanes-Oxley does not list specific controls or provide insight into how internal controls are to be followed for IT security. There is no specific information in section 404 regarding what needs to be done to comply with the Sarbanes-Oxley Act. Hence, information security professionals take guidance from standards and frameworks such as the IT Infrastructure Library (ITIL), COBIT, Six Sigma and ISO/IEC 27001:2005 Information technology—Security techniques—Information security management systems—Requirements. COBIT, for example, provides entity- and activity-level objectives along with associated controls and, hence, is widely used by organizations for Sarbanes-Oxley compliance.

How COBIT Fits

Sarbanes-Oxley 404 mandates that all publicly traded companies must establish internal controls and procedures for financial reporting and must document, test and maintain those controls and procedures to ensure their effectiveness. The purpose of Sarbanes-Oxley is to reduce the possibilities of corporate fraud by increasing the stringency of procedures and requirements for financial reporting. To ensure this, an IT control framework should be in place. Therefore, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed “Guidance on Monitoring Internal Control Systems” from its Internal Control—Integrated Framework.2 This guidance is a de facto standard for Sarbanes-Oxley; however, “Guidance on Monitoring Internal Control Systems” addresses IT controls at a high level and is more in line with a financial control and reporting framework.

The COBIT framework was built out of a need to address IT governance and control requirements; the framework is used by enterprises worldwide for Sarbanes-Oxley compliance. COBIT sets the IT control objectives/goals that should be achieved to ensure that business objectives are met. COBIT touches on all aspects of IT, including security. To achieve COBIT security control objectives, security controls need to be set in the framework. These security controls can be taken from security standards such as ISO/IEC 27001:2005.3

IAM and Its Role in Sarbanes-Oxley 404

IAM can play a significant part in IT’s larger role in Sarbanes-Oxley compliance. Proper monitoring helps reduce the risk of unauthorized and inappropriate access to systems. Protection must be provided to safeguard against internal and external threats. Access to applications and other functions must be restricted to authorized users only—users who must have this access to perform their jobs.

When it comes to system security and the control of access to systems and applications, the Sarbanes-Oxley Act does not describe what controls need to be followed. It does not articulate what “adequate internal controls” means or how the controls should be implemented in an organization.

COBIT controls for IAM that are significant to financial reporting have been used to develop the Sarbanes-Oxley control objectives listed in figure 1. Each control objective was challenged to ensure its relevance and importance to the financial reporting requirements of the Sarbanes-Oxley Act. This process resulted in some COBIT control objectives being excluded or combined into a single objective for applicability to financial reporting purposes.4

Figure 1

Figure 1 presents the control objectives for IAM based on the COBIT framework.

IAM—Stages, Major Gaps Identified and Corresponding Recommendations

There are three basic stages for an identity to pass through to become part of the IAM system of an organization (figure 2):

  1. Provision
  2. Administration
  3. Enforcement

Figure 2

Figure 3 identifies the major gaps and corresponding best practices/recommendations. These have been segregated based on the key stages of IAM in an organization.

Figure 3


Effective implementation of IAM controls that are specific to Sarbanes-Oxley 404 will lead to compliance with this portion of the Act and, similarly, address other regulations. COBIT is used as a governance framework for implementing Sarbanes-Oxley 404. Using the COBIT framework, management is assured that the IAM capability exists in the organization and that it addresses the control requirements of Sarbanes-Oxley. As a control framework, COBIT is a method to ensure that the identity, as it moves through the various stages of IAM, has controls implemented for all the stages. A sound implementation of IAM that addresses the items identified in figure 3 will help provide favorable compliance results for organizations. Being aware of probable gaps and recommendations will help organizations obtain a better security posture. A more effective IAM system will result in clarity in individual roles, owners and custodians and in granting access, which creates opportunities for efficiencies in user administration, auditing and reporting activities.


1 Sarbanes, Paul; Michael G. Oxley; US Sarbanes-Oxley Act, Public Company Accounting Reform and Corporate Responsibility, USA, 2002,
2 See
3 IT Governance Institute, IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control Over Financial Reporting, 2nd Edition, USA, 2006
4 Ibid.

Harmeet Kaur, CEH, has more than four years of IT consulting experience in the areas of IT service management, process assessment and information security assessments based on industry best practices, standards and frameworks such as ISO 27001:2005, ITIL, COBIT, and the US Sarbanes-Oxley Act. Kaur is certified in COBIT 4.1 and ITIL V3.


The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2011 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.