Managing SOX in the Age of SOA
Rethinking internal controls
By: Hugh Taylor
Jul. 28, 2006 09:45 AM
A New Level of Openness
Many standard internal controls in place today involve the authorization and authentication of specific individuals and their right to access financial applications and modify the data in those applications. In the age of SOA, the focus has to change to accommodate the reality that many of the new "users" of financial applications are in fact other applications that can't be authenticated or authorized using a traditional identity store or access management system.
In the example shown in Figure 2, the shift to SOA has changed the nature of the customer's interactions with the company. Before, specific individuals could log onto the customer portal and transact business with the company. Internal controls related to revenue recognition, as depicted in Table 1, were based on a process of authenticating and authorizing those individual users against an identity store that was under the company's control. In the new SOA, the "users" of the customer hub are actually the customers' ERP systems. There are people using those ERP systems, of course, but there has to be a way for the company to authenticate and authorize those users before granting access to financial applications that have been exposed as Web Services. If there is no such authentication or authorization going on, then the open access to financial systems by unknown persons working through an ERP system at another company would probably result in an internal control deficiency.
Segregation of Roles
For example, in Figure 2 a sales rep shouldn't be able to access the general ledger and create a sale that would give him a bonus or access the warehouse system and move inventory around. The potential results of such role-based control lapses are error and fraud. If the sales rep can access those systems using a Web Service-consuming application on the SOA that doesn't authorize him directly, then there can be trouble. In the transition to SOA, those responsible for internal controls involving financial systems need to evaluate whether or not they are addressing the potential for deficient control over authorization and role segregation.
No Perimeter Emphasizes Application Controls
The good news is that SOA represents an incremental shift in the IT aspects of internal controls and Sarbanes-Oxley compliance. SOA is not a categorical revolution in technology that shatters previously understood notions of internal controls.
However, one thing should be clear: A poorly governed SOA could easily result in deficient internal controls and problems with Sarbanes-Oxley compliance.
Reader Feedback: Page 1 of 1
SOA World Latest Stories
Subscribe to the World's Most Powerful Newsletters
Subscribe to Our Rss Feeds & Get Your SYS-CON News Live!
SYS-CON Featured Whitepapers
Most Read This Week