Comments
yourfanat wrote: I am using another tool for Oracle developers - dbForge Studio for Oracle. This IDE has lots of useful features, among them: oracle designer, code completion and formatter, query builder, debugger, profiler, export/import, reports and many others. The latest version supports Oracle 12C. More information here.
Managing SOX in the Age of SOA
Rethinking internal controls

A New Level of Openness
Because an SOA is built on open standards, it can expose critical data and application functionality to a vast new array of users. Any effective set of internal controls over financial reporting that relate to applications in an SOA must take this new level of openness into account. In the example shown in Figure 2, the internal controls must consider the risks inherent in exposing the data in the warehouse system, general ledger, and customer hub to unauthorized access. For example, a SOX auditor may want to test the controls over the integrity of inventory documents that support the inventory asset figures in the company's balance sheet. To certify that the control is effective, the auditor will probably want to see documented evidence that access to the software that generates these inventory reports is restricted to authorized personnel. The open nature of SOA creates the added challenge of establishing and testing this kind of internal control.

Machine-to-Machine Security
The fact that Web Services, the fundamental building blocks of most SOAs, are based on machine-to-machine interactions creates another internal control hurdle for IT professionals involved in SOX compliance. While not a revolutionary shift, the machine-to-machine nature of SOA changes the nature of many existing internal controls that assume that the user of a given application is a person.

Many standard internal controls in place today involve the authorization and authentication of specific individuals and their right to access financial applications and modify the data in those applications. In the age of SOA, the focus has to change to accommodate the reality that many of the new "users" of financial applications are in fact other applications that can't be authenticated or authorized using a traditional identity store or access management system.

In the example shown in Figure 2, the shift to SOA has changed the nature of the customer's interactions with the company. Before, specific individuals could log onto the customer portal and transact business with the company. Internal controls related to revenue recognition, as depicted in Table 1, were based on a process of authenticating and authorizing those individual users against an identity store that was under the company's control. In the new SOA, the "users" of the customer hub are actually the customers' ERP systems. There are people using those ERP systems, of course, but there has to be a way for the company to authenticate and authorize those users before granting access to financial applications that have been exposed as Web Services. If there is no such authentication or authorization going on, then the open access to financial systems by unknown persons working through an ERP system at another company would probably result in an internal control deficiency.

Segregation of Roles
Segregation of roles is a core technique of internal controls over financial reporting. Continuing with the machine-to-machine authorization issue described in the previous section, note that it may be impossible to establish clear role segregation in an SOA. Why? If the "user" of a Web Service-exposed financial application is actually another application, but the internal controls use role-based authorization for a human user, then the control will be deficient.

For example, in Figure 2 a sales rep shouldn't be able to access the general ledger and create a sale that would give him a bonus, or access the warehouse system and move inventory around. The potential results of such role-based control lapses are error and fraud. If the sales rep can reach those systems through a Web Service-consuming application on the SOA that doesn't authorize him directly, the role-based control no longer constrains him. In the transition to SOA, those responsible for internal controls involving financial systems need to evaluate whether or not they are addressing the potential for deficient control over authorization and role segregation.
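The calling-application and end-user checks described in the two sections above, with a segregation-of-duties test and the audit record an auditor would ask for, as an added example that is not taken from the article. The system names follow Figure 2; the policy tables, the application registry and the assumption that the calling application's identity is bound to a client certificate or signed token are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed policy modelled on the article's Figure 2 systems
# (customer hub, general ledger, warehouse): which operations each role may call.
ROLE_PERMISSIONS = {
    "sales_rep": {"customer_hub.read_customer", "customer_hub.create_order"},
    "accountant": {"general_ledger.post_entry", "general_ledger.read_entry"},
    "warehouse_clerk": {"warehouse.move_inventory", "warehouse.read_stock"},
}
# Operation pairs no single actor may hold (segregation of duties).
CONFLICTING = {frozenset({"customer_hub.create_order", "general_ledger.post_entry"})}
# Registered calling applications (the machine identity) and the systems each
# may reach. Assumption: app_id is bound to a client certificate or signed token.
REGISTERED_APPS = {
    "partner-erp-42": {"customer_hub"},
    "internal-crm": {"customer_hub", "general_ledger"},
}
AUDIT_LOG: list = []  # evidence trail an auditor can review

@dataclass(frozen=True)
class Request:
    app_id: str              # authenticated calling application
    user_id: Optional[str]   # end user asserted by that application, if any
    roles: frozenset         # that user's roles from the company's own identity store
    operation: str           # "<system>.<action>"

def authorize(req: Request) -> tuple:
    """Return (allowed, reason); every decision is written to AUDIT_LOG."""
    system = req.operation.split(".", 1)[0]
    reachable = REGISTERED_APPS.get(req.app_id)
    permitted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req.roles))
    if reachable is None:
        decision = (False, "unregistered calling application")
    elif system not in reachable:
        decision = (False, "application not cleared for %s" % system)
    elif req.user_id is None:
        decision = (False, "no end user asserted by calling application")
    elif req.operation not in permitted:
        decision = (False, "operation not permitted for user's roles")
    elif any(req.operation in pair and pair <= permitted for pair in CONFLICTING):
        decision = (False, "segregation of duties conflict")
    else:
        decision = (True, "ok")
    AUDIT_LOG.append({"app": req.app_id, "user": req.user_id,
                      "operation": req.operation, "decision": decision})
    return decision

if __name__ == "__main__":
    print(authorize(Request("partner-erp-42", "bob", frozenset({"sales_rep"}), "general_ledger.post_entry")))
```

A machine-only call (no asserted end user) and a user whose combined roles span both sides of a conflicting pair are both refused, and each refusal leaves a record in AUDIT_LOG.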

No Perimeter Emphasizes Application Controls
Overall, the move to SOA puts greater emphasis on application level controls than may have been required in a conventional IT architecture. While many of the IT general controls focus on the perimeter - firewalls, network access, passwords, baseline standards, and so on - the SOA renders much of perimeter security irrelevant. If access to critical financial applications is open to direct use by virtually any application in the world, then the perimeter is necessarily less significant as a component of an internal control practice.

Conclusion
Service Oriented Architecture requires some rethinking of internal controls over financial reporting. In terms of IT general controls, SOA changes some of the underlying assumptions that exist today, including the importance of the perimeter and the role of individual users versus machine users of critical applications. For IT systems that support non-technological internal controls, the transition to SOA should stimulate analysis regarding access rights, segregation of roles, and integrity of data.

The good news is that SOA represents an incremental shift in the IT aspects of internal controls and Sarbanes-Oxley compliance. SOA is not a categorical revolution in technology that shatters previously understood notions of internal controls.

However, one thing should be clear: A poorly governed SOA could easily result in deficient internal controls and problems with Sarbanes-Oxley compliance.

About Hugh Taylor
Hugh Taylor is the co-author of Understanding Enterprise SOA and Event-Driven Architecture: How SOA Enables the Real-Time Enterprise and the author of The Joy of SOX: Why Sarbanes Oxley and Service-Oriented Architecture May be the Best Thing that Ever Happened to You. He serves as Senior Director of Marketing at Mitratech, a Los Angeles-based enterprise software company.

Reader Feedback

bmoran wrote: In talking about control frameworks like COBIT or COSO, people often ignore or pay less attention to the monitoring component of their controls. Companies are now integrating continuous monitoring as both a control and an automated control test. For more information check out this Forrester webcast: http://www.oversightsystems.com/knowledge/view_Controls_Automation_webca...

Webcast with Forrester Research: Controls Automation & Continuous Monitoring

Date: Tuesday, Sept. 26

Time: 1 p.m. EDT/10 a.m. PDT

Duration: 45 minutes

Sarbanes-Oxley compliance demands controls optimization and continuous monitoring. In the first years of internal control audits, companies labored to satisfy their auditors with manual controls that were costly to implement and then required intensive testing. Forrester Research analyst Paul Hamerman will lead a 45-minute discussion on how companies can take their SOX compliance programs to the next level with controls automation and continuous monitoring. Specifically, Paul will discuss:

* Risk-based controls (and how to implement them)

* Automating compliance processes

* The role of continuous monitoring as a control and control testing

* Business benefits from compliance

SOA News Desk wrote: Service Oriented Architecture (SOA) is at the heart of many major IT initiatives and vendor offerings. However, while SOA has the potential to deliver business value through streamlined application integration, as well as integration with partners and suppliers, the open nature of SOA has the potential to cause problems with Sarbanes-Oxley compliance. This article will look at compliance issues inherent in developing an SOA. Using a practical example, we'll examine COSO Control Objectives, Risks, and their supporting IT systems from the perspective of Sarbanes-Oxley compliance.