Corporate Fraud Trigger for Identity Management

The Sarbanes-Oxley Act was enacted as a reaction to a number of major corporate and accounting scandals, including those affecting, for example, Enron, Tyco International, and WorldCom. These scandals, which cost investors billions of dollars when the share prices of the affected companies collapsed, shook public confidence in the nation's securities markets. The legislation came into force in 2002 and introduced major changes to the regulation of financial practices and corporate governance. The main purpose of SOX was to prevent financial fraud with the help of corporate information systems. Corporate fraud mainly succeeds because of a lack of internal control.

Due to the SOX requirements, organizations must know:

• When systems login and logoff has been performed. 
• Who has or has had access to the systems.
• The activities that have been performed in the systems.
• The changes that have been executed.
• What systems users can access and with what privileges.
• Who has approved and granted access rights.  

SOX Requirements a Cornerstone of Propentus' Integrated IAM Solution

The first version of the Propentus United Identity system was established in co-operation with our globally operating customer. Due to the global nature of business activities they had to fulfill the SOX requirements. Therefore, the starting point for product development was the system's ability to support the organizations predefined business processes. As a short summary, the requirements were as follows:

• The corporation must have a comprehensive process to manage and control its information systems' access rights. In addition, access rights must be audited regularly. 
• The corporation must have efficient and secured processes for granting and removing identity access rights.
• The corporation must be able to ensure that access controls limit an employee's access to sensitive information to only that information that he or she has access rights.

Sarbanes–Oxley contains 11 titles that describe specific mandates and requirements for financial reporting, management responsibilities, and obligations as well as criminal penalties for violation of SOX. Furthermore, management is required to establish and maintain an adequate internal control which will directly affect and improve information systems' access rights management.