Page History

A statement of management's responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and management's assessment, as of the end of the company's most recent fiscal year of the effectiveness of the company's internal control structure and procedures for financial reporting, Section 404 requires the company's auditor to attest to, and report on management's assessment of the effectiveness of the company's internal controls and procedures for financial reporting in accordance with standards established by the Public Company Accounting Oversight Board. (Source: Securities and Exchange Commission.)

What does this mean from an Information Technology standpoint?

The key is the reliability of financial reporting.
Financial information resides in the database and it is the responsibility of IT to ensure the right personnel have access to that data at the right time. Any changes to the permissions must be tracked. Additionally, all access to that data (select, insert, update, and delete operations, plus before and after changes) must be audited down to the actual user and stored. If the need arises to determine where an individual has violated the accuracy of the financial data, an audit trail of activity will help to prove that the user:

• Accessed the data
• Changed permissions
• Changed the data

• Logins
• Logouts
• Failed Logins
• Security Changes
• DDL
• Privileged User activity

Database Events:

• Security changes
• Administrative activities
• DML
• SQL statements
• SELECT statements on all DB objects
• SELECT statements on specific tables
• Before-After Data auditing
• Sensitive Columns
• Alerting

404

CDC

• None

Database Events:

• Sensitive columns
• Before-After data change