ROSEASP MICROSOFT DYNAMICS HOSTING
CONSIDERATIONS FOR AUDIT-READY CLOUD ACCOUNTING
SOX
REQUIREMENTS
CLOUD
www.roseasp.com info@roseasp.com
Contents:
Change Management
Logical Access
Physical Security
IT Operations
Backup and Recovery
© 2016 by RoseASP. Reproduction in whole or part without the
expressed permission of RoseASP is prohibited.
If your organization is a publicly-traded company or
preparing for an initial public offering, you have substantial
considerations to address before deploying financial data in
the cloud. When evaluating cloud ERP solutions and hosting
environments, it’s important to verify that the provider delivers
cloud services with the necessary security and internal controls
to satisfy the Sarbanes-Oxley Act (SOX) of 2002. This will ensure
the integrity of the financial system and help your organization
avoid noncompliance issues.
Although some cloud providers can ensure the necessary SOC 1
Type II security where data storage is concerned, their response
to SOX compliance often falls short in meeting the process
management and support requirements of publicly traded
companies. At RoseASP, we are dedicated to SOX compliance
and can produce documentation to substantiate that the system
and data are securely maintained, so stakeholders can feel
confident in the integrity of the reporting.
This eBook identifies five critical components of SOX compliance
that need to be addressed to ensure your ERP cloud provider
delivers an audit-ready accounting solution. It also shares
how RoseASP’s internal controls respond to each of these
components to help streamline your audit process and reduce
the risk of noncompliance.
SOX in the Cloud
CHANGE MANAGEMENT
1
All changes, including adding
and removing users, to a
SOX compliant data system must
be properly approved and then
documented. Changes within the
application like applying upgrades,
patches or adding new modules
need to be performed in a “test”
environment before moving into
a live production environment.
Comprehensive testing ensures the
system is operating as designed
when changes are made.
“Choosing a cloud provider that could satisfy SOX and FDA
compliance requirements was key to our operations. We
chose RoseASP because their ability to work with regulated
companies gave us a comfort level other providers could
not match.”
Tony Brew, Head of IT and Senior Director,
Hyperion Therapeutics
Audit-Readiness Considerations
CHANGE MANAGEMENT
Is a test environment provided with sufficient time to perform tests before changes are made in production?
How are changes to the system and the software approved, documented and tracked?
What controls are in place when adding users or changing existing user passwords or access levels?
What controls are in place regarding changes within the application itself, such as upgrades and new modules?
Who can request changes and how is this controlled?
RoseASP’s Written Change Management Policies:
Audit-ready standards for creating or changing user accounts and system access levels
Upgrades or new module implementations performed in a controlled test environment
Standardized change request practices
Change management policies strictly maintained, regularly reviewed
Change control documentation available upon request
LOGICAL ACCESS
2
Protecting and maintaining logical
access to the system ensures
that only the approved users are
accessing the system and helps to
protect data and reporting integrity.
It is the responsibility of your hosting
provider to protect your cloud system
against hacking, viruses and other
unauthorized access through strict
user access controls, firewalls,
encryption and current anti-virus
protection.
Did you know that a cloud provider’s Service Level
Agreement guarantees more than uptime? A cloud hosting
SLA is a critical legal document with direct impact on your
GRC practices.
Learn more about cloud SLAs from RoseASP »
Audit-Readiness Considerations
LOGICAL ACCESS
What controls and software tools does the cloud provider use to restrict access and prevent breaches?
How do you document that all changes for user access are authorized and processed in a timely manner?
What controls and monitoring policies are in place to maintain the integrity of user passwords, firewalls and encryption?
How are controls maintained around user level access restrictions?
Does the application offer user authentication and audit traceability?
RoseASP’s Written Logical Access Policies:
Highest levels of IT monitoring, firewall protection, 256 bit encryption, 90-day password resets and intrusion detection
Standardized user naming schemes and authentication restrictions
Regular review of firewall system logs and database administrators
Security policies exceeding industry requirements
PHYSICAL SECURITY
3
Did you know that your existing Microsoft Dynamics
ERP system can be moved to a secure and audit-ready
cloud environment in 3 steps?
Learn more about ERP cloud migrations »
Public companies and startups that
plan to go public need to produce
SOC 1 Type II certification from
the hosting provider to assure that
financial data is stored in an audit-
ready environment with adequate
data security, availability, processing
integrity, confidentiality and privacy.
Audit-Readiness Considerations
PHYSICAL SECURITY
Can the hosting organization provide documentation to verify SOC 1 Type II Certification of the data center?
Is data stored and backed up in state-of-the-art data centers with multiple co-location centers?
Do physical security measures meet or exceed industry standards?
RoseASP’s Written Physical Security Policies:
All data centers are regularly audited and meet SSAE 16 SOC 1 Type II requirements
Physically separated data and intrusion free ports on boxes
Multi-factor security infrastructure, video surveillance, alarmed access/egress points, Kevlar impregnated drywall and bulletproof glass, on site NOC staffing 24/7/365, biometric identification with dual factor authentication.
“Better, consistent fulfillment of compliance
obligations is essential, but so are objectives
such as customer service, revenue growth,
and improved agility in oh-so competitive
markets. (Information Governance) is not
just about getting rid of junk content, it is
more importantly about instilling trust in the
data and communication we use to run our
businesses.”
Forrester Analyst - Cheryl McKinnon
IT OPERATIONS
4
Internal control policies and
procedures ensure that the
provider’s IT staff is maintaining
the appropriate documentation for
SOX compliance and undergoing
regular training to stay current with
IT trends and developments. Hosting
providers that are committed to SOX
compliance will have their internal
controls documented in policies
which are accessible to customers
and auditors for review. These
controls should be frequently tested
by the hosting provider to ensure
compliance.
“New markets and product lines mean additional regulations
and compliance requirements. You need a solution that
provides audit trails and formal business processes that a
growing business needs to manage and control risk.”
Make Technology Your Business Advantage - eBook »
Audit-Readiness Considerations
IT OPERATIONS
What controls are in place internally among staff to assure that application maintenance remains current and SOX policies are upheld?
Who has access to the system and how is access tracked, documented and reviewed?
How is accountability for customer support requests tracked among the hosting firm’s internal IT staff?
What are the hosting firm’s policies around scheduled downtime and notification?
RoseASP’s Written IT Policies:
24/7/365 Customer support
Strict controls around accessing customer data
System monitoring, intrusion detection and notification
Standardized policy for tracking and responding to service requests
Ongoing training of IT team members and unmatched standards of expertise in cloud, accounting and compliance
“Compliance is a collaborative effort of all IT team members.”
RoseASP Chief
Compliance Officer,
Glen Medwid explains
what is required of
a cloud provider
to support SOX
compliance.
Go to SOX compliance video »
BACKUP AND RECOVERY
5
Along with SSAE 16 SOC 1
Type II certification, a SOX
data center must employ redundant
power and fire suppression systems
to protect against disaster events.
Your software hoster should
provide adequate documentation
of successful backups as well as
periodically providing restore data
from the backup media. This allows
you and your auditors to test and
verify that restore data is accurate and
consistent with data in the production
database and to verify all backups are
occurring according to the terms of
your Service Level Agreement.
“In my case, I have banking information from all our franchisees
and other data for which I could have serious liability. I trust
RoseASP and Microsoft to encrypt the data and host it in a
secure way. Quite frankly, that’s a main reason I’m planning
to stay in a hosted environment.”
Michael Jensrud, CFO, BRIX Holdings »
Audit-Readiness Considerations
BACKUP AND RECOVERY
How frequently are test restores performed?
How are backups scheduled?
What are data ownership policies?
What is included in backup procedures?
Are redundant backups performed in separate locations to protect your data against disaster events?
Is a copy of the backup retained off site from the data center?
RoseASP’s Written Backup & Recovery Policies:
Strict daily, weekly, monthly and annual backup schedule
Tailorable backup plan to fit customer needs
Regular “test” restores to validate backup plan
Recovery policies ensuring data integrity and standardizing ownership and responsibility during force majeure events
With sufficient due diligence, leveraging a cloud based
accounting system does not mean an organization has
to risk the integrity of the financial data and reporting.
If you are a CFO or CIO considering cloud based accounting
for a public company, it is important that a hosting provider is
able to work closely with auditors to provide documentation
on internal controls and the operational effectiveness of those
controls. If any control issues or exceptions are noted during
preliminary audit procedures, SOX compliant hosting providers
will remediate those exceptions quickly so controls can be
retested prior to year-end.
Whether your organization is already publicly traded, preparing
for an initial public offering or a start-up with an eye on the
future, you can save time and avoid problems down the road
by deploying an ERP cloud solution through a hosting firm that
supports all compliance needs and responds quickly to requests
for audit support and SOX documentation.
Takeaways
A growing company uses
the cloud to support SOX
compliance.
Read a SOX Cloud Story »
Everything you need to know
about SLAs for cloud based
accounting software.
Learn What’s in an SLA? »
How much does a SOX
audit-ready cloud
solution cost?
Get a Quote
SOX Compliant Microsoft Dynamics Cloud
RoseASP works closely with clients to provide a
comprehensive service level agreement that meets
the needs of your business and provides assurance
that compliance, performance and system availability
requirements will be met.
RoseASP has a proven record of helping customers
streamline auditing and reporting procedures to reduce
the cost and risks associated with SOX. We offer highly
secure, audit-ready environments and services for
Microsoft Dynamics AX, GP, NAV, SL and CRM.
With 24/7/365 support for any connectivity, backup,
restore, password reset or other application readiness
issues, RoseASP is committed to personalized service
and responds quickly to any documentation requests.
We work closely with customers and Dynamics Partners
to ensure that Dynamics ERP customers get the
application support they need with internal controls and
backstops to support requirements for SOX, HIPAA and
FDA compliance.
About RoseASP
858-794-9403
sales@roseasp.com
www.RoseASP.com

 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 

Recently uploaded (20)

Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 

SOX Cloud Criteria Cloud Hosted Accounting

  • 1. ROSEASP MICROSOFT DYNAMICS HOSTING CONSIDERATIONS FOR AUDIT-READY CLOUD ACCOUNTING SOX REQUIREMENTS CLOUD www.roseasp.com info@roseasp.com
  • 2. Contents: Change Management 4; Logical Access 6; Physical Security 8; IT Operations 11; Backup and Recovery 14. © 2016 by RoseASP. Reproduction in whole or part without the expressed permission of RoseASP is prohibited. www.roseasp.com
  • 3. SOX in the Cloud: If your organization is a publicly-traded company or preparing for an initial public offering, you have substantial considerations to address before deploying financial data in the cloud. When evaluating cloud ERP solutions and hosting environments, it’s important to verify that the provider delivers cloud services with the necessary security and internal controls to satisfy the Sarbanes-Oxley Act (SOX) of 2002. This will ensure the integrity of the financial system and help your organization avoid noncompliance issues. Although some cloud providers can ensure the necessary SOC 1 Type II security where data storage is concerned, their response to SOX compliance often falls short in meeting the process management and support requirements of publicly traded companies. At RoseASP, we are dedicated to SOX compliance and can produce documentation to substantiate that the system and data are securely maintained, so stakeholders can feel confident in the integrity of the reporting. This eBook identifies five critical components of SOX compliance that need to be addressed to ensure your ERP cloud provider delivers an audit-ready accounting solution. It also shares how RoseASP’s internal controls respond to each of these components to help streamline your audit process and reduce the risk of noncompliance. © 2016 RoseASP
  • 4. CHANGE MANAGEMENT (1): All changes, including adding and removing users, to a SOX compliant data system must be properly approved and then documented. Changes within the application like applying upgrades, patches or adding new modules need to be performed in a “test” environment before moving into a live production environment. Comprehensive testing ensures the system is operating as designed when changes are made. “Choosing a cloud provider that could satisfy SOX and FDA compliance requirements was key to our operations. We chose RoseASP because their ability to work with regulated companies gave us a comfort level other providers could not match.” Tony Brew, Head of IT and Senior Director, Hyperion Therapeutics
  • 5. Audit-Readiness Considerations, CHANGE MANAGEMENT: Is a test environment provided with sufficient time to perform tests before changes are made in production? How are changes to the system and the software approved, documented and tracked? What controls are in place when adding users or changing existing user passwords or access levels? What controls are in place regarding changes within the application itself, such as upgrades and new modules? Who can request changes and how is this controlled? RoseASP’s Written Change Management Policies: Audit-ready standards for creating or changing user accounts and system access levels; Upgrades or new module implementations performed in a controlled test environment; Standardized change request practices; Change management policies strictly maintained, regularly reviewed; Change control documentation available upon request.
  • 6. LOGICAL ACCESS (2): Protecting and maintaining logical access to the system ensures that only the approved users are accessing the system and helps to protect data and reporting integrity. It is the responsibility of your hosting provider to protect your cloud system against hacking, viruses and other unauthorized access through strict user access controls, firewalls, encryption and current anti-virus protection. Did you know that a cloud provider’s Service Level Agreement guarantees more than uptime? A cloud hosting SLA is a critical legal document with direct impact on your GRC practices. Learn more about cloud SLAs from RoseASP
  • 7. Audit-Readiness Considerations, LOGICAL ACCESS: What controls and software tools does the cloud provider use to restrict access and prevent breaches? How do you document that all changes for user access are authorized and processed in a timely manner? What controls and monitoring policies are in place to maintain the integrity of user passwords, firewalls and encryption? How are controls maintained around user level access restrictions? Does the application offer user authentication and audit traceability? RoseASP’s Written Logical Access Policies: Highest levels of IT monitoring, firewall protection, 256 bit encryption, 90-day password resets and intrusion detection; Standardized user naming schemes and authentication restrictions; Regular review of firewall system logs and database administrators; Security policies exceeding industry requirements.
  • 8. PHYSICAL SECURITY (3): Public companies and startups that plan to go public need to produce SOC 1 Type II certification from the hosting provider to assure that financial data is stored in an audit-ready environment with adequate data security, availability, processing integrity, confidentiality and privacy. Did you know that your existing Microsoft Dynamics ERP system can be moved to a secure and audit-ready cloud environment in 3 steps? Learn more about ERP cloud migrations
  • 9. Audit-Readiness Considerations, PHYSICAL SECURITY: Can the hosting organization provide documentation to verify SOC 1 Type II Certification of the data center? Is data stored and backed up in state-of-the-art data centers with multiple co-location centers? Do physical security measures meet or exceed industry standards? RoseASP’s Written Physical Security Policies: All data centers are regularly audited and meet SSAE 16 SOC 1 Type II requirements; Physically separated data and intrusion free ports on boxes; Multi-factor security infrastructure, video surveillance, alarmed access/egress points, Kevlar impregnated drywall and bulletproof glass, on site NOC staffing 24/7/365, biometric identification with dual factor authentication.
  • 10. “Better, consistent fulfillment of compliance obligations is essential, but so are objectives such as customer service, revenue growth, and improved agility in oh-so competitive markets. (Information Governance) is not just about getting rid of junk content, it is more importantly about instilling trust in the data and communication we use to run our businesses.” Forrester Analyst - Cheryl McKinnon
  • 11. IT OPERATIONS (4): Internal control policies and procedures ensure that the provider’s IT staff is maintaining the appropriate documentation for SOX compliance and undergoing regular training to stay current with IT trends and developments. Hosting providers that are committed to SOX compliance will have their internal controls documented in policies which are accessible to customers and auditors for review. These controls should be frequently tested by the hosting provider to ensure compliance. “New markets and product lines mean additional regulations and compliance requirements. You need a solution that provides audit trails and formal business processes that a growing business needs to manage and control risk.” Make Technology Your Business Advantage - eBook
  • 12. Audit-Readiness Considerations, IT OPERATIONS: What controls are in place internally among staff to assure that application maintenance remains current and SOX policies are upheld? Who has access to the system and how is access tracked, documented and reviewed? How is accountability for customer support requests tracked among the hosting firm’s internal IT staff? What are the hosting firm’s policies around scheduled downtime and notification? RoseASP’s Written IT Policies: 24/7/365 Customer support; Strict controls around accessing customer data; System monitoring, intrusion detection and notification; Standardized policy for tracking and responding to service requests; Ongoing training of IT team members and unmatched standards of expertise in cloud, accounting and compliance.
  • 13. “Compliance is a collaborative effort of all IT team members.” RoseASP Chief Compliance Officer, Glen Medwid, explains what is required of a cloud provider to support SOX compliance. Go to SOX compliance video
  • 14. BACKUP AND RECOVERY (5): Along with SSAE 16 SOC 1 Type II certification, a SOX data center must employ redundant power and fire suppression systems to protect against disaster events. Your software hoster should provide adequate documentation of successful backups as well as periodically providing restore data from the backup media. This allows you and your auditors to test and verify that restore data is accurate and consistent with data in the production database and to verify all backups are occurring according to the terms of your Service Level Agreement. “In my case, I have banking information from all our franchisees and other data for which I could have serious liability. I trust RoseASP and Microsoft to encrypt the data and host it in a secure way. Quite frankly, that’s a main reason I’m planning to stay in a hosted environment.” Michael Jensrud, CFO, BRIX Holdings
  • 15. Audit-Readiness Considerations, BACKUP AND RECOVERY: How frequently are test restores performed? How are backups scheduled? What are data ownership policies? What is included in backup procedures? Are redundant backups performed in separate locations to protect your data against disaster events? Is a copy of the backup retained off site from the data center? RoseASP’s Written Backup & Recovery Policies: Strict daily, weekly, monthly and annual backup schedule; Tailorable backup plan to fit customer needs; Regular “test” restores to validate backup plan; Recovery policies ensuring data integrity and standardizing ownership and responsibility during force majeure events.
  • 16. Takeaways: With sufficient due diligence, leveraging a cloud based accounting system does not mean an organization has to risk the integrity of the financial data and reporting. If you are a CFO or CIO considering cloud based accounting for a public company, it is important that a hosting provider is able to work closely with auditors to provide documentation on internal controls and the operational effectiveness of those controls. If any control issues or exceptions are noted during preliminary audit procedures, SOX compliant hosting providers will remediate those exceptions quickly so controls can be retested prior to year-end. Whether your organization is already publicly traded, preparing for an initial public offering or a start-up with an eye on the future, you can save time and avoid problems down the road by deploying an ERP cloud solution through a hosting firm that supports all compliance needs and responds quickly to requests for audit support and SOX documentation. A growing company uses the cloud to support SOX compliance. Read a SOX Cloud Story. Everything you need to know about SLAs for cloud based accounting software. Learn What’s in an SLA?
  • 17. How much does a SOX audit-ready cloud solution cost? Get a Quote
  • 18. SOX Compliant Microsoft Dynamics Cloud: RoseASP works closely with clients to provide a comprehensive service level agreement that meets the needs of your business and provides assurance that compliance, performance and system availability requirements will be met. RoseASP has a proven record of helping customers streamline auditing and reporting procedures to reduce the cost and risks associated with SOX. We offer highly secure, audit-ready environments and services for Microsoft Dynamics AX, GP, NAV, SL and CRM. With 24/7/365 support for any connectivity, backup, restore, password reset or other application readiness issues, RoseASP is committed to personalized service and responds quickly to any documentation requests. We work closely with customers and Dynamics Partners to ensure that Dynamics ERP customers get the application support they need with internal controls and backstops to support requirements for SOX, HIPAA and FDA compliance. About RoseASP 858-794-9403 sales@roseasp.com www.RoseASP.com