When it comes to Sarbanes-Oxley compliance, one of the key elements is segregation of duties. The goal is to make it a little harder for those who work with a company's money or books to commit fraud. According to Internal Auditor:
The purpose of segregating responsibilities is to prevent occupational fraud in the form of asset misappropriation and intentional financial misstatement.
But how do you make sure the duties stay segregated? Here's a thought: Using identity management to control the equipment, applications and data that each person can access will help. Even better than that, though, according to SailPoint Technologies CEO Mark McClain, is identity governance. In a recent IT Business Edge guest opinion, McClain wrote:
The emergence of identity governance allows organizations to transform technical identity data from across the enterprise into business-friendly information that can be used to drive governance and compliance initiatives. This centralized visibility gives executive and business users the "intelligence" they need to define and enforce business policy, audit and report on the effectiveness of internal controls, and more effectively manage risk.
McClain says identity governance is especially necessary now that risk management is such a high priority among public companies, which are subject to Sarbanes-Oxley, among insurance companies, which are subject to the Model Audit Rule, and among health care providers and their business associates, who are subject to the HITECH Act.