SOX CLOUD ERP COMPLIANCE CHECKLIST

Sarbanes-Oxley (SOX) compliance for financial software such as cloud-based Enterprise Resource Planning (ERP) requires process management, documentation, and high levels of service and system availability. Use this checklist to better understand cloud accounting SOX requirements when reviewing your current financial systems or when evaluating new providers of cloud-based financial software for SOX.

ABOUT ROSEASP:
RoseASP’s customers look to RoseASP as their trusted data custodians. Our robust array of controls and written policies allows RoseASP to provide secure hosted Microsoft Dynamics AX, GP, NAV and SL solutions for SOX ERP compliance. Our commitment to service allows regulated customers to go cloud with confidence.

Why Cloud ERP for SOX?
65%-70% of SOX compliant businesses are spending an increased amount of time on SOX compliance processes. Cloud ERP from the right provider can streamline your SOX accounting and reporting practices.

60% of businesses are moving to more modern technology to free up IT resources and work more on strategic tasks. (Source: 4 Characteristics of ModernBiz)

ERP Change Management for SOX Compliance

ERP Change Requirements:
“As changes occur... we evaluate the impact of those changes on internal controls, and revise or add new written policies as needed.” Glen Medwid, Chief Compliance Officer, RoseASP

Change Control Checklist
- Written policies regarding how changes to the system and the software are approved, documented and tracked
- Controls in place for adding system users or changing existing user passwords and access levels
- Controls in place regarding changes within the application itself, such as upgrades and new modules
- Control policies establishing a process for change requests and tracking who is authorized to make change requests

ERP Logical Access for SOX Compliance

ERP Access Requirements:
“It is important that a cloud services provider offers the highest levels of IT monitoring, firewall protection and encryption, but they must also follow strict policies around password naming schemes and password resets to ensure the authenticity of data.”

Logical Access Control Checklist
- Strict controls and advanced hardware & software tools used to restrict access and prevent breaches
- Policies and procedures in place to ensure any user access changes are authorized and processed in a timely manner
- Controls to ensure system security regarding user passwords, firewalls and encryption
- Policies establishing controls for the maintenance of user-level access restrictions

ERP Physical Security for SOX Compliance

ERP Security Requirements:
“Cloud-based accounting requires a full-service cloud hosting partner. While many cloud providers can offer server environments with SSAE 16 Type 2 compliance, few cloud providers offer ongoing support for application availability, upgrades and compliance.”

Physical Security Control Checklist
- Multi-factor security infrastructure at data center sites, including video surveillance, alarmed access and egress points, Kevlar-impregnated drywall, bulletproof glass and NOC security personnel on-site 24/7/365
- Data centers which regularly undergo independent audits to verify security is working effectively
- Documentation available to verify recent SOC 1 Type II certification of the data center in a timely manner
- Data physically separated on servers with secured ports

ERP Cloud IT Operations for SOX Compliance

ERP Cloud Requirements:
Public companies need to produce SOC 1 Type II certification from the hosting provider with adequate data security, availability, processing integrity, confidentiality and privacy.

IT Operations Control Checklist
- 24/7/365 customer service for application availability & cloud support
- Strict controls around accessing customer data, audit traceability and documentation
- System monitoring, intrusion detection and customer notification of security events
- Standardized policy for tracking and responding to service requests
- Controls in place to ensure systems are maintained in accordance with SOX policies

ERP Backup & Recovery for SOX Compliance

ERP Backup Requirements:
“The hoster should provide adequate documentation of successful backups along with periodic restore data from the backup media to allow you and your auditors to test and verify it. This allows your business to check that restore data is accurate and consistent with live data.”

Backup & Recovery Control Checklist
- Strict daily, weekly, monthly and annual backup schedule
- Tailored backup and recovery plan to fit your company’s needs and schedule
- Regular “test” restores to validate the backup plan
- Recovery policies ensuring data integrity during Force Majeure events
- Redundant power and fire suppression systems at data centers to protect against disaster events
- Redundant backup sites with a copy of the backup retained offsite from the data center

Additional Benefits of SOX Compliance:
SOX guidelines are a set of accounting best practices. 78% of businesses that adhere to SOX guidelines experience improvement of all business processes that impact financial reporting.

58% of large companies say they spend more than $1 million on SOX compliance annually. (Source: Protiviti 2016 SOX Compliance Survey)

“Governance is about protecting the organization without disrupting business... A great hosting provider will work to build a cloud solution that helps align information security processes with business requirements.” Linda Rose, CEO-Founder, RoseASP

Is the cloud meeting your requirements for SOX financials?

www.RoseASP.com | 858-794-9403
© 2016 by RoseASP, Inc.