Audit Logs & Sarbanes-Oxley Compliance for SaaS: Part 2 of Compliance Essentials in the SaaS Era

In the first part of our month-long series on compliance essentials, we looked at content scanning. And here in our second part, we look at the importance of audit logs and how they help organizations comply with critical standards, regulations, and laws. In particular, we look at:

• Sarbanes-Oxley (SOX) compliance for SaaS,
• Provisions that apply to IT and SaaSOps professionals,
• The importance of audit logs, and
• How BetterCloud audit logs help

Sarbanes-Oxley (SOX) compliance for SaaS

The Sarbanes-Oxley Act (SOX) Public Accounting Reform and Investor Protection Act was passed in 2002. It is a United States federal law that sets requirements for all U.S. public company boards, management, and public accounting firms.

Meant to protect investors and the public against corporate financial fraud and mismanagement, SOX increases transparency in financial reporting and corporate governance. Specifically, the law:

• closes accounting loopholes that allowed misrepresentation of company value
• builds in accountability for top management, officers, boards, and public accounting firms that work with and audit public companies
• ensures higher standards of governance by establishing and complying with internal controls on financial reporting. These controls protect data integrity that become the basis of financial records and reporting.

But first, a few important points:

While public companies must generally comply with SOX, some provisions also apply to privately held companies. For example, privately held companies can be held responsible for willful destruction of evidence to impede a federal investigation.

In the intersection of SaaS operations and compliance, the requirement to keep evidence is related to both data retention and audit logging. Both functions are included in a SaaSOps platform, making it easier to comply and prove it.

So let’s back up and talk about SOX provisions that are important to SaaS operations.

Provisions that apply to IT and SaaS operations

The following four sections apply to SaaS operations. They are:

SOX Section 302: This requires that IT deliver real-time reporting on SOX-related internal controls. To do this, it means automating tasks like evidence gathering, testing, and reporting on breaches and remediation efforts.

SOX Section 404: All businesses must have internal controls for accurate and transparent financial reporting. An external auditor reviews them every year, and evaluates how well a company documents, tests, and maintains internal controls.

The goal for IT and SaaSOps is to make sure processes support accurate and complete transmission of financial data while keeping asset-bearing accounts secure from unauthorized access. So they must determine the IT systems—including mission-critical SaaS apps—and processes involved in the financial information lifecycle. They’ll include security, application testing, the verification of software integrations, and automated process testing.

SOX Section 409: Events with a material financial impact on the business—like data breaches, mergers and acquisitions, or bankruptcy—must be disclosed in a timely fashion.

IT can use SOX compliance software like Workiva or SOXHUB. These tools provide alerts to inform the business of the need to comply with the “timely disclosure” SOX requirement. In addition, such software might be used for informing stakeholders of changes.

SOX Section 802: Public companies are required to keep sensitive data related to financial transactions for at least five years. So IT must store it with internal automated backup processes and ensure systems are functioning. IT professionals must also have the organizational control to maintain data availability at all times, even during technology upgrades.

This is where data retention policies, along with automated offboarding workflows, help companies with SOX compliance for SaaS.

The importance of audit logs

Many laws, regulations, and standards—including SOX—require organizations to prove that they comply with the law. In particular, it requires timeline tracking to log changes to financial records. Of course, this includes when changes were made and who made them.

So audit logs and reporting are a necessity.

In addition, audit logs show a complete picture of everything that happens within your domain. This way, they verify controls required by SOX as well as many other standards, laws, and regulations.

For example, they give visibility into:

• Exact action or event
• Date and time the action happened
• User or entity that took an action
• Integrations and third-party app data
• Status of the action or event

While audit logs help you know, manage, and secure your IT environment, they also verify adherence with compliance policies.

How BetterCloud helps

With a SaaSOps platform, all actions within your SaaS environment are aggregated into one place. It’s one centralized view for real-time SaaS operations across:

• Users
• Files
• Groups
• Settings

A SaaSOps platform has huge operational value.

Instead of alert overload that so many other tools produce, a SaaSOps platform uses log data to provide operational context on users or files. And it notifies IT only when an incident is a concern. Together with a workflow engine that can take action across multiple SaaS applications when issues do occur, concerns are remediated more quickly.

And its byproduct? An audit log that makes it easier and faster to prove compliance.

BetterCloud logs are your system of record showing all actions taken in BetterCloud. They also capture how the system responded and whether an action was successfully executed.

An auditor can:

• View the date and time an action occurred
• View the name of the user or entity who took the action
• View the integration (app) the action occurred in
• View the status of each action
• View the exact action taken
• View the full text, or records, of actions taken in BetterCloud
• Search, sort, filter, and export audit logs

With BetterCloud, audit logs with operational data prove that you follow your security policy—thus simplifying SOX compliance with SaaS operations.