Job Roles and Responsibilities – SOX Audit

Depending on the size of an organization, responsibility may be divided among the following defined
roles. It is important that responsibility is clearly visible and is supported by management. To achieve
this, the accountable persons must actually assume their accountabilities (i.e. they must have the
authority to make the corresponding decisions and the experience/knowledge to make the right
decisions).
Management and Human Resources should ensure that the necessary roles are correctly
implemented.

  • Board and Executives: The Board of Directors and the managing director or CEO
    (or equivalent) are ultimately responsible for security strategy and must make the necessary
    resources available to combat business threats. This group is ultimately responsible for
    disseminating the strategy and establishing security-aware customs within the organization.
    They have the mandate to protect and ensure the continuity of the corporation and to
    protect and ensure the profitability of the corporation. Information security plays a crucial
    role in both of these aspects of senior management’s role.
  • Business process / data / operation owner: This person is directly responsible for a
    particular process or business unit’s data and reports directly to top management. He/she
    analyzes the impact of security failures and specifies the classification and the guidelines/processes
    that ensure the security of the data for which he/she is responsible. This role must not have any
    influence on auditing.
  • Process Owner: The process owner is responsible for the design of the process, not for the
    performance of the process itself. The process owner is additionally responsible for the
    metrics linked to the process feedback systems, the documentation of the process, and the
    education of the process performers in its structure and performance. The process owner is
    accountable for sustaining the development of the process and for identifying opportunities
    to improve it. The process owner is the individual ultimately accountable for
    improving a process.
  • IT Security manager/director: This person is responsible for overall security
    within the organization. The IT security manager(s) define IT security guidelines
    together with the process owners. He/she is also responsible for security awareness and for
    advising management correctly on security issues, and may also carry out risk analyses.
    It is important that this person be up to date on the latest security problems, risks and
    solutions. Coordination with partner companies, security organizations, and industry
    groups is also important.
  • System supplier: The system supplier installs and maintains systems. A service level
    agreement should exist that defines the customer/supplier roles and responsibilities. The
    supplier may be, for example, an external contracting company, the internal datacenter,
    or a system/security administrator. This person is responsible for the correct use of security
    mechanisms.
  • System designer: The persons who develop a system have a key role in ensuring that
    the system can be used securely. New development projects must consider security
    requirements at an early stage.
  • Project Leaders: These people ensure that security guidelines are adhered to in projects.
  • Line Managers: These managers ensure that their personnel are fully aware of security
    policies and do not set objectives that conflict with policy. They enforce policy
    and check actual progress.
  • Users: Users, or “information processors/operators,” are responsible for their actions.
    They are aware of company security policy, understand the consequences of their
    actions, and act accordingly. They have effective mechanisms at their disposal so that
    they can operate with the desired level of security. Should users receive confidential
    information that is not classified, they are responsible for classifying and distributing
    this information.
  • Auditor: The auditor is an independent person, within or outside the company, who
    checks the status of IT security, much as a financial auditor verifies the
    validity of accounting records. It is important that the auditor be independent and not
    involved in security administration. External consultants often fulfill this role, since they
    can offer a more objective view of policies, processes, organizations, and mechanisms.