Gary Audin wrote a good post on VoIP and SOX, with a very unique viewpoint and insight. Gary reviewed the goal of SOX, criticized its maturity and operationality, and even predicted that it will be modified in the near future.
The SOX goal is to ensure the reliability of publicly reported financial information. Corporate boards, enterprise executives and directors, attorneys, auditors, small business owners, rank-and-file employees and security analysts have expanded duties as well as penalties as a result of the SOX act. The legislation was not thoroughly debated. The result is being questioned, delayed and will probably be modified. It is a moving target where auditors may develop new policies and requirements in the future. My initial comments on SOX will be found in the previous blog, “Putting up with SOX”.
Further, Gary discussed what IP telephony (IPT) / VoIP systems might mean for SOX compliance.
IP telephony systems will have IP phones that may access the Internet and softphones that may be compromised. These could be the man-in-the-middle for attacks or malicious behavior. The call server could be hijacked to create a denial of service for the VoIP service. Trojan break-ins could access financial information from an IPT device. Even when there are security personnel and procedures in place, if they are handled poorly and the CEO and CFO falsely report that they are diligent in their control, penalties may occur.
Do not wait for the audit. The results can be costly. Be proactive as you move to VoIP/IPT.
IMHO, because SOX is a financially oriented act, if VoIP/IPT is not your business, i.e. not a revenue generator, you might not cover VoIP auditing in your SOX compliance audit, because in general such systems are not used to process and control those financial numbers. However, it is different for VoIP operators, where security control of VoIP billing directly impacts the final financial results and, moreover, the shareholders' benefit.