The Sarbanes-Oxley Act is named after sponsors Senator Paul Sarbanes (D-Maryland) and Representative Michael G. Oxley (R-Ohio). The act (Pub. L. No. 107-204, 116 Stat. 745, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX or Sarbox, July 30, 2002) is a controversial United States federal law passed in response to a number of major corporate and accounting scandals, including those affecting Enron, Tyco International, Peregrine Systems, and WorldCom (which was most recently MCI and is now part of Verizon Business).
These scandals resulted in a decline of public trust in accounting and reporting practices. The legislation is wide-ranging and establishes new or enhanced standards for all U.S. public company boards, management, and public accounting firms.
In addition, outside auditors for companies must, for the first time, attest to managers' internal control assessment, pursuant to SEC rules, which currently require only large public companies to comply with this part of SOX. This presents new challenges to businesses, specifically the documentation of control procedures related to information technology. The Public Company Accounting Oversight Board (PCAOB) has issued guidelines as to how auditors should provide their attestations. The PCAOB suggests considering the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework in management/auditor assessment of controls.
Auditors have also looked to the IT Governance Institute's "COBIT: Control Objectives of Information and Related Technology" for more appropriate standards of measure. This framework focuses on information technology (IT) processes while keeping in mind the big picture of COSO's "control activities" and "information and communication." However, these aspects of COBIT are outside the boundaries of Sarbanes-Oxley regulation.
The Key Sections of Sarbanes-Oxley
To understand how SOX affects information security, an examination of two specific sections of the act is helpful: section 302, titled "Corporate responsibility for financial reports," and section 404, titled "Management assessment of internal controls."
Section 302 states that the Chief Executive Officer (CEO) and Chief Financial Officer (CFO) must personally certify that financial reports are accurate and complete. They must also assess and report on the effectiveness of internal controls around financial reporting. This section clearly places responsibility for accurate financial reporting on the highest level of corporate management. CEOs and CFOs now face the potential for criminal fraud liability. It is noteworthy that section 302 does not specifically list which internal controls must be assessed.
Section 404 states that a corporation must assess the effectiveness of its internal controls and report this assessment annually to the SEC. The assessment must also be reviewed and judged by an outside auditing firm. The impact of section 404 is substantial in that a large amount of resources is needed for compliance. A comprehensive review of all internal controls related to financial reporting is a daunting task.
As with section 302, the wording of section 404 is broad and does not provide specific guidance as to which controls must be assessed.
While the topic of information security is not specifically discussed within the text of the act, the reality is that modern financial reporting systems are heavily dependent on technology and associated controls. Any review of internal controls would not be complete without addressing controls around information security. An insecure system would not be considered a source of reliable financial information because of the possibility of unauthorized transactions or manipulation of numbers. Sections 302 and 404 therefore indirectly force the scrutiny of information security controls for SOX compliance.