Michael Oxley and Paul Sarbanes names are behind the Sarbanes-Oxley Act of 2002 (SOX). This law enforces order on publicly traded companies. The US Congress enacted the Sarbanes-Oxley Act in 2002, following a chain of scandals by organizations such as WorldCom, Tyco International PLC, and Enron Corporation leading to a plummet in the capital market a few months to the 2002 elections. The legislation targeted on repressing the public fear of corporate malpractices and demand more answerability by the Board of Directors and management during financial data reporting. However, contrary to the initial plan, the Sarbanes-Oxley become a greater and complex legislation.
Sarbanes-Oxley vital provisions
The 2002 Sarbanes-Oxley Act introduced five important provisions. First, it was the creation of the Public Company Accounting Oversight Board (PCAOB) and an imposition of limitations on public accounting company auditors inclusive of independence standards. Second, the establishment of corporate governance prerequisites creating the audit committee precautions. Third, the addition of disclosure requisites by the legislation on press releases and financial reports. Forth, it established criminal sanctions for public firms, CFOs, and CEOs in case of untrue endorsed financial statements. The fifth provision was the establishment of punishments of between 20 and 25 years for securities fraud and justice obstruction aimed at discouraging the type of activities behind the 2001 and 2002 disrepute.
Sarbanes-Oxley prerequisites are under some different areas. The focus of the majority of these areas is on corporate responsibility and governance. Among those, however, they include information security specific issues. SOX compliance overwhelms many people, but like any other legislation, the actuality lies in paying attention to individual firms instead of the overall law.
SOX Section 302
Section 302 pays attention to Disclosure procedures and control. This means that SOX 302 are unaudited but are reviewed by the quarterly reports, independent auditors that highlight the entire processes and controls on behalf of public disclosures. Signing offers personal accountability also a focus of this legislation. The 2002 Sarbanes-Oxley Act direct excerpt notes:
“The signing officer based on his knowledge has reviewed the report, and it does not contain false information of a material fact or omission of a material fact required to make the statement. Focusing on the position under which the statement was made; not unfounded based on the officer’s know-how, the financial statements and more financial data included in the report available in all material approves the financial conduction and operations results for and as of the durations indicated in the report.”
For a more natural understanding of terms, it means that executive officers take personal responsibility when they sign a document terming it true and comprehensively disclosing all the critical procedures with precise details on any changes that occurred in the course of the report.
SOX Section 401
This section includes two sections. One, focus on preparation of financial disclosure under defined account standards ensuring investor confidence. Two, this section requires off-balance sheet disclosure reporting, ensuring that the transactions meet the necessary accounting rules. 401 reports relate specifically to the quarterly and annual public financial reporting misrepresented during the WorldCom and Enron scandals. These disclosures are formally audited.
SOX Section 404
Sarbanes-Oxley Act section 404 at its primary level focuses on adequacy and scope of the internal procedures and controls for financial reporting. Most firms struggle to meet the compliance requirements for this section as it has far-reaching impacts than any other division. The SEC’s brochure indicates the steps to evaluate and document internal controls. To begin with, the organization must look into its reporting threat; they may be externally or internally innate to the business. They may be from record, process and authorization transactions mirrored in financial statements. United States Securities and Exchange Commission (SEC) recommends a firm to ask these questions during evaluation:
The relationship between financial reporting elements and entity level controls? The level of precision under which they operate? Does more than one control the same financial risk report? If so, which offers the most efficient method to analyze how well it functions? Is control automated? In this case, how strong are the necessary IT control? Is control manual? In this the risk of human error. The only control that requires identification is those focused on financial reporting threats.
Secondly, is the determination of whether the controls function and the threat in case of controls fail. Increased level of risk calls for greater evidence supporting effective controls. The third step is reporting the widespread deficiencies and effectiveness. The controls are considered ineffective if a firm identifies a material weakness.
The SEC guidance describes a material weakness as “one or multiple control inadequacies creating a logical possibility of a material inaccuracy in the organization’s interim or annual financial statements. SOX 404 need the management to maintain objective evidence of its assessment to include a method of gathering evidence and evaluation, control design, and the assessment basis of controls operating effectiveness.
SOX Section 409
This is the “Real Time Issuer Disclosures” section. The Sarbanes-Oxley Act calls on Issuers disclosing to the public on an emergency basis, data on material changes of financial operations and condition. The presentation of these disclosures needs to be easily understood with support from qualitative and trend data of graphics presentations appropriately.
SOX Section 806
This section focuses on informant protections. Sarbanes-Oxley act offered the US department of labor safety control to employees in need of doing the right thing. The Department of justice can charge on the criminal basis the responsible parties in case a firm punishes an employee for giving out violation information.
SOX Section 906
This forces large organizations with the filling of financial reports responsibility. Standard documents in the course of time have been drafted for CFOs and CEOs to present their periodic SEC financial statement reports.
Sarbanes-Oxley and Information Security
For data security professionals the overrun of SOX 302 and SOX 404 generates the most threat on SOX compliance. 302 handles the personal affirmation of financial reporting control the CFO and CEO. 404 pays attention to internal controls. A proper definition of control is not specified by either of these sections creating broad interpretation by all inclusion of those in information systems.
PCAOB created by Sarbanes-Oxley for auditor guidance on best practices give little enlighten in IT controls. SAN S 2004 white paper offers detailed data on the combination of IT controls and Sarbanes-Oxley. PCAOB selected COSO (Committee of Sponsoring Organizations framework to develop internal control structuring guidelines. The COSO framework handles compliance areas such as information and monitoring, security controls, risk assessment control tasks, control environment, and monitoring; which are important in today’s corporate and government IT systems.
COBIT (Control Objectives for Information and related Technology) framework aims at closing the compliance last gap. It arranges 34 IT processes into groups of delivery and support, monitoring, planning and organization, and acquisition and implementation.
A company will need to put an ideal Sarbanes-Oxley compliance program to ensure they have security policy and standards, authentication and access procedures, monitoring, network security details, physical security and segregation of duties.
Appropriate access is the primary challenge facing IT security departments. One of the prerequisites involves observing user access to information. For user provisioning, privileges access, data administering data system mature procedures. Sarbanes-Oxley needs IT personnel and auditors to regularly review of practices.
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT.