Sarbanes-Oxley Act: The Impact on IT Security
You may have heard or read discussions about the Sarbanes-Oxley Act of 2002. The Sarbanes-Oxley Act of 2002, officially the U.S. Public Company Accounting Reform and Investor Protection Act of 2002, also referred to as SOA or SOX, is having an impact on organizations’ IT, especially security systems, practices and controls. SOX governs how public companies handle financial reporting. In the long term, SOX will affect virtually every aspect of information security. Security practitioners will be well served by gaining knowledge about this legislation and its impact on security requirements for the enterprise infrastructure.
SOX will require two important departments or groups to collaborate. The first is the group that includes security and IT architects with practical experience in identity and access management (IAM) processes and technologies. The second group includes audit, finance, legal and compliance professionals who are responsible for defining, planning, executing and testing for SOX compliance.
What Exactly Is SOX?
SOX is legislation passed by the U.S. Congress at a time when the industry was witnessing major corporate scandals such as Enron, WorldCom and Tyco. The core objectives of the legislation are to restore investor confidence, to improve corporate governance and, most critically, to establish financial transparency. The legislation was enacted on July 30, 2002, when it was signed into law by President George W. Bush.
Who Does SOX Impact?
The primary impact of SOX is on U.S. public companies registered with the Securities and Exchange Commission (SEC). The SOX legislation directly impacts how public organizations and accounting firms deal with corporate governance, financial disclosure and the practice of public accounting. This legislation is a mandate that is bringing new attention to security as a critical part of the risk management framework for the dual purposes of certifying internal controls and attesting to the accuracy of financial information.
The legislation has specific impact in several areas of security, including:
- Designing and implementing security controls such as those in the area of IAM.
- Documenting security policies.
- Auditing systems that process sensitive information.
- Security awareness training.
Major Sections of SOX
Section 302 requires the organization’s CEO and CFO to certify financial reports on a quarterly and annual basis. This section recommends the use of “sub-certification.” Sub-certification implies that middle managers may also be vulnerable to certification penalties if high-ranking executives are penalized. Thus financial professionals who provide information used in their companies’ reports to the SEC may be asked to “sub-certify” the documents by signing an affidavit.
Section 404 requires an annual certification of internal controls, attestation of that certification by an independent accountant, and quarterly reviews for any updates and changes required. This calls for the production of a new report that validates the internal controls over the financial reporting process.
Section 409 concerns material event reporting and its “real-time” implications. What this implies is improved notification to the marketplace of material events that may impact the financial results of the business. Businesses will need to bring further focus to the recognition, analysis and communication of material business events.
Section 906 imposes criminal penalties for false declarations relating to certifications, such as those required in Section 302. Today, about 250 investigations have resulted in 25 CEO convictions.
Our focus in this article is on Section 404 as it is emerging as the largest driver of SOX projects and has direct implications for IT and security departments within organizations.
Section 404: Management Assessment of Internal Controls
Many in the industry consider Section 404 to be the most critical part of SOX. Section 404 requires an internal control report. This internal control report must:
- State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.
- Contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
- Drive projects and initiatives within organizations to implement controls and procedures for managing the financial reporting process.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO, www.coso.org) publishes a standardized framework that an organization may follow to conduct a risk assessment of the internal controls it has around its financial reporting process. Section 404 compliance rules are largely based on the definition of internal control developed in 1992 by COSO. COSO defines internal control as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations; reliability of financial reporting; and compliance with applicable laws and regulations.”
The COSO framework consists of three dimensions:
- The nature of control objectives, such as operations, financial reporting and compliance.
- The organizational breadth of the company.
- The five components of effective internal control.
The five components of effective internal control are: control environment, risk assessment, control activities, information and communication, and monitoring. The result of a COSO framework-based risk assessment is an identification of the gaps in compliance and their associated risks, together with recommendations about the controls that will need to be implemented to meet all compliance requirements.
From a technology perspective, the business processes that are of relevance to Section 404 compliance include:
- Data submission, financial consolidation and financial statement generation.
- Purchase requisition to vendor payment.
- Sales order to customer remittance.
- Asset acquisition to disposal/write-off.
- Project initiation to revenue recognition.
- Inter-company transaction processing.
- Currency translation in financial reporting.
Compliance will therefore require technology solutions that can provide information such as:
- The source of the data behind information that is presented in reports.
- Identity information that binds each change, entry or modification of financial report data to the individual who made it.
- The original classification of information.
- Assurance that tampering has not occurred.
- Processes the information has gone through to reach the report.
- Roles and authorities of individuals who have had access to the information.
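The list above reads as a specification for a tamper-evident audit trail: each change to report data must carry its source, the authenticated individual and role behind it, the data classification, the process step it went through, and a way to prove the record itself has not been altered. The following Python example, added here and not part of the original article or of any vendor product, shows one way to meet those requirements with an HMAC-chained log. The key, the actor names, the process-step names and the figures are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed demo key. In a real deployment the key would be held by the
# audit function (e.g. in an HSM or secrets manager), not by the application
# that writes the entries, so that writers cannot forge or rewrite history.
AUDIT_KEY = b"constructed-demo-key-not-for-production"

GENESIS_MAC = "0" * 64  # prev_mac value for the first entry in a chain


@dataclass
class AuditEntry:
    seq: int              # position in the chain; detects reordering/deletion
    timestamp: str        # when the change was recorded (UTC, ISO 8601)
    actor: str            # authenticated identity that made the change
    role: str             # role under which the change was authorized
    source: str           # system of record the figure came from
    classification: str   # original classification of the information
    process_step: str     # e.g. data_submission, financial_consolidation
    field_name: str       # which report figure changed
    old_value: str
    new_value: str
    prev_mac: str         # MAC of the previous entry (the chain link)
    mac: str = ""         # HMAC-SHA256 over every other field


def _canonical(fields: dict) -> bytes:
    """Stable serialization so the same entry always produces the same MAC."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[AuditEntry] = []

    def _mac(self, entry: AuditEntry) -> str:
        body = {k: v for k, v in asdict(entry).items() if k != "mac"}
        return hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()

    def record(self, actor: str, role: str, source: str, classification: str,
               process_step: str, field_name: str, old_value: str,
               new_value: str, timestamp: Optional[str] = None) -> AuditEntry:
        prev_mac = self.entries[-1].mac if self.entries else GENESIS_MAC
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        entry = AuditEntry(len(self.entries), ts, actor, role, source,
                           classification, process_step, field_name,
                           old_value, new_value, prev_mac)
        entry.mac = self._mac(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (True, None) if every entry is intact and correctly linked,
        otherwise (False, index_of_first_bad_entry)."""
        expected_prev = GENESIS_MAC
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_mac != expected_prev:
                return False, i
            if not hmac.compare_digest(self._mac(e), e.mac):
                return False, i
            expected_prev = e.mac
        return True, None

    def history(self, field_name: str) -> List[Tuple[str, str, str, str]]:
        """Answer the auditor's question for one figure: who changed it, in
        what role, at which process step, and to what value."""
        return [(e.actor, e.role, e.process_step, e.new_value)
                for e in self.entries if e.field_name == field_name]


def build_sample_trail(key: bytes = AUDIT_KEY) -> AuditTrail:
    """Constructed sample: one revenue figure moving through three steps."""
    t = AuditTrail(key)
    t.record("jdoe", "staff_accountant", "GL export (constructed)", "internal",
             "data_submission", "revenue_q3", "", "1250000.00",
             "2004-10-05T09:12:00+00:00")
    t.record("asmith", "controller", "consolidation engine (constructed)",
             "confidential", "financial_consolidation", "revenue_q3",
             "1250000.00", "1248500.00", "2004-10-06T14:30:00+00:00")
    t.record("asmith", "controller", "consolidated ledger (constructed)",
             "confidential", "statement_generation", "revenue_q3",
             "1248500.00", "1248500.00", "2004-10-07T08:00:00+00:00")
    return t


def tamper_demo(key: bytes = AUDIT_KEY) -> Tuple[bool, Optional[int]]:
    """Simulate an edit made outside the controlled process and show that
    verification pinpoints the altered entry."""
    t = build_sample_trail(key)
    t.entries[1].new_value = "1350000.00"   # silent change to the stored record
    return t.verify()


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", trail.verify())
    print("history:", trail.history("revenue_q3"))
    print("after tampering:", tamper_demo())
```

The chain detects modification, reordering or deletion of any interior entry, because each MAC covers the previous MAC and the sequence number. It does not by itself detect truncation of the most recent entries; for that the latest MAC (or the entry count) has to be anchored somewhere the writer cannot reach, such as a periodic write-once export held by the audit function.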
The material events that Section 409 is focused on will also shape the deployment of technologies, which must address areas such as exceptional financial variances, the winning or losing of major projects, revenue recognition events, the initiation or termination of significant agreements or customer relationships, new investments or the termination of funding, and large deferred expense or revenue items.
Security Vendor Solutions