Sarbanes-Oxley Act - SOX

The Sarbanes-Oxley Act of 2002 (SOX) was designed to reform the reporting, governance, and disclosure of public company financial statements. It was issued in response to accounting scandals such as those at Enron, Tyco International and WorldCom, and it establishes controls around the integrity of financial reporting by public companies. Because technology is so commonly used for financial management, SOX has significant implications for information security.

SOX mandates that public companies demonstrate due diligence in the disclosure of financial information and maintain internal controls and procedures for the communication, storage, and protection of that data. The control requirements outlined in sections 302 and 404 call for an internal control framework and reporting procedure to ensure accurate financial disclosures, periodic review of control effectiveness, and management sign-off on the security around financial reporting processes.

Formalized systems for implementing and measuring IT procedures can provide organizations with specific standards for meeting the complex regulatory requirements of standards like SOX. One such framework, the Control Objectives for Information and Related Technology (COBIT) framework, has been readily adopted by many corporations and auditors to help establish and maintain SOX controls.

While not explicitly mentioned in the legislation, IT security is a central requirement of SOX compliance: companies must assess any risk associated with information technology or internal processes that may affect the accurate and timely reporting of financial information. Specific requirements include:

Section 302: Establishes the responsibilities of the CEO and CFO for establishing and maintaining internal controls.

Section 404: Requires management to assess the effectiveness of internal controls, obtain external validation of those controls, and provide assurances that financial/accounting processes are protected from unauthorized usage.

Section 409: Requires real-time disclosures of material events.
