Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act of 2002 (SOX) (also known as the Corporate and Criminal Fraud Accountability Act of 2002), Pub. L. No. 107-204, 116 Stat. 745 (July 30, 2002), codified at 15 U.S.C. §7262.
The Act was enacted to ensure the accuracy of, and restore investor confidence in, the financial statements that corporations provide to government regulators such as the Securities and Exchange Commission (SEC). It was passed in response to several high-profile accounting scandals involving Enron, WorldCom (MCI), Global Crossing and Tyco International that resulted in billions of dollars in corporate and investor losses.
SOX applies to both U.S. publicly-owned corporations (and their wholly-owned subsidiaries) and all foreign publicly-owned corporations whose shares are registered with the SEC. The SEC enforces the Act. The Act requires that CEOs and CFOs certify that reports periodically filed with the SEC fairly present the company’s financial condition.
SOX does not specify the processes or systems a public company must undertake to comply with the Act. In general, the company needs to install multiple security technologies, including firewalls, intrusion detection systems, anti-virus software and so forth. But more is required. SOX “is subject to such broad interpretation as to make its implementation and enforcement in the IT world a nightmare.”
Public Company Accounting Oversight Board
Pursuant to the Act, the SEC created the Public Company Accounting Oversight Board (PCAOB) to oversee public company auditors, protect investors, and ensure that auditors conduct informative, fair, and independent audits. The PCAOB was given the task of developing corporate compliance requirements. It developed and issued its Proposed Accounting Standards, which provide additional guidance for assessing compliance with SOX.
Important provisions for the IT sector
The Act has many sections, but those that most directly impact software and system security issues are Section 302 (making corporate officers and directors personally liable for misreporting financial information) and Section 404 (requiring corporate officers and directors and independent auditors to attest annually to the accuracy of the internal financial controls).
The cost of compliance with the Act is enormous. It is estimated that U.S. public companies spent about $5.5 billion in 2004 to comply with the Act, and an additional $5.8 billion in 2005.
Section 302
Section 302 of the Act states that the CEO and CFO are directly responsible for maintaining the company’s internal control structure and for the accuracy, documentation and submission of all financial reports to the SEC. They must personally certify that the financial reports are accurate and complete.
Internal control is not “one-size-fits-all,” and the nature and extent of controls that are necessary depend, to a great extent, on the size and complexity of the company. Large, complex, multi-national companies, for example, are likely to need extensive and sophisticated internal control systems.
The company’s financial reports cannot contain any misrepresentations and the information in the report must be “fairly present[ed].” The CEO and CFO must report any deficiencies in the company’s internal accounting controls, or any fraud involving the management of the audit committee, and must indicate any material changes in internal accounting controls.
Section 404
Section 404 of the Act requires that the management of public companies assess the effectiveness of the company’s internal controls over financial reporting and certify in the annual report that those controls operate effectively and comply with the requirements of the Act and its related rules and regulations. The assessment also must be reviewed and approved by an outside auditing firm.
Basically, it means that management must look closely and regularly at all the steps taken to ensure the integrity and reliability of the company’s financial statements and tell the public if there is any “material weakness” in the design or operation of these steps—thereby hopefully avoiding another Enron-like surprise.
This section “seems to have caused the biggest headaches, and it’s the one that deals with information security.”
The Act requires the SEC to issue rules requiring publicly held companies to include in their annual reports an internal control report containing:
- a statement of management’s responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and
- an assessment by management at the end of the company’s most recent fiscal year of the effectiveness of the company’s internal control structure and procedures for financial reporting.
The SEC has issued rules to implement Section 404. These rules provide that the internal controls subject to assessment by management include, but are not limited to:
- controls over initiating, recording, processing, and reconciling account balances;
- controls over classes of transactions and disclosure and related assertions included in the financial statements;
- controls related to the initiation and processing of non-routine and non-systematic transactions;
- controls related to the selection and application of appropriate accounting policies; and
- controls related to the prevention, identification, and detection of fraud.
Section 404 also requires that every registered public accounting firm that prepares or issues an audit report on a company’s annual financial statement attest to, and report on, the assessment made by management. The Act requires independent auditors to attest to the integrity of a public company’s financial controls.
Virtually all financial controls in use today are computer-based and software-controlled. These controls include internal control systems, such as transaction handling and accounting ledgers, and systems linked to third parties such as banks, trading exchanges and clearinghouses. Any software security breach constitutes a risk to the company’s internal financial systems, which could prevent compliance with the requirements of Section 404. Even if the security breach does not directly involve the financial systems, any compromise of the company’s IT systems could allow an outsider to reach the financial system. As such, Section 404 requires the company to secure its IT on an enterprise-wide basis sufficiently that the independent auditors and corporate executives are willing to attest to the security of the financial systems.
COBIT (an acronym for “Control Objectives for Information and related Technology”) was developed by the Information Systems Audit and Control Association (ISACA) to provide more specific guidance to companies in developing and assessing IT controls. COBIT addresses internal controls for thirty-four separate IT processes.
Auditing Standard No. 2
In March 2004, the PCAOB published its Auditing Standard No. 2, which specifies the “Internal Control – Integrated Framework (1992),” a document prepared by the Committee of Sponsoring Organizations for the Commission on Fraudulent Financial Reporting (COSO) (the "Treadway Commission"), as the control framework for financial reporting. Although not required by SOX, COSO has quickly become the international standard for managing compliance with the Act.
Auditing Standard No. 2 instructs auditors to focus on two interrelated questions:
- Was management’s assessment of the internal controls “fairly stated in all material respects”? and
- Did the company, in fact, “maintain, in all material respects, effective internal control over financial reporting”?
An attestation engagement to examine management’s assessment of internal controls requires the same level of work as an audit of internal controls over financial reporting. [The auditor] also needs to test the effectiveness of internal control to be satisfied that management’s conclusion is correct, and therefore, fairly stated.