Table 2-1 in the text provides a list of key U.S. laws of interest to information security professionals. Rather than have you comment on all 33 of them (you're welcome), let's pick one to discuss: Sarbanes-Oxley. Isn't this law about making sure companies have accurate financial statements? Why would compliance with this law be a concern for information security professionals?
The Sarbanes-Oxley Act, commonly called SOX, is a law passed in response to a number of major corporate and accounting scandals. This Act ensures the accurate presentation and disclosure of financial information.
Under the Sarbanes-Oxley Act, two separate certification sections came into effect: one civil and the other criminal. The Act mandates a set of internal procedures designed to ensure accurate financial disclosure. The signing officers must certify that they are “responsible for establishing and maintaining internal controls” and “have designed such control to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared.” The officers must “have evaluated the effectiveness of the company’s internal control as of a date within 90 days prior to the report” and “have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date.”
The Act established corporate accountability and civil and criminal penalties for white-collar crimes. The Act has 11 titles, which contain various provisions, as follows:
S.No. | Title | Major provisions
1 | Public Company Accounting Oversight Board | The aim of establishing this board is to build public confidence in the Report of Independent Registered Public Accounting Firm and to protect the interests of investors.
2 | Auditor Independence | Auditors must follow the provisions of this Act and comply with PCAOB rules and regulations. Further, this title enhances the rights, duties and responsibilities of the Audit Committee.
3 | Corporate Responsibility | The audit committee should be more independent.
4 | Enhanced Financial Disclosure | Provide objectivity and transparency in the disclosure of financial results.
5 | Analyst Conflict of Interest | Declaration of conflicts of interest.
6 | Commission Resources and Authority | To give the Securities and Exchange Commission and the federal courts more authority to impose prohibitions on various corporate persons.
7 | Studies and Reports | A federal regulatory body can conduct studies of various accounting and financial firms.
8 | Corporate and Criminal Fraud Accountability | Tougher civil and criminal penalties for fraud, accounting scandals and other offences.
9 | White Collar Crime Penalty Enhancement | Tougher treatment of Chief Executive Officers and Chief Financial Officers for wrongdoing and fraud. Imposes penalties on the CEO and CFO for certifying a misleading or fraudulent report.
10 | Corporate Tax Returns | All federal returns should be signed by the CEO.
11 | Corporate Fraud and Accountability | Various actions in civil and criminal proceedings.
Concern for Information Security Professionals
The financial reporting processes of most companies are driven by IT systems, so it is apparent that IT plays a vital role in internal control. Chief information officers are responsible for the security and reliability of the systems that manage and report financial data. Systems such as ERP are highly integrated into all the processes that handle financial data. As such, they are linked to the overall financial reporting process and therefore need to be assessed, along with the other important processes, for compliance with the Sarbanes-Oxley Act. Therefore chief information officers (CIOs) play a significant role in the sign-off of financial statements.
The Committee of Sponsoring Organizations of the Treadway Commission defines five areas and their impact on IT departments. They are:-