Question

Table 2-1 in the text provides a list of key U.S. laws of interest to information security professionals. Rather than have you comment on all 33 of them (you're welcome), let's pick one to discuss: Sarbanes-Oxley. Isn't this law about making sure companies have accurate financial statements? Why would compliance with this law be a concern for information security professionals?

Answer 1

The Sarbanes- Oxley Act commonly called SOX is a law passed in response to number of major corporate and accounting scandals. This act make sure about accurate presentation and disclosure of financial information.

Under Sarbanes- Oxley Act two separate certification sections came into effect- one civil and other criminal. Act mandate a set of internal procedure designed to ensure accurate financial disclosure. The signing officer must certify that they are “responsible for establishing and maintaining internal controls” and “have designed such control to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared.” The officers must “have evaluated the effectiveness of the company’s internal control as of a date within 90 days prior to the report” and “have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date.”

The Act established corporate accountability and civil and criminal penalties for white collar crimes. This act has 11 titles which contain various provisions which are as under:-

S.No.	Title	Major provisions
1	Public Company Accounting Oversight Board-	Aim of establishment of this board is establishing public confidence in the Report of Independent Registered Public Accounting Firm and to protect the interest of investors.
2	Auditor Independence	Auditors to follow Provisions of this act and need to comply PCAOB rules and regulations. Further this title enhances the rights, duties and responsibilities of Audit Committee.
3	Corporate Respnsibility	i)Audit committee should be more independent. Ii) One of the Audit Committee should be financial expert. Iii) CEO and CFO require issuing certification of quarterly financial results. Iv) Pension rules for management and their officers.
4	Enhanced Financial Disclosure	i) Provide objective and transparency in disclosure of financial results. II) Disclosure of Corporate mission Statement iii) Disclosure of holding of management in companies securities.
5	Analyst Conflict of Interest	Declaration about conflict of interest.
6	Commission Resources and Authority	To provide mote security exchange committee and federal courts to impose prohibition on various corporate persons.
7	Studies and Reports	Federal regulatory body can conduct study about various accounting & financial firms .
8	Corporate and Criminal Fraud Accountability	Tougher Civil and criminal penalties for fraud and accounting scandals & others.
9	White Collar Crime Penalty Enhancement	Tougher practice for Chief executive officers & Chief Financial Officer on wrong working and frauds. Impose penalties on CEO and CFO for carrying a misleading or fraudulent report.
10	Corporate Tax Returns	All federal returns should be signed by CEO
11	Corporate Fraud and Accountability	Various actions on civil and criminal proceedings.

Concern for Information Security Professionals

Financial reporting processes of various companies are driven by IT systems. Therefore it is apparent that IT plays a vital role in internal control. Chief information officers are responsible for the security and reliability of the system that manage and report the financial data. Systems such as ERP are highly integrated in the all the process of financial data. As such they are linked to the overall financial reporting process and therefore need to be assessed along with other important process for compliance with Sarbanes Oxley Act. Therefore Chief information officers (CIO) play a significant role in the signoff of financial statement.

Committee of sponsoring Organizations of the trade way commission defines five areas and their impact for the IT departments. They are:-

1. Risk Assessment:- IT personnel must assess and understand the areas of risk affecting the completeness and validity of the financial reports. They must check accuracy of systems and reports.
2. Control Environment: - Employees should train with design implementation and quality assurance and development team should understand the entire technology lifecycle.
3. Control Activities:- Organizations must frame document usage rule and create and audit trails for each system that contribute financial information. Written policies should define the specification, business requirements and other documents expected for each project.
4. Monitoring: - Auditing processes and schedules should be developed to address high risk areas with the IT organizations.
5. Information and Communication: - IT management must demonstrate to company management an understanding of what needs to be done to comply with Sarbanes Oxley.