Audit Information systems & IT Security

Sarbanes-Oxley Act


SOX Overview

The Sarbanes-Oxley Act was passed in 2002 to strengthen corporate governance and restore investor confidence. The act was sponsored by US Senator Paul Sarbanes and US Representative Michael Oxley. It was passed in response to a number of major corporate and accounting scandals in the United States, the best known of which is Enron. The legislation is wide ranging and establishes new or enhanced standards for all US public company boards, management, and public accounting firms. SOX contains eleven sections, ranging from additional corporate board responsibilities to criminal penalties.

SOX does not directly regulate Information Technology. However, IT is the backbone of the financial processes that the law regulates. Section 302 requires that the CEO, the CFO and an attesting public accounting firm certify the accuracy of the financial statements and certify that those statements fairly present the operations and financial condition of the issuer. It also requires that material information used to generate the reports be retained and made available to the public. This directly affects the IT and security departments, because it is primarily IT systems that generate these periodic reports and that control e-mail, the main method of communication within most organizations. These systems must remain secure and reliable.

Section 404 is the section of Sarbanes-Oxley most pertinent to information security. It addresses the need for corporate management to be fully accountable for the integrity of all data associated with their financials. It states that the management teams of public companies must establish and maintain adequate "Internal Controls" over their financial reporting systems to safeguard against unauthorized and improper use of financial information. Internal Controls are defined as "all control methods a company uses to prevent, detect and correct errors and frauds that might get into financial statements".

The act requires that companies undergo a risk assessment related to their financial systems and that they provide an Internal Control report annually that outlines the effectiveness of the Internal Control structure in place.

Additionally, Sarbanes-Oxley requires that companies keep detailed records related to their financial systems. This includes electronic records as well as paper records. Information Technology's role in logging these records and making them available will be critical.

There are discrepancies in the interpretation of Internal Controls within Sarbanes-Oxley. SEC regulations focus strictly on the financials themselves and the immediate security of those financials. The Federal Reserve Board, on the other hand, is pushing for a broader interpretation that would include all operational risk.

Along those lines, a report published by the Committee of Sponsoring Organizations (COSO), Internal Control - Integrated Framework, is an effort to define and describe more clearly the vague terms within the legislation. It has been publicly accepted by many related organizations, such as the American Institute of Certified Public Accountants (AICPA) and the Auditing Standards Board (ASB). Many analysts and auditors agree that any company that wants to ensure compliance with SOX should follow COSO as a best practice, even though it is not formally endorsed by the PCAOB or its governing body, the SEC.

The COSO report, entitled Internal Control - Integrated Framework, states that there are five components associated with creating, maintaining and verifying Internal Controls. These components are:

  • Control Environment - This represents the foundation of all Internal Controls within the enterprise through corporate discipline, integrity and structure. It requires full cooperation and participation of management and the board of directors.

  • Risk Assessment - This is the identification and analysis by management of relevant risks to achieving business objectives and a determination of how they should be managed.

  • Control Activities - These are the policies, procedures and practices that ensure management objectives are achieved and risk mitigation strategies are carried out. Control activities occur at all levels and functions within an organization and include the following: approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

  • Information and Communication - This requires the identification and capture of critical information in the form of reports that enable management to run and control the business. It also requires that effective communication about control responsibilities flows to all employees throughout the organization: up, down and across.

  • Monitoring - Internal control systems need to be monitored to assess the quality of the system's performance over time. Monitoring can be carried out on an ongoing basis in the course of operations or through separate evaluations.

Obtaining SOX

The whole act can be downloaded in PDF from this link.

Auditing for SOX compliance

The IT Governance Institute has published IT Control Objectives for Sarbanes-Oxley, which is free for anyone to download.

Implementing SOX 404 -- Auditor's Attestation, a short page from McGladrey & Pullen.

SOX Links

U.S. Securities and Exchange Commission (SEC)

SOX institute

Taking Control: A Guide to Compliance with Section 404 of the Sarbanes-Oxley Act of 2002 from Deloitte

SOX discussion forums

Many SOX-related links can be found here.


Copyright 2006-2008. All Rights Reserved.