IT, SOX and the General Control Environment

Article for ComplianceExecutive.com

February 2007

Good corporate governance depends on the effective management of internal controls and on the availability, confidentiality, and integrity of information within the enterprise. Corporate reputation, brand preservation, and financial results all depend on the defense of business processes, and on compliance with a growing array of legislation and regulation. For companies listed on US exchanges, the Sarbanes-Oxley Act of 2002 (‘SOX’) is – even though it is currently subject to review – of overriding importance.

Information security has a fundamentally important role to play in SOX compliance, because information is fundamental to today’s business, and the technology within which it is stored touches every aspect of the extended organization and connects business processes.  Traditional security models are inadequate for managing financial control-related information security risks. Quoted companies need an end-to-end system-based approach that is integrated, collaborative, and adaptive, and that helps it better manage its network security risk while helping it to meet SOX requirements.

In a compliance environment that contains, in addition to SOX, other overlapping, inconsistent, sometimes untested and often contradictory laws and regulations, organizations must increasingly turn to best practice solutions that will simultaneously combat their real-world information threats while helping them meet SOX and other regulatory requirements. ISO 27001 is one such best practice framework. ISO 27001, in conjunction with ISO 17799, provides technology-neutral and best-practice guidance on the management of information security risks.

The Sarbanes-Oxley (SOX) Act of 2002 was passed to ensure that corporate executives are held responsible for establishing, evaluating and monitoring the effectiveness of internal controls over their financial reporting.  In order to ensure compliance, SOX legislation contains provisions that include both criminal and civil penalties for any violations. 

• Section 302 requires the CEO and CFO to certify that the financial reports are true and accurate, and that adequate controls exist over financial reporting and disclosure.
• Section 404 describes these controls, requires that certification be reasonable and that outside auditors certify the existence of adequate controls over financial reporting.
• Section 409 requires prompt reporting of any changes in financial condition that might be material to investors.
• Section 802 mandates the retention by companies and their auditors of accounting documents and work papers for a minimum of seven years.

SOX specifically focuses on the accuracy of a company's financial records and controls around these records related to income, expenses, accounting, liabilities, etc.  Information security is a fundamental component of SOX compliance as a result of the Public Company Accounting Oversight Board (the PCAOB, which was created as a result of SOX to define auditing standards) creating Standard #2. This states that senior management is responsible not only for financial information but also for the way that information is generated, accessed, collected, stored, processed, and transmitted. The general controls, and general control environment, inside an organization determines the environment within which the specific controls operate. In other words, if an organization’s general controls are weak, its specific controls will be undermined and, potentially, ineffective.

Any company that is publicly traded in the United States is subject to SOX, including all their divisions and wholly owned subsidiaries.  Also affected is any non-US public multi-national company doing business in the United States.  Finally, although not mandatory at this time, any new or any currently private firm may wish to comply with the SOX financial framework requirements in preparation for an initial public offering (IPOs), private funding or to achieve a “best practices” benchmark.

Any solution that addresses the issues raised by SOX requires a layered, integrated approach to security.  A controls framework, such as ISO 27001/ISO17799, or a process framework, such as CobiT, can provide an organization with a best-practice approach that underpins SOX compliance. It is also possible to combine these two frameworks, using CobiT for the overall governance structure and ISO 27001 to focus specifically on managing information security risk.

This approach helps organizations better manage their network security risk while readying them to meet regulatory compliance requirements.