The Sarbanes-Oxley Act of 2002
The Sarbanes-Oxley Act of 2002 is an Act of the United States Congress whose stated purpose is "to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes."
The Sarbanes-Oxley Act of 2002 was enacted in response to public accounting scandals at Enron, WorldCom, Tyco and elsewhere. It introduces new measures, and amends existing measures, to ensure that financial statements made by publicly traded corporations are accurate, reliable and timely.
The Sarbanes-Oxley Act of 2002 includes the following broad provisions:
- Introduction of a board to oversee registered audit firms.
- Requirements for independence of auditors from other services provided to publicly traded companies.
- Introduction of rules of corporate responsibility, and in particular responsibility for senior officers of public corporations.
- Improved financial disclosures.
- Prohibition of conflicts of interest affecting financial analysts.
- New resources and authority for the Securities and Exchange Commission.
- Rules and penalties regarding fraud.
- Rules and penalties regarding corporate taxes.
- Initiation of studies to further improve the corporate governance environment in the United States.
The Sarbanes-Oxley Act of 2002 was signed into law on July 30, 2002. Large corporations had to comply as of June 15, 2004. Smaller companies had to comply fully by April 15, 2005.
While the Sarbanes-Oxley Act of 2002 does not make specific mention of information security, it does make reference to sound internal controls, which in turn depend on information security. Some of the relevant highlights from the Act follow:
Among other things, section 201 prohibits financial auditors from also providing these services:
- Financial information systems design and implementation.
- Management functions or human resources.
IAM Impact: Since both financial systems and HR may be closely integrated with information security infrastructure, this effectively prevents auditors from becoming closely involved in the design and implementation of information security projects.
Section 302 stipulates that the principal executive officer (CEO) or officers and the principal financial officer (CFO) or officers, or persons performing similar functions, certify in each annual or quarterly report that:
- They are responsible for internal controls.
- They have designed internal controls to ensure that all material financial information is available to the appropriate persons to support preparation of these annual or quarterly reports.
- They have evaluated the effectiveness of the above internal controls in the last 90 days.
- They include in the annual or quarterly report information about their assessment of the effectiveness of internal controls.
The CEO and CFO (or equivalent) must also disclose to their auditors any significant deficiencies in their internal controls, and any fraud that has been discovered and that involves staff with a key role related to internal controls.
Finally, the CEO and CFO must disclose if there were any changes in internal controls, and corrective action taken to address previous problems with internal controls.
IAM Impact: This section requires very strong internal controls, and management assurance that the controls are designed and implemented effectively. Internal controls in financial reporting systems require sound security, since these systems cannot be trusted without ensuring:
- Protection of data
- Authentication of users
- Authorization of user actions
- A capability to audit user actions and transactions, in order to create accountability
Section 404 requires that management include in their annual report:
- A statement of responsibility for internal controls.
- An assessment of the current state of internal controls.
This section also requires that registered public accounting firms attest to and report on management's assessment of internal controls.
IAM Impact: This section strengthens the requirement for strong internal controls initially laid out in Section 302.
Section 409 introduces a requirement for public companies to provide "real time" (i.e., very timely) reporting on material changes in the condition and operations of the company.
IAM Impact: This section implies that internal controls must be efficient and reliable enough to support real-time publication of important business data from ERP and operational systems.