INFORMATION TECHNOLOGY SECURITY REQUIREMENTS UNDER 'SOX'

by David L. Richards

In response to the Enron, WorldCom, Arthur Andersen and other accounting scandals of 2001-2002, Congress enacted the Sarbanes-Oxley Act of 2002 ("SOX") primarily "to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws" (SOX preamble). The portions of the Act that affect information security are set forth primarily in two sections of the law, sections 302 and 404. Section 302, "Corporate responsibility for financial reports," requires that the periodic financial reports of public companies be personally certified by the firm's CEO and CFO as both accurate and complete. In particular, these officers are responsible for "establishing and maintaining internal controls" over the firm's financial operations, for reporting any "significant changes in internal controls," and for reviewing the firm's financial reports to ensure that they "fairly present in all material respects the financial condition and results of operations of the [firm]" (§ 302(a)(3), (a)(4)(A)). Section 404, "Management assessment of internal controls," directs the Securities and Exchange Commission to promulgate rules requiring the management of public firms to establish, maintain, and annually assess internal controls over financial reporting, and requires the registered public accounting firm that prepares the firm's audit report to attest to, and report on, management's internal control assessment (§ 404(a)(1)-(2), (b)).

The Act further created the Public Company Accounting Oversight Board (PCAOB) to oversee the public accounting firms that perform these audits and to ensure their compliance with the internal control assessments required under the Act (§ 101(a)). Among other directives, the PCAOB auditing standard for audits of internal control over financial reporting (Auditing Standard No. 2, superseded in 2007 by Auditing Standard No. 5) requires auditors of public firms to evaluate "[t]he nature and complexity of the [firm's] systems, including the use of information technology by which the company processes and controls information supporting the assertion[s]" in its financial statements, and points out that "information technology general controls over program development, program changes, computer operations, and access to programs and data help ensure that specific controls over the processing of transactions are operating effectively" (PCAOB, §§ 50, 69).

Of particular note with regard to a firm's information systems: although § 404 of the Act makes no specific mention of information technology, let alone of any specific internal control standards or measures for the IT processes that support financial reporting, the controls required by SOX implicitly extend to the computers, software, data management, and other technology on which a public firm's financial reporting depends, because those systems determine the accuracy and integrity of the financial data. Since inappropriate or unauthorized manipulation of the firm's IT processes (an unreviewed change to a program that computes revenue, for example, or unrestricted write access to the general ledger data) can directly affect both the accuracy and the integrity of financial data, the firm's IT security measures, in particular its controls over program changes, access to programs and data, and computer operations, must also satisfy the requirements of the Act.

In addition to the broad internal control framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the standard guidelines used to assess the compliance of IT processes with SOX are the IT governance and control objectives set out in "Control Objectives for Information and related Technology" (COBIT), issued by ISACA (formerly the Information Systems Audit and Control Association). Although the first iteration of COBIT predates and was unrelated to SOX, the version current when this was written, COBIT 5, includes dedicated guidance for information security (COBIT 5 for Information Security) and has become the de facto standard for assessing IT compliance with the Act. (COBIT 5 has since been superseded by COBIT 2019.)

In broad outline, COBIT 5 rests on five principles governing the integrity and security of IT that are intended to help firms "create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use": (1) Meeting Stakeholder Needs, (2) Covering the Enterprise End-to-end, (3) Applying a Single, Integrated Framework, (4) Enabling a Holistic Approach, and (5) Separating Governance From Management (ISACA . . . Preview, 7; ISACA . . . Introduction, 6). Among other things, COBIT 5 sets forth guidance regarding "[i]nformation security policies, principles, and frameworks; [p]rocesses, including information security-specific details and activities; [i]nformation security-specific organizational structures; [i]n terms of culture, ethics and behavior, factors determining the success of information security governance and management; [i]nformation security-specific information types; [s]ervice capabilities required to provide information security functions to an enterprise; and [p]eople, skills and competencies specific for information security" (ISACA . . . Introduction, 18).

Sources:

ISACA (2014). COBIT 5 for Information Security—Introduction. Retrieved from http://www.isaca.org/COBIT/Documents/COBIT5-and-InfoSec.ppt

ISACA (2014). COBIT 5 for Information Security—Preview Version. Retrieved from http://www.isaca.org/COBIT/Documents/COBIT-5-for-Information-Security-Introduction.pdf

PCAOB (2014). Auditing Standard No. 2—An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements. Retrieved from http://pcaobus.org/Standards/Auditing/Pages/Auditing_Standard_2.aspx