The Impact of Sarbanes-Oxley (SOX)
Act on Information Security Governance
Gurpreet Dhillon & Sushma Mishra
References
[1] W. Borden, “HealthSouth scandal the latest in health care ills”,
http://www.forbes.com/newswire/2003/11/04/rtr1135443.html, Reuters News Service, November, 2003.
[2] D. Callahan, “WorldCom”, In the cheating culture: Why More Americans Are DOING WRONG to Get Ahead,
http://www.cheatingculture.com/worldcom.htm, (current 12 Feb 2007), Harcourt, January, 2004.
[3] The Committee of Sponsoring Organizations (COSO) of the Treadway Commission, http://www.coso.org/, (current 12 Feb 2007).
[4] G. Dhillon & S. Mishra, “The Impact of Sarbanes-Oxley (SOX) Act on Information Security Governance,” Chapter V In
Enterprise Information Systems Assurance and System Security: Managerial and Technical Issues, M. Warkentin & R.B. Vaughn, eds., Idea Group Publishing, 2006, pp. 62-79.
[5] The Institute of Internal Auditors, “Applying COSO’s Enterprise Risk Management – Integrated Framework,”
http://www.tamus.edu/offices/iaudit/presentations/ERM%20COSO%20Presentation.ppt#258,1,Applying COSO’s Enterprise Risk Management — Integrated Framework, September, 2004.
[6] Lerach Goughlin Stoia Geller Rudman & Robbins LLP, “THE ENRON FRAUD,”
http://www.enronfraud.com/, (current 12 Feb 2007).
[7] SOX-online, COSO & COBIT Center, http://www.sox-online.com/coso_cobit.html, (current 12 Feb 2007).
[8] Tyco Fraud InfoCenter, “Tyco Fraud Information,” http://www.tycofraudinfocenter.com/index.php, (current 12 Feb 2007). [9] Wikipedia: The Free Encyclopedia, “Control Objectives for Information and related Technology (COBIT),”
The Impact of SOX Act on Information
Security Governance
Jeopardy Question
Corporate & Information Technology (IT) Governance Industry Internal Control Assessment Frameworks
Fundamental Business Objectives
Committee of Sponsoring Organizations (COSO) of the Treadway
Commission
Control Objectives for Information and related Technology (COBIT) Sarbanes-Oxley Act (SOX)
The Importance of Information Technology Governance to
SOX
Let’s Play Jeopardy – Corporations for $1000
Enron
HealthSouth
Tyco
And the Question Is?
Who are:
Corporations that were victims of outrageous
accounting fraud and corporate governance failures.
Enron: Filed for Chapter 11 bankruptcy in December, 2001;
Executives accused of insider trading ($1.19 billion), Overstated net income by $591 million. [6]
HealthSouth: Executives indicted November, 2003; Conspired to
inflate earnings by $2.7 billion;. [1]
Tyco: Executives charged with civil fraud and theft in September,
2002; Accused of stealing $600 million. [8]
WorldCom: Filed for bankruptcy in November, 2002 – largest in
Corporate & IT Governance
Corporate Governance: “is ethical corporate
behavior by directors or others charged with
governance in the creation and presentation of
wealth of all stakeholders.”
IT Governance: “is a structure of relationships
and processes to direct and control the
Industry Internal Control
Assessment Framework
Internal Controls: A set of policies,
procedures, and organizational structures
implemented to reduce risk and assure
business objectives are achieved.
Fundamental Business Objectives
COSO
Fundamental Business Objectives
Economy and Efficiency of operations
Reliability of financial and operational data
and management reports
Well-guided compliance efforts directed to all
Committee of Sponsoring Organizations
(COSO)
of the Treadway Commission Framework
Original control evaluation components
1) Control environment: Are policies and procedures defined and followed that promote ethical behavior?
2) Risk assessment: Are potential threats identified?
3) Control activities: Are control procedures implemented -- checks and balances?
4) Information and communication: Is related internal and external data consulted to make informed decisions? 5) Monitoring: Are control systems evaluated to ensure
COSO cont.
Additional control evaluation components [D]
6) Objective setting: Is risk strategy considered when setting objectives?
7) Event identification: Are internal and external events that may influence the risk profile identified?
Control Objectives for Information and
Related Technology (COBIT)
Planning and organization: Must understand the strategic
importance of IT and how to best utilize IT to meet business objectives.
Acquisition and implementation: Focuses on development
and/or acquisition and implementation of tools to meet business objectives.
Delivery and support: Considers the delivery of system
support services; definition of support processes.
Monitoring: focuses on monitoring all IT processes for
Figure 1. Relationship between COSO components and COBIT objectives (excerpt)
COBIT Control Objectives
COSO Component C on tro l E nv iro nm en t R isk A ss es sm en t C on tro l A cti vit ie s In fo rm ati on a nd C om m un ic ati on M on ito rin g
Deliver and Support (DS)
Define and manage service levels x x x
Manage third-party services x x x x
Manage performance and capacity x
The Impact of SOX Act on Information
Security Governance
Jeopardy Question
Corporate & Information Technology (IT) Governance Industry Internal Control Assessment Frameworks
Fundamental Business Objectives
Committee of Sponsoring Organizations (COSO) of the Treadway
Commission
Control Objectives for Information and related Technology (COBIT) Sarbanes-Oxley Act (SOX)
The Importance of Information Technology Governance to
SOX
Sarbanes-Oxley Act (SOX)
The Public Company Accounting Reform and
Investor Protection Act
Law passed by U.S. Congress in July, 2002
(131 pages)
Requires companies to use stringent policies
SOX cont.
Mandates auditor involvement at every stage of
assessment of business effectiveness.
Oversight is provided by the powerful
Public
Company Accounting Oversight Board (PCAOB).
Violation of any U.S.
Security and Exchange
Commission (SEC) rule issued under SOX
The Importance of IT Governance to SOX
(SOX Control Examples)
Title IX – White Collar Crime Penalty
enhancements: Section 906. Corporate
Responsibility for Financial Reports:
The Importance of IT Governance to SOX
(SOX Control Examples
cont.)
Title VIII – Corporate and Criminal Fraud
Accountability: Section 802. Criminal
Penalties for Altering Documents:
Establishes new criminal penalties for altering
and destroying “corporate audit documents
The Importance of IT Governance to SOX
(SOX Control Examples
cont.)
Title IV – Enhanced Financial Disclosures:
Section 404. Management Assessment of
Internal Controls:
Requires CEOs and CFOs to certify the
effectiveness of the financial controls they
IT Challenges
SOX became law in July, 2002. “SOX came into effect in
2004.” Corporations were required to comply by November, 2004.
Reliable and verifiable data integrity and electronic records
retention policy
Integrity of communications Process/work flows
Disaster recovery practices and security policies Improve anti-fraud techniques across industries
Conclusion
To comply with the SOX:
companies will need to improve information
quality.
Technology improvements are required to provide
cost-efficient, online, real-time reporting.
SOX can’t legislate ethics and integrity into
Presentation Use Authorization
Permission is granted to share this
presentation with the public.
Permission is granted to use this presentation
at Mississippi State University.
________________