Impact of the Sarbanes-Oxley Act on Information Security Governance

Vijay V Vijayakumar
Difference between IT Management and IT Governance
Internal Controls
Frameworks for Implementing SOX
◦ COSO - Committee of Sponsoring Organizations of the Treadway Commission
◦ COBIT - Control Objectives for Information and related
◦ Comparison of COSO and COBIT
◦ Widespread malpractices in the financial accounting of public corporations, e.g. Enron
◦ Cost investors billions of dollars
◦ The Sarbanes-Oxley Act (SOX) was passed in 2002 to prevent such occurrences
◦ All public corporations have to comply with SOX
◦ To protect investors by improving the accuracy and reliability of corporate
disclosures made pursuant to the securities laws, and for other purposes.
◦ Create new standards for corporate accountability as well as new penalties
for acts of wrongdoing.
Impact: more focus on IT Governance (internal controls), transparency in
business practices, and more responsibility and accountability for top
management.
6 Areas of Importance
Auditor Oversight
Auditor Independence
Corporate Responsibility
Financial Disclosures
Analyst conflicts of interest
Civil and criminal penalties for fraud and document
Auditor Oversight
◦ A common source of error.
◦ No getting away from errors, whether made intentionally or
unintentionally by the auditor
Auditor Independence
◦ More independence to auditors
Corporate Responsibility:
◦ Requires CEOs and CFOs to certify that reports have been
reviewed and to the best of their knowledge.
◦ CEOs must evaluate internal controls before every
Financial Disclosures:
All disclosures should be attested by top management.
All events that might have an impact on financial conditions
must be reported within 48 hours.
Analyst Conflicts of Interest:
Manipulation is under the scrutiny of top management, thereby
reducing analyst conflicts of interest.
Civil and Criminal Penalties:
A fine of up to $1,000,000, or imprisonment for not more
than 10 years, or both
IT Governance can help put internal controls in place and
thereby comply with the SOX Act.
IT Management:
◦ Narrow focus
◦ Ensures the supply of IT services for normal operation.
IT Governance:
◦ Includes IT Management
◦ Plans how the organization can meet its goals through
optimal use of IT resources.
What are Internal Controls?
◦ Policies, procedures, practices, and organizational
structures put in place to reduce risks
◦ Put in place throughout the organization to reduce the risks
involved in the various stages of operation
◦ Economy and efficiency of operations
◦ Reliability of financial and management reports
◦ Compliance with laws and regulations
Unified approach for the evaluation of an Internal Control System
Focuses on processes and people
Has 5 control components that assure sound business
◦ Control Environment:
Management defines and communicates policies and
procedures to employees
◦ Risk Management:
Should be able to identify and analyze risks involved in
◦ Control Activities:
Processes like approval, authorization, and verification. Covers the
entire organization.
◦ Information and Communication:
Information should be able to make its way to the appropriate
person in a timely way through proper communication channels.
◦ Monitoring:
Controls are checked for proper functioning periodically. Remedies
are made known to auditors and action taken.
The latest version includes objective setting, event identification
and risk response
Framework consistent with COSO.
Rich, robust and most widely used
4 domains, 34 control objectives
Latest version is 4.1
Aligns IT with business objectives, quality standards,
monetary controls and security needs
Planning and Organization: assesses how IT will be able to
meet business needs
Acquisition and Implementation: IT solutions have to be
developed or acquired to meet objectives
Delivery and Support: continuous delivery and support of
Monitoring: monitors all IT processes for quality and
compliance with control requirements
COSO is useful for management, while COBIT is useful for IT
management, users, and auditors.
COSO is focused on effectiveness and efficiency of operations,
reliable financial reporting, and compliance with laws and
COBIT is used to support business requirements and the
associated IT resources and processes
COSO is the model of choice for the Securities and Exchange
Cost of Compliance: average industry spending per
year is $6 billion. Not suitable for small
Continuous checking of Internal Controls
Maintaining Data Integrity
Communication and Integrity