Sarbanes-Oxley Act of 2002 (SOX)
Shon Harris, CISSP

"So who is this Enron guy who is causing us to do so much damn work?"

Sadly, SOX, like many other regulations, was created because some companies were not doing what they were supposed to when it came to disclosing information on the company's financial standing. Some CEOs and CFOs of the past figured out that if they made their company's stock price go up, then they personally made more money through bonuses, selling their own stock, and demanding higher salaries.

Companies got very creative: hiding their losses, reporting expenses as profits, various other forms of "cooking the books", and convincing the entities that were supposed to keep them in check to "look the other way". While these activities helped the company officers obtain more wealth, they deeply undermined a major component that keeps the U.S. economy going - investors. Investors are not just the fat cats that run Wall Street; we are all investors if we participate in 401ks, pension funds, or money markets, and of course if we buy and sell stocks. The shady ways of a handful of company officers hurt us all, directly or indirectly, and the U.S. government needed to make sure that this type of activity did not continue and threaten our economy.

SOX Facts
  • Other Names = SOX, SARBOX, U.S. Public Company Accounting Reform and Investor Protection Act of 2002

  • Main Regulatory Agency = Securities and Exchange Commission (SEC)

  • Industry = All

  • Who Must Comply = All publicly-traded companies in the United States, including all wholly-owned subsidiaries, and all publicly-traded non-US companies doing business in the US.

  • Some major sections IS auditors may deal with:

    • Section 302 - Corporate responsibility for financial reports: Company officers must sign annual and quarterly financial statements attesting to their accuracy. Changes to controls and reporting systems must be reported.

    • Section 404 - Management assessment of internal controls: Company officers must assess and attest to the company's Internal Control Over Financial Reporting (ICOFR) effectiveness. An external auditor will evaluate the company's internal control system and management's attestation. (This is the section where most IS auditors spend their time and efforts.)

    • Section 409 - Real time issuer disclosures: Any material changes to operations that could affect the company's financial standing must be disclosed in a timely manner.

Note: A material change would be a change that could introduce a material weakness. A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement will not be prevented or detected. Examples of material changes are: a change in the nature of the business, a change in the Board of Directors or the executive officers, a change in the share ownership of the company that could affect control, or the acquisition or disposition of any securities in another company. These changes must be reported to the regulatory oversight body.

The following items were identified as having allowed such corporate scandals to take place:

  • Decline in morals by executive management trusted to oversee publicly traded companies

  • Executive management's compensation structure allowed for high compensation as the company stock prices increased

  • Research analysts, whom investors depended upon, engaging in conflict-of-interest activities

  • Lack of effective internal and external controls to identify fraudulent activities

  • Lack of independence by auditing firms. Auditors and others either received a "piece of the action" for "looking the other way" or were intimidated

  • The regulatory infrastructure was not structured well enough to identify and address these issues

  • It was basically a self-regulating industry until enough people started to play unfairly

Note: Attest means to confirm that something is true. This is more than just 'giving your word', it is a legal term that indicates that if you are lying someone within a government agency will be looking for you and he will not be happy.

SOX was created to reform corporate governance, reporting, and disclosure of financial statements by public companies. It requires publicly held companies to demonstrate due diligence and due care pertaining to the protection and disclosure of financial data. This requires companies to maintain internal controls and procedures for the storage, protection, and communication of financial information.

SOX focuses on the integrity of financial data through the use of accountability. This law holds the CEO, CFO, and potentially others accountable for mistakes or fraud. Many times the best control is to have a big stick and a head to hit it with. The accountability stretches to include the retention of documentation by auditing firms, mainly because when Enron imploded large paper shredding parties were taking place to cover up evidence and accountability. Now auditors have to retain all documentation that pertains to their reports for seven years. This makes the storage vendors very happy.

SOX provides for new or extended legislation in three primary areas:

  • Corporate governance

  • Accountability and responsibility

  • Enhanced financial disclosure and reporting

Some of the core components of these areas are listed below:

  • Audit committees must be made up of solely independent directors and at least one financial expert

  • Company loans cannot be made to directors or executive officers of publicly owned companies

  • CEOs and CFOs must attest and certify their internal controls over financial reporting

  • Executive management compensation must be returned if financial statements are restated due to material noncompliance

  • External auditors must attest to internal controls

  • CEOs and CFOs must attest that their financial statements properly represent the company's financial standing

  • Companies must disclose whether a code of ethics has been adopted


Now, we as an industry have had many rules, laws, and regulations that we were supposed to have been following already, which some corporations ignored. In fact, most components of SOX are not new, and companies were already supposed to be doing these things as dictated by the following legislation:

  • Securities Act of 1933

  • Securities Exchange Act of 1934

  • Trust Indenture Act of 1939

  • Investment Company Act of 1940

  • Investment Advisors Act of 1940

So why does SOX get so much attention while many of us have not heard of the previously listed laws that said a lot of the same stuff? And why does almost every product in the market promise SOX compliance? Because the CEO, CFO, Board of Directors (and possibly others) can go to jail and/or be personally fined. The other regulations fined the company, not an individual. This personal liability has made senior executives and board members sit up and take notice of this piece of legislation, which means that funds were made available to ensure that the companies were in step with the law. When more funds are available, more products will be developed to promise compliance, keep executives out of jail, or whatever other utopia the industry is after.

A corporate officer who does not comply with this legislation, or submits an inaccurate financial certification, is subject to a fine up to $1 million and ten years in prison, even if done by mistake. If a wrong financial certification was submitted purposely, the fine can be up to $5 million and twenty years in prison. Since this law is now important to all of the CEOs in the U.S. it is now important to all of us.

Now, SOX states that the company should follow a corporate governance model, and since the Committee of Sponsoring Organizations (COSO) model was already developed just for this purpose, companies usually implement this framework and auditors look for the components of this framework when testing for compliance. The COSO framework is made up of the following five internal control components:

  1. Control Environment

    • Management's philosophy and operating style

    • "Tone of the top" expresses ethical behavior and not "succeed by any means necessary"

    • Management is setting a good example and enforces "doing the right thing"

  2. Risk Assessment

    • The company sets up a risk management program and carries out formal risk assessments

    • Establishment of organizational risk objectives

    • Ability to manage internal and external change and still achieve the set risk objectives

  3. Control Activities

    • Policies, procedures, and practices that ensure management objectives are achieved and risk is properly mitigated

    • Mechanisms used to prevent or detect errors or fraud that could result in material misstatement in the accounts and disclosures and related assertions of the financial statements

  4. Information and Communication

    • Relevant information is identified, captured, and communicated to enable people to carry out their responsibilities

    • Communication processes pertaining to the authorization of transactions and the maintenance of records

  5. Monitoring

    • Detecting and responding to control deficiencies

    • Ensuring that controls are allowing all previously mentioned activities to take place properly

COSO Model
To put it more simply:

  1. Control Environment

    • Executive management needs to be ethical and ensure everything that goes on in her company is ethical - no corruption and lying about finances are allowed

  2. Risk Assessment

    • Identify what threats can cause a misstatement of financial earnings and get rid of them - and constantly watch out for new threats

  3. Control Activities

    • Have the safeguards in place to make sure fraud cannot creep in

  4. Information and Communication

    • Make sure that the right people are being informed with the right information at the right time

  5. Monitoring

    • Keep watching for new threats so that they can be squashed properly

It should be noted that while COSO is one of the recommended control frameworks to use as a foundation for SOX compliance, it is not required as part of the SOX regulation. An organization can implement a proprietary control framework and still be SOX compliant. Your job as auditor, if you decide to accept it, is to ensure that the objectives within the SOX regulations are achieved.

One cause of confusion for the information security industry is the use of the word "control" within the SOX literature. This is a word that the security industry has used for ages, and whenever these individuals read (or hear) this word they usually think of some type of administrative, physical, or technical safeguard that is put into place to provide confidentiality, integrity, or availability. This confusion is what caused many companies to try to implement a full enterprise-wide security program when this law first came out, when in fact SOX only deals with protecting financial data.

We in information security must remember that there are other parts to the world, not just security, and that each of these parts also has its own controls. In the financial world, controls involve generally accepted accounting principles (GAAP), independence of auditors, keeping financial information in trustworthy constructs and not Excel spreadsheets, and so on.

But while IT security is not specifically mentioned in SOX, it is a central requirement of SOX since hardly anything takes place within companies today that does not rely upon technology. The responsibility of the IT security group and auditors is to assess any risks that are associated with IT or processes that may impact the accuracy and timely reporting of financial information, specifically in relation to the financial reporting cycle within the company.

This lack of understanding (between business functionality and technology integration) is why many companies put the responsibility of being SOX compliant within the realm of the CFO and that team. The financial team will review accounting processes, but does not understand that the financial data is at risk of being corrupted, modified, or stolen in different instances throughout the enterprise. So, to be SOX compliant the company must approach issues from the CFO and the IT security perspective to make sure that all the necessary ground is covered.

CobiT is the leading framework used to carry out IT governance. COSO is the leading framework used to carry out corporate governance.

To be compliant with sections 302 and 404 of SOX, a company needs to implement both frameworks and understand how they support each other. COSO is a corporate governance model and is made up of internal controls. These internal controls include IT General Controls (program development, computer operations, access to data, etc.), Entity-Level Controls (policies and procedures, quality assurance, risk assessments, etc.), and Application Controls (completeness and accuracy of transactions and data, etc.).

As an auditor you will most likely be required to assess an organization's compliance with Section 404, which outlines management's responsibility to develop and maintain an internal control structure for adequate financial reporting. An external and independent auditor must attest to management's report on the adequacy of this control structure. Also, if you are part of the internal audit department, you might be asked to evaluate the organization's compliance with SOX on behalf of management to provide for the required assertion of internal controls.

A large portion of auditing for SOX compliance is to trace the paths that financial information takes within the company enterprise and ensure that this data cannot be altered or viewed by unauthorized individuals and that it is available to authorized individuals when needed. Any material changes to the IT infrastructure that would affect these requirements must be documented and presented to management immediately.

SOX requires the organization to have an independent auditing committee. The members of this auditing committee will be drawn from the organization's Board of Directors and will report to them as a whole.

SOX has been around for a few years and most of the larger corporations have spent millions of dollars to become compliant. Smaller organizations are currently working on compliance, and even non-traded companies are working to become compliant because it helps in obtaining funds, loans, and partners, and allows the companies to be more competitive. Other countries are implementing SOX-like regulations.

The CISSP exam covers where regulations fit into the overall security program and enterprise security architecture. We offer different formats of material to allow you to study for the CISSP exam in a way that fits you best. Please review the following pages:

http://www.logicalsecurity.com/training
http://www.logicalsecurity.com/solution
http://www.logicalsecurity.com/cbt

© 2010 Logical Security, Inc.