Sarbanes-Oxley Act
The Sarbanes-Oxley Act of 2002 (SOX) is a complex set of U.S. laws and regulations intended to protect against financial irregularity in public companies. It was the major U.S. government response to the corporate failures involving poor auditing, such as Enron and WorldCom, that began in late 2001.[1] While it primarily deals with finance, it has significant implications for information security.
Critics have suggested it was "unnecessary, harmful and inadequate", but it allowed officials to be seen as responsive. One argument that it was unnecessary held that "the stock exchanges had already implemented most of the SOA changes in the rules of corporate governance in their new listing standards; the Securities and Exchange Commission (SEC) had full authority to approve and enforce accounting standards, the requirement that CEOs certify the financial statements of their firms, and the rules for corporate disclosure; and the Department of Justice had ample authority to prosecute executives for securities fraud. The expensive new Public Company Accounting Oversight Board (PCAOB) is especially unnecessary." Senator Paul Sarbanes (D-MD) and Representative Michael Oxley (R-OH) both chose not to run for reelection to Congress at the end of the 2006 term.[2] The Supreme Court of the United States agreed to hear a challenge in 2009;[3] in November 2009, the House Financial Services Committee passed an amendment, the Investor Protection Act of 2009, which, if enacted, would make many SOX provisions inoperative.[4]
Basic requirements
The Act, relatively speaking, tries to be neutral between the demands of regulation and the costs of additional internal control measures. There is a sense in the industry that the initial learning curve was steep and expensive, but costs drop considerably when affected firms continue to run with its regulations, especially Section 404, which covers Information and Communications Technology (ICT). Other sections that companies find challenging include 303 on debt and credit management, and 409 on prompt disclosure of changes to their financial positions.
The Securities and Exchange Commission (SEC), which administers SOX, requires several statements that must come from the management reporting system:[5]
- Management acknowledgement that it is responsible for internal control; Section 302 makes the CEO and CFO personally and criminally liable for inaccurate reporting.
- Management identification of the framework that will be used to evaluate the efficacy of the internal controls over financial reporting.
- An assessment, by management, of how well the internal controls have worked in the most recent fiscal year, and a binary statement of whether they were effective or not. If they were not effective, the statement must identify any "material weaknesses" in the process. Management cannot state the controls were effective if there were any material weaknesses.
Identity
SOX requires that top managers certify that no one has tampered with their financial reports. Since the major financial scandals of recent years have come from trusted employees who should not have been trusted, classic information security requirements come into play:
- knowing who your people really are,
- intelligent use of the Principle of Least Privilege,
- establishing mechanisms by which they identify themselves to computer systems and the systems authenticate that claim of identity,
- giving authenticated users a set of credentials defining what they are allowed to access and do.
SOX requirements are a subset of the field of identity management. Section 802 specifies, "Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object … shall be fined under this title, imprisoned not more than 20 years, or both." Claiming a false identity is a rather elementary form of covering up. Over the years, financial institutions have developed other safeguards, such as insisting employees take vacation so that they cannot continue to cover embezzlements.
Not only are identification and authentication needed during operations; identity verification must also be done on new hires, and on contractors in sensitive roles. The more sensitive the job in SOX terms, the tighter the verification needs to be.
Restrictions on Practice
Many enterprises had accounting systems provided or built by the consulting arm of large accounting firms, which indeed have much experience. As a result of scandals such as Enron, where the outside accounting firm made more revenue from management reporting and tax services than from its presumably neutral role as an external auditor, the American Institute of Certified Public Accountants (AICPA) and others have mandated, essentially, that the roles of external auditor and of a firm supplying other services are incompatible. Prior to the Act, major accounting firms were implementing large financial software systems and other procedures that their audit practice might then have to inspect. While, in principle, there was a "Chinese Wall" between auditors and other employees, both auditors and consultants on an engagement tended to report to the same firm executive, who had profit and loss responsibility for the account. Now, the choice may be to buy systems from a spinoff of the accounting firm, or to build them in-house.
Besides the restrictions on obvious conflicts of interest, the accounting profession formalized procedures about best practice in internal reporting. The auditing firm would verify these controls are in effect. Do note that a different accounting firm, which has no audit responsibility, is free to set up controls and supporting software. With the storm of mergers and acquisitions in public accounting, what might be separate companies today could become a single one tomorrow, and the new firm would need to divest tasks that lead to the appearance of conflict of interest.
In like manner, there are restrictions on internal auditors, who cannot build or operate the systems whose output they monitor. They do have the responsibility of recommending improvements.
Designing Internal Control
The Act created the Public Company Accounting Oversight Board (PCAOB), which is quasi-public, in the sense that various financial regulators such as the FDIC are quasi-public. PCAOB actually oversees auditors of public companies, rather than the companies themselves, including regulation and discipline. SOX further creates requirements for strong internal financial control, independence of outside auditors, and greater top management responsibilities for financial disclosure. PCAOB oversees the integrity of the audit process, but the independent Financial Accounting Standards Board will continue to develop the standards for accounting.
Financial scandals in the 1970s led to the Foreign Corrupt Practices Act of 1977 (FCPA), and eventually to the 1985 creation of the National Commission on Fraudulent Financial Reporting, called the Treadway Commission after its first chair. Its first report, issued in 1987, recommended that the Committee of Sponsoring Organizations (COSO), made up of five professional associations concerned with auditing, create integrated guidance on internal control. They contracted with a major accounting firm and drafted the first framework for COSO-approved internal control, published in 1992 as Internal Control: Integrated Framework. Let us hope your customer works on faster timelines than these.
This report presented a common definition of internal control (IC) and provided a framework against which IC systems can be assessed and improved. This report is the standard that U.S. companies use to evaluate their compliance with FCPA. COSO's framework defines the IC program that underlies SOX. This program has four principles and five components. In addition, COSO defines the three goals of internal control as:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
The Principles establish the expectations of IC, while the Components deal with how to execute IC. COSO recognizes real-world constraints: in its Principles it accepts that no IC system is perfect, but it also requires due diligence in attempting to find problems not covered by IC.
References