Publicly traded companies have been struggling with SOX (Sarbanes-Oxley) since it was enacted in 2002. While SOX does not directly address IT, it does put a new emphasis on the source of financial information, and applications and systems are obviously involved in manipulating and housing that information. SOX provisions indirectly address IT responsibilities in three areas: document retention requirements, mandatory reporting of events such as security breaches, and the vague Section 404 requirement for "internal controls over financial reporting". This last area has generated significant speculation and controversy, primarily because of its lack of detail.
In the absence of clarification, organizations have fallen back on standards that predated SOX, including those from the SEC (Securities and Exchange Commission), COSO (the Committee of Sponsoring Organizations of the Treadway Commission), and ISACA. In later clarifications on Section 404, the SEC has stated that IT controls should ensure the following.
- Records and data are maintained with reasonable detail and accuracy.
- Transactions are recorded in accordance with Generally Accepted Accounting Principles (GAAP) and are authorized by management.
- There is reasonable assurance that financial data is protected from unauthorized use.
Because of the lack of specificity in Section 404, IT managers have little direction in determining both the breadth and the depth of scope. Underestimating scope can result in failure to meet regulatory obligations, while overestimating it can significantly increase the cost of the compliance burden. The IT manager must therefore determine scope by performing an analysis and assessment of the risks associated with SOX requirements.