Sarbanes-Oxley Reports

The "Public Company Accounting Reform and Investor Protection Act" is better known as "The Sarbanes-Oxley Act" (SOX). The Sarbanes-Oxley Act is named after the two senators who sponsored the bill, and applies to publicly traded companies in the U.S. that are regulated by the Securities and Exchange Commission (SEC).

The U.S. government passed the Sarbanes-Oxley Act in 2002 in response to several high-profile corporate accounting scandals at companies including Enron, MCI WorldCom, and Tyco. The intent was to restore public confidence in both public companies and public accounting firms by requiring increased levels of executive awareness and accountability.

However, the U.S. Congress did not explicitly address information security issues in passing the Sarbanes-Oxley Act. In fact, information security was never even mentioned in the Act. Instead, the main emphasis was on complex accounting issues.

Impact on Information Technology

Nevertheless, the Sarbanes-Oxley Act has had a tremendous impact on the day-to-day operations of Information Technology departments in the U.S. Many IT professionals grumble that a law originally passed to prevent fraud by corporate CEOs and CFOs has instead resulted in a tremendous burden of documentation and process improvement for IT departments.

A full copy of the Act can be found online, but the core provisions of SOX that affect the IT department are summarized below:

Section 201

No internal audit or system consulting services can be provided to audit clients by public accounting firms.

Section 302

CEOs and CFOs need to certify the financial results each quarter and certify that there are no material weaknesses or significant deficiencies in the financial reporting process.

Section 404(a)

Senior management is required to establish and maintain adequate internal controls for financial reporting and to annually assess the effectiveness of those controls. Documentation is mandatory: insufficient controls documentation is deemed a material weakness in the external auditor's report.

Section 404(b)

Public accounting firms are required to assess management's certification of the effectiveness of internal controls over financial reporting and issue an attestation report.

Section 802

Establishes penalties for corporate fraud.

Find reports to aid in Sarbanes-Oxley compliance in the Regulatory Recommendations Report Group (see Reports and Regulatory Recommendations).