For the last few years information security professionals have been reflecting about the possibility of a law that would require publicly traded companies to disclose the security status of their Securities and Exchange Commission (SEC) filings. While that has yet to happen specifically, it appears to have occurred in effect through the passage of the Sarbanes-Oxley Act of 2002. With original deadlines set for late this year, the new law has CEOs, CFOs and auditors scrambling to ensure that their financial statements provide an accurate reflection of their businesses.
Restoring investor confidence
In the wake of corporate accounting scandals at Enron, WorldCom and others, Congress passed Sarbanes-Oxley as a measure to help restore investor confidence. Under the new law, CEOs, CFOs and auditors for organizations must attest to the truthfulness and accuracy of their financial statements, as well as the presence and effectiveness of internal controls to preserve the integrity of such financial information.
Companies found in violation face stiff penalties, including up to $1 million in fines and/or up to 10 years imprisonment for individual CEOs and CFOs who are found to have 'recklessly' violated certification of the company's financial statements. These have gotten the attention of senior management, inspiring investigation into policies, procedures and technologies to help guard against liability.
Although information security is never specifically mentioned in the text of Sarbanes-Oxley, it is clear that the effectiveness of internal controls cannot be addressed without looking at the security of the IT environment. Every corporation relies on databases, inventory systems and electronic data interchange (EDI) infrastructure to accomplish everyday business. Section 404 of the law requires that companies produce an "internal control report" stating the presence and effectiveness of the internal controls in place at the company.
Accountants typically attribute internal controls to policies and processes. For example, a person who has the authority to create a purchase order may not possess the authority to sign a check. Today's processes are typically embodied in the functions of various business applications, and auditors must be able to understand and document the ways systems are configured. They must also be able to verify that the current configuration is representative of good internal controls. For larger and more complex ERP systems, auditing to ensure these controls are in place becomes a monumental task.
The SEC recently extended the deadline for Sarbanes-Oxley compliance by nine months to June 15, 2004, while companies with a market cap less than $75 million must comply by April 15, 2005. Even with the extension, companies will have to work diligently to meet deadlines. And, with new rules in place prohibiting the audit firm from also being a consulting vendor, organizations will have to rush to do the work themselves, or find yet another outside vendor.
Creating internal controls
As it stands today, most organizations are looking at larger bills from their auditing firms for the work required to certify or 'attest' they have the appropriate internal controls in place. But that does not even begin to address the work required to upgrade and/or evolve systems to ensure auditors are comfortable signing off. Stiff penalties are in place for auditors, and the reputation of their firm is at stake as well. Don't expect an automatic pass.
The first step for any IT department is to work with corporate management to understand the larger compliance effort, and to educate the compliance team about how IT systems must be included in the internal controls conversation. While business executives may not be aware of the need to include IT in these discussions, it is critical, given IT's ability to bring out additional areas of concern that they may not have addressed, including verified and proper access controls on the file server that houses the documents being prepared for the SEC filing.
After understanding internal efforts, a meeting with the company's public accounting firm must be conducted to ascertain its criteria for auditing internal IT controls. Most public accounting firms use the CobiT standards published by the Information Systems Audit and Control Association (www.isaca.org), although some teams have been known to use ISO 17799, SAS 70, or even their own methodology.
Compliance teams should push for the audit firm to employ a more generally accepted standard that travels well. Understanding how the auditor approaches the validation can help IT teams document systems in a consistent manner, effectively reducing validation time and costs associated with reaching attestation.
Due to the high profile of Sarbanes-Oxley in the press and public scrutiny of corporate blow-ups and slipping deadlines, management teams are taking the requirements very seriously. For publicly traded companies, it has become a top priority. Few doubt the SEC's real intent to enforce Sarbanes-Oxley.
Chris Mullins, CISSP, is director, policy and compliance products, BindView Corp. (www.bindview.com).