Q

Defining "internal controls" under Sarbanes-Oxley

Sarbanes-Oxley discusses internal controls, but what exactly does that mean in regards to infrastructure? What type of internal documentation/reporting is needed for our IT infrastructure? Would we be well served by documenting the configuration for all our servers? Is this mandatory? Sarbanes-Oxley (SOX) is mandatory for most public corporations and focuses on regulating corporate behavior to protect financial audit records. There...

are three main areas of SOX that affect IT:

  • Section 302 – Corporate Responsibility for Financial Reports: This section requires executives to certify the accuracy of financial reports.
  • Section 404 – Management Assessment of Internal Controls: This section requires executives/auditors to confirm the effectiveness of internal controls.
  • Section 802 – Criminal Penalties for Altering Documents: This section mandates the protection/retention of financial audit records.

The verbiage in these sections is very vague and not IT-specific. In a nutshell, your IT and security infrastructure is affected in that there needs to be various "controls" in place -- firewalls, authentication mechanisms, access controls, ongoing vulnerability assessments, etc. -- to help ensure that financial audit records are adequately protected. A wise IT/security manager working for a public company would implement as many security best practices as possible such as those found on SearchSecurity.com as well as from NIST, the NSA Gold Standard, the ISO 17799 framework, etc. These actions will help minimize the gray area within the larger gray area called SOX. I would suggest getting your legal counsel involved to determine what the best fit is for your organization.


For more info on this topic, please visit these SearchSecurity.com resources:
  • Article: Security and Sarbanes-Oxley
  • Best Web Links: Law, public policy and standards
  • This was first published in February 2004

    Dig deeper on Sarbanes-Oxley Act

    Pro+

    Features

    Enjoy the benefits of Pro+ membership, learn more and join.

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    0 comments

    Oldest 

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    -ADS BY GOOGLE

    SearchCloudSecurity

    SearchNetworking

    SearchCIO

    SearchConsumerization

    SearchEnterpriseDesktop

    SearchCloudComputing

    ComputerWeekly

    Close