Step 1: Understanding compliance -- Financial and technical standards

01 Feb 2006


About Compliance School

In Compliance School, guest instructor Richard Mackey shows you exactly what you need to do to meet regulations' ongoing demands and arms you with actionable items to ensure your business remains continuously compliant. Best of all, you can attend any of the following on-demand lessons when it's most convenient for you:

Ensuring compliance across the extended enterprise

Compliance improvement: Get better as you go forward

Gauging your SOX progress

SOX compliance basics: Taking Action

Understanding compliance-related technology

The Sarbanes-Oxley Act was created as a result of a series of corporate financial failures caused by illegal corporate activities hidden behind financial misstatements and fraud. The Act makes executives personally liable for both the accuracy of financial statements and a statement that mechanisms and practices underlying the financial report are trustworthy.

The Act itself doesn't provide direct guidance on what it means to comply. Instead, it refers to an organization and an accompanying control framework as a method to achieve compliance. The organization, the Committee of Sponsoring Organizations (COSO), was founded by professional accounting associations and is dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance.

COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting. Its original chairman was SEC Chairman James C. Treadway, Jr. Hence, the popular name of the National Commission was The Treadway Commission.

COSO published its Internal Integrated Control Framework that defines what a control is and describes the various aspects of the process of control including the control environment, risk assessment, control activities, information and communication, and monitoring. It also discusses how corporate roles map to responsibilities in effecting internal control in these areas. The COSO framework is designed to provide a model that corporations can use to run an efficient and well controlled financial environment. Adherence to its principles can help with, but not guarantee, SOX compliance.

The COSO framework recognizes that IT requires a dedicated governance framework like COBIT (Control Objectives for IT). COBIT, a standard maintained by the IT Governance Institute, is internationally accepted as a set of control objectives (i.e., goals) for structuring and maintaining control over IT operations and, in particular, security.

COBIT, like COSO, defines IT governance as a cyclical process that involves:

  1. Planning and organizing to maintain control
  2. Acquisition and implementation of control mechanisms (e.g., technology) and measures (e.g., policies and processes)
  3. Delivery and support of operations (including control activities)
  4. Monitoring and evaluation of controls

COBIT's detailed control objectives provide IT organizations with specific guidance on the goals they need to achieve in areas like change control, access control and monitoring in order to comply with SOX. However, not every control objective in COBIT is required for SOX. Furthermore, COBIT covers much more than security, with control objectives handling efficiency and cost effectiveness of designs and operations. The most critical SOX-related COBIT controls are found in the Delivery and Support, and Monitoring sections, and deal with change control, provisioning and monitoring.

ISO17799, an international security code of practice, provides examples of good security practices, many of which correspond to COBIT objectives. IT organizations can use COBIT as an overall governance framework and ISO17799 as a guide to implementing policies and practices for security in general, and SOX-required activities in particular.
