This article can also be found in the Premium Editorial Download "Information Security magazine: Reflections on the impact of Sarbanes-Oxley."
Enron and WorldCom were spectacular failures on so many levels. Executives, accountants, the board, analysts, credit rating agencies...all were complicit in facilitating an environment that fostered such book-cooking. Sarbanes-Oxley's unstated goal was to protect investors and return confidence in the markets.
"If the investor loses confidence in the capital markets, you have big problems on your hands. Part of what happened: a lot of companies just neglected their internal structure in terms of having a good command of what was happening in the company and reporting accurately," says Sarbanes (D-Md.). "IT is an important part of providing that."
Section 404 of the Sarbanes-Oxley Act is the stick information security professionals had been waiting for. Simultaneously, it was a godsend and an ungodly burden for CISOs, who were suddenly strapped with immovable deadlines for compliance. CISOs went from the server room to the board room, forced to facilitate the needs of external auditors, report to the board and guide corporate policy in order to assure internal control over financial reporting.
Spending was ratcheted up, and almost overnight, lax patching of systems, shoddy access controls and forgotten employee awareness programs were intolerable. Security companies responded too, spinning the marketing of products toward compliance and risk management. AMR Research reported in 2006 that the ongoing compliance required by SOX had spurred a $6 billion annual spurt in technology spending.
"There have been very few events like SOX that have actually caused particular technologies to blossom and practices to come to the fore," says Dick Mackey, VP of consulting at SystemExperts. "It's pretty amazing that one regulation has probably given rise to more technology deployment than any of the others."
The mandates of Section 404 were recently blunted somewhat by the release of Auditing Standard No. 5. It requires publicly held companies to engage third-party auditors in a top-down risk assessment to assess the design and operating effectiveness of internal controls, understand the flow of transactions, perform a fraud risk assessment and evaluate those controls designed to prevent or detect fraud. The new standard mirrors guidance issued by the Public Company Accounting Oversight Board (PCAOB), another offshoot of Sarbanes-Oxley, whose job is to oversee auditors of public companies.
This was first published in January 2008