Since the U.S. government's adoption of the Sarbanes-Oxley Act, security practitioners have been asking themselves what it means to "establish and maintain adequate internal controls over financial reporting.*" The confusion