SOX and the General Control Environment

SOX AND THE GENERAL CONTROL ENVIRONMENT

Good corporate governance depends on the effective management of internal controls and on the availability, confidentiality and integrity of information. Corporate reputation, brand preservation and financial results all depend on the defence of business processes and on compliance with a growing array of legislation and regulation. For companies listed on US exchanges, the Sarbanes-Oxley Act of 2002 (‘SOX’) is of overriding importance and information security has a crucial role to play in achieving compliance.

SOX was passed to ensure that executives are held responsible for establishing, evaluating and monitoring the effectiveness of internal controls over their financial reporting. To ensure compliance, SOX legislation contains provisions that include both criminal and civil penalties for any violations.

SOX focuses specifically on the accuracy of financial records and the controls around these. Information security is a fundamental component of SOX compliance as a result of the Public Company Accounting Oversight Board (the PCAOB, which was created as a result of SOX to define auditing standards) creating Standard #2 (now replaced by Standard #5). This states that senior management is responsible not only for financial information but also for the way that information is generated, accessed, collected, stored, processed and transmitted. The general controls, and general control environment, inside an organisation determine the environment within which the specific controls operate. In other words, if an organisation’s general controls are weak, its specific controls will be undermined and, potentially, ineffective.

Traditional security models are inadequate for managing such financial control-related information security risks. Instead, companies need an end-to-end, system-based approach that is integrated, collaborative and adaptive, helping them better manage their network security risks while also meeting SOX requirements. While this is most obviously relevant to businesses quoted on US exchanges, SOX also applies to any non-US public multinational company doing business in the United States.

The current compliance environment contains many overlapping, inconsistent, sometimes untested and often contradictory laws and regulations. Organisations must therefore adopt best practice solutions that will simultaneously combat their real-world information threats while helping them meet SOX and other regulatory requirements. ISO 27001 is one such framework. In conjunction with ISO 27002 (the now-renumbered ISO 17799), it provides technology-neutral and best practice guidance on the management of information security risks.

Any solution that addresses the issues raised by SOX requires a layered, integrated approach to security. A controls framework, such as ISO 27001/ISO27002, or a process framework, such as CobiT, can provide an organization with a best-practice approach that underpins SOX compliance. It is also possible to combine these two frameworks, using CobiT for the overall governance structure and ISO 27001 to focus specifically on managing information security risk.

This approach helps organisations better manage their network security risk while readying them to meet regulatory compliance requirements.

Alan Calder is chief executive of IT Governance Limited (www.itgovernance.co.uk), the one-stop-shop for information security books, tools, training and consultancy. He is co-author of the definitive guide to ISO 27001 compliance, ‘IT Governance: A Manager’s Guide to Data Security and BS7799/ISO17799’.