Information Security and the Sarbanes-Oxley Act

25 03 2013

After taking my time to search for a valuable topic towards contribution to the blog, I remembered a financial accounting class that I had taken during the earlier part of my MSIT program. The course had small component on discussing the Sarbanes Oxley Act (SOX) and discussed financial controls and risk for publicly traded companies. It also briefly touched upon the impact of SOX on IT and how companies needed to transform their systems controls and reporting capabilities to stay compliant. For the purposes of this blog I decided to examine the subject in a little more detail by examining its requirements, related security frameworks and results from a study of organizations that implemented SOX. I will attempt to do this by answering some key questions.

What is SOX and how did it come into being?

SOX is a legislation reform introduced in 2002 to improve accuracy and integrity/reliability of the various financial statements of a publicly traded company. Its primary purpose is to ensure that the appropriate controls within an organization are implemented so that the creation and documentation of the information provided in the financial reports are governed according to a standard ( This purpose serves various objectives, not the least of which is to build confidence among the company’s investors, encourage independence between auditors and clients and assign more accountability and ownership to the company’s management (CFOs and CEOs) in relation to the disclosed financial information. The two sections that often quoted in IT security related discussions related to SOX are SECTION 404 (CORPORATE RESPONSIBILITY FOR FINANCIAL REPORTS) and SECTION 302 (MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS) ( – S302/S404.htm)

The reason why SOX came into being is due to a wave of accounting/audit malpractices and frauds by the executive of large corporations and their auditors such as Enron, Worldcom, Arthur Anderson (Wikipedia) that resulted in losses of hundreds of millions of dollars in investments as they collapsed during the turn of the millennium. In order to prevent this from happening, SOX was introduced and brought itself an a set of requirements that required an organizations information security landscape to change significantly if it was to stay in business.

Why did IT need to change?

The SOX act brought with it various bi-products such as regulatory authorities and governance frameworks. Among these were the Public Company Accounting Oversight Board (PCAOB). Its purpose was to provide guidance to the auditing firms that were assessing the compliance of the company with SOX through auditing standards. Among these standards was a clause that discussed the management of internal controls. It stated:

“Determining which controls should be tested, including overall relevant assertions related to all significant accounts and disclosures in the financial statements. Generally, such controls include: Controls, including information technology general controls on which other controls are dependent”(Stults, 2004, p4)

How was information Security impacted?

COBIT (Control Objects for Information and Related Technology) was a framework that was introduced to provide details on creation and assessment of various IT controls was introduced to allow information security teams to essentially implement the various requirements of SOX inside an organization. COBIT had detailed guidance on various IT related processes that were categorized into various domains including Planning & organization, Acquisition and Implementation, Delivery & Support and Monitoring (Stults, 2004, p6)

An organization created to help companies with their IT governance known as ITGI (Information Technology Governance Institute) used COBIT and COSO (another SOX related controls framework) and published guidelines on various information security topics. Amongst the key areas it provided details on Security Policy, Security Standards, Access and Authentication, Network Security, Monitoring, Segregation of Duties and Physical Security: (Stults, 2004, p7)

A lot of what forms the basis of a company’s security processes and infrastructure was being defined and enforced legally through the adoption of these frameworks. Organizations would have undergone information security transformation projects at all the above levels to become and retain compliant status.

A study by Dr. Janine L. Spears (DePaul University)  analyzes the impact of SOX on information security. The study was carried out around 2009 – seven years after the introduction of SOX. It is interesting to note the conclusions that were drawn from the study (Spears, 2009, p.1-4)

  1. Increased business collaboration and awareness of managing security risks within the organizations
  2. Greater maturity of security Risk management processes
  3. Increase in effectiveness of access control application
  4. Greater investments in information security to maintain compliance
  5. Building security programs around compliance requirements
  6. Improved overall information security in the organization (Spears, 2009, p.1-4)

Although all the above conclusions of the study indicate a positive sign and suggest improved impact on information security, the 5th point above is a little discourages. The discussion in the study points to the fact that organizations are limiting their security initiatives to the extent of only implementing controls that are required by SOX. They are not evolving to improve beyond that level which is cause for concern as these organization feel that it is not necessary.

What to conclude?

I think one needs to be able to appreciate the fact that the last 10 years have seen a greater awareness of information security as a whole in large organizations. Having said that, a lot of this can be attributed to the SOX legislation and the indirect effect of its requirements for enforcements of the controls and auditability of the information stored in a modern IT enabled business.


Wikipedia – Accounting Scandals :

SOX 302:

SOX 404 :


Greg Stults, May 9, 2004 , SANS Institute:An overview of Sarbanes-Oxley for the Information Security -(

ProfessionalDr. Janine L.Spears , ISACA Journal Volume 6, 2009 How has Sarbanes-Oxley compliance Affected Information Security  -(




One response

12 04 2013
Kevin Reasor

I work for PwC in our IT organization and understand what you are describing in great detail. I can tell you there continues to be significant focus on the reviews conducted by the PCAOB and what can be done to improve audit quality overall which includes security controls. We have had projects where we had to set up new processes to ensure data for key clients cannot be accessed by IT vendors that are viewed as competitors of those clients. I would agree that there is still more to do fr a security perspective.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: