Intrusion Prevention Solutions Enable Sarbanes Oxley Compliance

A TopLayer Networks Whitepaper

A NEW FRAMEWORK OF CONTROLS
The Sarbanes Oxley Act of 2002 (SOX) is the most important securities legislation since the federal securities laws of the 1930s. It is a framework of acceptable corporate conduct to improve investor confidence in the integrity of corporate disclosures and financial reporting. SOX was enacted for the purpose of reforming the reporting, governance and disclosure of public company financial statements and records. Companies affected by SOX include each publicly traded company, its divisions, and all of its wholly owned subsidiaries as well as public multinational companies engaging in business in America.

The U.S. Congress passed SOX in order to:
• Ensure better accuracy and restore trust in the financial statements given to the government and investors following high-profile accounting scandals.
• Provide new tools to combat and deter corporate fraud, punish corporate wrongdoers, improve corporate responsibility and protect America's investors.
• Provide new oversight powers and responsibilities to the Securities and Exchange Commission (SEC) and auditors for oversight of public companies.
• Create the Public Company Accounting Oversight Board (PCAOB).

A central focus of SOX is the mandate for formal assessments of the internal controls that stand behind the public companies' financial statements. Information technology is vital to internal control over financial reporting and retention of sensitive corporate information. Safe, sound and secure processes, systems, data and infrastructure are crucial for establishing a compliant financial reporting process.

New technology and information security mandates for publicly traded companies have been created in:
• Securities Exchange Commission compliance mandates.
• Supplemental auditing standards issued by the PCAOB.
• Industry best practices such as those issued by the Committee of Sponsoring Organizations (COSO).

EXECUTIVE CERTIFICATIONS
A critical purpose of SOX was to improve the "tone at the top." The tone set by top management is the most important factor contributing to the integrity of the financial reporting process. SOX contains two different executive certification provisions - Sections 302 and 906. Each of these sections requires the CEOs and CFOs of reporting companies to certify the financial and other information in the reports they file with the SEC. These certifications affirm senior executive responsibility for financial reporting.

The rules adopted by the SEC pursuant to Section 302 require a company's CEO and CFO each to certify that:
• They have reviewed the report.
• The report does not contain an untrue statement or fail to state a material fact.
• The financial statements fairly present in all material respects the financial condition and results of operations of the company.
• They are responsible for establishing and maintaining disclosure controls and procedures and internal control over financial reporting for the company and have:
1. Designed such disclosure controls and procedures to ensure that material information relating to the company is made known to them.
2. Designed such internal control over financial reporting to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements.
3. Evaluated and reported on their company's disclosure controls and procedures.
4. Disclosed any material change in the company's internal control over financial reporting.
5. Disclosed to the auditors and audit committee:
− All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting.

THE EFFECT ON PRIVATE COMPANIES
While SOX is not mandated for private firms, such firms should explore how to comply with SOX if they wish to compete in a post-SOX corporate environment. A public company's ability to meet its compliance obligations and a private company's ability to meet Sarbanes Oxley-type standards will be evaluated in many aspects, long after the initial compliance effective dates. For example:
• Rating agencies will be reviewing compliance with SOX provisions, especially internal controls and corporate governance.
• Investment analysts will review corporate filings for SOX problems.
• The cost of credit will be priced in part on agency ratings on compliance.
• Directors' and Officers' liability insurance will in part be priced on compliance.
• Privately held companies wishing to convert to publicly traded stock companies will be judged on these standards, possibly for three years prior to an initial public offering.
• Vendors, suppliers, and joint venture partners will be interested in compliance before entering into contracts.
• Due diligence in connection with merger and acquisitions will focus on SOX.
• Restatements of financials resulting from SOX requirements will have negative consequences, such as downward stock price adjustments.
• Criminal penalties have been increased as the result of SOX.
• Negative publicity resulting from non-compliance with SOX may affect marketing, earnings, and stock price.
• CEOs and CFOs may be replaced for failure to comply.

CONTROL OF INFORMATION SYSTEMS INTEGRITY
IT departments will play a key role in enabling SOX compliance. Without the right technological solutions to record and monitor access to networks, financial systems, and sensitive data, management will not be able to ensure the integrity of the information in their financial reports. The need for technology that will help with SOX compliance and internal control management is imperative. SOX requires that public companies attest to the integrity of their financial controls. Most companies rely on computer-based financial controls. These controls apply to many key activities such as transaction handling, accounting ledgers, and other financial systems – including links with third-party providers, such as corporate banks, trading exchanges and clearing systems. Since IT underlies the day-to-day business activities of recording and reporting all financial activity, a lack of control over IT security creates a lack of control over the organization's financial reports – a violation of SOX Section 404. Control of IT systems integrity is therefore required in order to maintain financial reporting integrity. From a security perspective, any breach in security can lead to compromising resources and information – including those covered by the standards implicit in the Section 404 mandates. This section of SOX carries with it the mandate to properly secure IT enterprise-wide in an effort to satisfy independent auditors regarding the level of risk management applied to protecting corporate IT and especially financial IT systems.

The enterprise-wide information technology infrastructure provides a conduit for financial and other business transactions and information to be carried across the corporate network and the Internet. Left unprotected, the vulnerabilities in this infrastructure allow unauthorized remote users to:
• Steal confidential documents not intended for their eyes.
• Execute commands on the server host machine, allowing them to modify the system.
• Gain information about the specific server or database that will allow them to break into the system and alter, damage, or steal private information, such as financial records.

Get the complete whitepaper here (PDF)
Copyright © 2008 Technology Executives Club, Ltd. All rights reserved. Privacy Policy