Plans devised by the Securities and Exchange Commission – aimed at relaxing the reporting requirements related to the Sarbanes-Oxley Act – should not lull UK firms into a false sense of security. Jeremy Childes explores the changes to financial practice and corporate governance required by this all-embracing, US-based legislation, and how security managers can meet its requirements.

Without doubt, the Sarbanes-Oxley Act 2002 is the most important piece of financial legislation to have emerged in the past 30 years. US President George W Bush signed the Act into law on 30 July that year in direct response to the major accounting scandals thrown up by Enron, WorldCom and Global Crossing in 2001-2002: debacles resulting in billions of lost dollars across the US economy.

Designed to protect investors by improving the accuracy and reliability of corporate disclosures, Sarbanes-Oxley introduces highly significant legislative changes to financial practice and corporate governance by demanding increased regulatory compliance and accountability of public companies and their financial health. The basic intent of this law is to reinforce corporate integrity (and enhance investor confidence) by requiring chief executive certification of all financial statements, mandating the real-time disclosure of any details important to investors.

Larger public companies and foreign-owned concerns in the United States must meet the designated mandates for financial reporting and certification for any statements filed after 15 November last year. All other public and foreign-owned organisations must meet the mandates for any statements filed after 15 July. Originally, the date for this was 15 April 2004.

The fact that the latter compliance date was put back doesn’t mean any let-up, which some companies may have expected in the wake of recent plans by the Securities and Exchange Commission (SEC) – the controller of the US National Institute of Standards and Sarbanes-Oxley compliance – to relax reporting requirements relating to the legislation. The time allowed for companies to file annual and quarterly reports is now extended from 60 to 75 days.

As part of the Act, the Public Company Accounting Oversight Board (PCAOB) has been created to oversee public company auditors in order to protect the interests of investors while furthering the public’s own interest in the preparation of informative, fair and independent audits. In everyday terms, the PCAOB provides more specific guidelines for compliance with Sarbanes-Oxley and regulation of the previously unregulated accounting firms. According to many in the US, this process was long overdue.

Exactly who is affected?

Although strictly speaking a US piece of legislation, UK and other European firms currently listed in America are most certainly caught by the requirements of Sarbanes-Oxley. All publicly-traded corporations falling under the jurisdiction of the SEC – the most powerful financial regulator in the US – are subject to the requirements, including those UK firms who have operations across the Pond or who trade with US companies.

At this point, it’s worth noting that private sector organisations interested in going public – or those that may be the target of acquisition or merger plans by a public firm – will also fall under the Sarbanes-Oxley mandate. Those concerns need to prepare themselves to be compliant should either outcome occur.

Public companies and their auditors must now assume total responsibility for their internal controls (specifically those relating to financial reporting). Rule 13a-15(f) of the SEC Rules defines internal control over financial reporting as: “A process designed by, or under the supervision of, the issuer’s principal executive and principal financial officers – or persons performing similar functions – and effected by the issuer’s Board of Directors, management and other personnel, to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.”

There are some important points to note here. In particular, SEC Rule 13a-15(f) goes on to cover policies and procedures which “pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer”. In essence, this relates to the use for which assets are intended.

Companies must also “provide reasonable assurances that transactions are recorded as necessary to allow the preparation of financial statements in accordance with generally accepted accounting principles, and that expenditures and receipts of the issuer are being made only in accordance with authorisations of management and directors of the issuer”. Put simply, internal controls must exist to prevent the chief executive from saying: “I know nothing!”

Further, companies have to “provide reasonable assurances regarding the prevention or timely detection of unauthorised acquisition, use or disposition of the issuer’s assets that could have a material effect on the financial statements.”

What this amounts to, in practice, is controls that prevent either managers or staff from buying, selling or using company assets unwisely.

Sarbanes-Oxley and security

From a security perspective, Sarbanes-Oxley is vague in many areas – in particular where the Act touches on the specifics of ‘How To Comply’. It doesn’t provide exact information on the security procedures or processes that companies must put in place in order to comply (the necessary activities include the management of records, monitoring general business activity and checking on corporate performance). Nor does Sarbanes-Oxley recommend any specific IT solution in line with compliance procedures.

On the other hand, there are sections of the legislation that are very specific and have a direct impact on IT budgets. For example, the law states that all business records – including electronic records and electronic messages – must be saved for “not less than five years”. Given this data storage requirement, it is clear that Sarbanes-Oxley has already had – and will continue to exert – a noticeable effect on corporate IT and security departments.

UK security managers in the finance sector are doing their best to cope with the new legislation, but it represents a constant struggle. “Sarbanes-Oxley is nothing if not onerous,” suggests Chris Smith, head of regional security for EMEA at HSBC Bank plc. “We have had to employ and deploy something in the region of 150 staff just to look after this one Act. That’s a pretty significant commitment of manpower.” It’s the same story for Smith’s colleagues in the States. Joseph Antonellis, the chief information officer at Boston’s renowned State Street Corporation, comments: “The time, costs and diverted resources needed to comply create massive obstacles for our organisation. It has definitely made life harder for the IT and security staff to meet end user needs. We have been forced to wade through massive amounts of documentation and complete testing phases to validate what we already knew – that the existing IT control infrastructures and corporate audit activities in place here comply with Sarbanes-Oxley.”

The Act contains no less than 65 pages alluding to security or security-related topics. All well and good, but resentment is brewing among managers because of duplication with elements of Basle II. “It’s not just that, either,” adds Chris Smith. “At the same time we also have to take into account the Financial Services Authority’s regulations and certain elements of the Turnbull Report.”

Certainly, the IT managers who have recently spoken to SMT on this subject claim that documenting controls is almost akin to copying words out of a dictionary as a punishment! Some comfort can be drawn in the fact that, once the procedures have been tackled for the first time, checking processes and making them repeatable in future years should be much easier.

An off-the-shelf solution?

It is hard to sign off on the validity of data if the systems maintaining it are not secure. With IT ‘keeping the books’ these days, if such systems are not secure then the internal controls built on them cannot be worth much. If, for example, someone can easily access those systems because only a four-character password is in place, that would have to be seen as a sign of non-compliance.

What Sarbanes-Oxley has done is open up lines of communication between upper level management and their security staff as to what is required in ensuring that proper – and auditable – security measures are in place. Given that some companies have traditionally spent more on coffee than security, this will mean a fundamental change in mindset.

The bad news for corporate security professionals is that they cannot buy specific systems guaranteeing compliance with Sarbanes-Oxley. Nonetheless, an important factor in creating internal controls is making sure that any ‘home grown’ applications are secure. Most companies will have perimeter defences in place, intrusion detection and anti-virus software. However, it would be fair to say that far too many do not espouse proper controls for their web-based applications.

Teaching systems developers to code more securely and then properly test their solutions for security purposes would be a relatively low cost project, and one that should reap huge dividends in relation to compliance.

It appears to make perfect sense that companies would look to automate as much of the process as possible with software and hardware platforms that quickly address their dilemma. Again, it is important to stress that the vehicle (software, hardware, methodology) for compliance is left to the organisation and its individuals… leading to another array of potential issues on the road to compliance.

Important sections of the Act

While it may seem like a new law, in reality some of the key components of Sarbanes-Oxley are newly edited versions of laws that previously existed. In many cases, the only difference between the older versions of the law and Sarbanes-Oxley as the Act currently stands is increased penalties and longer jail terms for chief executives and financial officers who knowingly approve misleading financial statements or otherwise misreport them.

Another key difference is that independent auditors must attest to the accuracy of internal financial controls every year (as stipulated in Section 404 of the legislation).

The Act itself is organised into 11 titles. In addition to Section 404, Sections 302 and 802 are the most significant with respect to compliance and internal control. These sections impact on internal controls over the functions and logic of the financial applications that feed information into financial reports. This can include data validity (eg credit limit checks), calculations (such as tax calculations), interfaces (feeds from central billing into the general ledger) and reports (for instance customer billing statements).

Section 302 is listed under Title III of the Act, and pertains directly to the corporate responsibility for financial reports. All periodic statutory financial reports are to include certifications signed by officers to state that they have reviewed the report. Reports must not contain any materially untrue statements or material omissions, or be considered misleading in any way. The financial statements and related information must fairly present the financial condition and the results in all material respects.

Section 404 of Sarbanes-Oxley is listed under Title IV of the Act (enhanced financial disclosures) and relates to the ‘management assessment of internal controls’.

Issuers are required to publish information in their annual reports concerning the scope and adequacy of the internal control structures and procedures for financial reporting. This statement must also assess the effectiveness of such internal controls and procedures. In the same report, the registered accounting firm is required to attest to – and comment upon – the assessment of how effective control structures and procedures for financial reporting are in the real world.

Compliance with Section 404 has been far more burdensome than anyone expected. In fact, compliance with this part of the Act is the major reason why the US Government has twice extended the deadlines.

Unlike Y2K, which represented a one-off, one-time ‘fix’, Section 404 will require continual monitoring and compliance. The bottom line is that if companies wish to comply with the law, control over the integrity of IT systems is a ‘must’. The major worry for all companies, it seems, is security, closely followed by data storage, process control applications, records management and planning solutions.

Listed within Title VIII of the Act relating to corporate and criminal fraud accountability, Section 802 is concerned with criminal penalties for altering documents.

Public companies and their public accounting firms are required to retain records – including those in electronic format – that impact on either the given company’s assets or performance. This can include e-mail, instant messages and any spreadsheets that may be used to analyse financial results.

Compliance with Sarbanes-Oxley

The following high level processes will assist IT and security managers to judge what stage they have reached in the ‘compliance dance’, and what further actions may need to be taken.

The PCAOB recommends the Committee of Sponsoring Organisations (COSO) integrated framework on internal controls for managing compliance in relation to financial reporting.

Using COSO as a guide, many companies look at the risk assessment framework as a standard from which to begin. Several of the Best Practice approaches that help ensure good corporate governance apply to Sarbanes-Oxley (eg policy-based security assessment and management packages, managed security services, intrusion protection products and early warning systems).

There are five key components for compliance: a controlled environment, the risk assessment, controlled activities, information and communication and monitoring.

A controlled environment encompasses the ethics, direction and philosophy of an organisation. The risk assessment is a little more involved. In practice, an audit is performed to determine where changes need to be made for compliance with Sarbanes-Oxley. The focus here is very much on business applications, processes and procedures that directly (and indirectly) impact on financial reporting systems. IT and security managers should expect to participate extensively here as members of the Compliance Committee.

Following the audit, managers will be able to determine how their current position measures up against Sarbanes-Oxley requirements. This ‘gap analysis’ will lead to a requirements document identifying those areas in need of remediation.

Driver for enhanced security

While Sarbanes-Oxley does not specifically regulate IT or IT security, it does have a massive effect on both.

With an understanding of the business processes and technologies currently in place, of what new systems or processes are needed for compliance, and of what security measures will be implemented to protect the data and policies that compliance requires, security and IT managers will be well on the way to meeting Sarbanes-Oxley.