Title of the Sarbanes Oxley Act addresses issues related to corporate responsibility

SOX and Compliance Regulations

Christian B. Lahti, Roderick Peterson, in Sarbanes-Oxley IT Compliance Using Open Source Tools (Second Edition), 2007

SOX Overview

The Sarbanes-Oxley Act of 2002 not only affects how public companies report financials, but significantly impacts IT as well.

Sarbanes-Oxley compliance requires more than documentation and/or establishment of financial controls; it also requires the assessment of a company's IT infrastructure, operations, and personnel.

Requirements of the Sarbanes-Oxley Act of 2002 do not scale based on the size or revenue of a company.

Small to medium-sized companies (and their IT departments) will face unique budgetary and personnel challenges in their effort to comply with the Sarbanes-Oxley Act of 2002.

A vast majority of companies will view SOX compliance as a Finance initiative and may not involve IT, or may limit IT's involvement to the project's periphery.

Limited perception of SOX compliance may make it difficult for CFOs, CIOs, and IT Directors to position SOX compliance with executive management.

The SOX compliance process will provide CFOs, CIOs and IT Directors the opportunity to forge stronger alliances with the business units.

URL: https://www.sciencedirect.com/science/article/pii/B9781597492164000033

SOX and COBIT Defined

In Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools, 2005

SOX Overview

The Sarbanes-Oxley Act of 2002 affects how public companies report financials and significantly impacts IT.

Sarbanes‐Oxley compliance requires more than documentation and/or establishment of financial controls; it also requires the assessment of a company's IT infrastructure, operations, and personnel.

Requirements of the Sarbanes-Oxley Act of 2002 do not scale based on the size or revenue of a company.

Small to medium-sized companies (IT department) will face unique challenges, both budgetary and with personnel, in their effort to comply with the Sarbanes-Oxley Act of 2002.

A vast majority of companies will view SOX compliance as a Finance initiative and may not involve IT, or limit IT's involvement to the project’s periphery.

Limited perception of SOX compliance may make it difficult for CFOs, CIOs, and IT Directors to position SOX compliance with executive management.

The SOX compliance process will provide CFOs, CIOs, and IT Directors the opportunity to forge stronger alliances with the business units.

URL: https://www.sciencedirect.com/science/article/pii/B9781597490368500057

Database Activity Monitoring

Josh Shaul, Aaron Ingram, in Practical Oracle Security, 2007

The Sarbanes-Oxley Act

The Sarbanes-Oxley Act (SOX) revolves around the integrity of corporate financial statements. Senior executives are accountable for their accuracy and for the effectiveness of controls that guarantee this. Independent, external auditors must also review the controls periodically. They must check for areas where misstatements can occur and places where fraud can happen. From an information technology perspective, they are particularly concerned with monitoring privileged users such as database administrators.

Your activity monitoring solution must be able to detect changes to sensitive financial data as well as be able to detect all privileged users and privileged activity. The latter includes all Data Definition Language (DDL) statements, backups/restorations, and any significant configuration changes. The audit trail must identify the person who made the changes and a separate change management system should agree that those changes were permitted. Very often an internal auditor will attach to the audit trail an identifier defined by the change management system to indicate such permission.

Intrusion detection is also a key factor in protecting sensitive data and to this end, SOX explicitly requires fraud detection controls. Monitoring for attacks as described in this chapter goes a long way toward meeting this goal. Since SOX also requires reasonable measures to prevent fraud, look into getting a solution that combines activity monitoring and vulnerability assessment to yield a single SOX compliance report. The regulation goes on to say that management overrides of the controls (e.g., the administrator of the monitoring tool changing its configuration) must also be tracked.
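The reconciliation the passage describes, written out as an added example that is not from the book: it walks a constructed audit trail (a hypothetical key=value format, not Oracle's), flags DDL, backup/restore, configuration changes and direct DBA writes to financial tables, checks each against a constructed change-management approval list, and marks changes to the monitoring tool itself as management overrides.

```python
"""Reconcile a database audit trail against change-management approvals (constructed example)."""
import re
from dataclasses import dataclass

# Constructed audit trail in a hypothetical key=value format (not a real Oracle audit format).
AUDIT_LOG = """\
2007-03-01T09:12:04Z user=jsmith role=APP action=SELECT object=GL_LEDGER ticket=-
2007-03-01T09:15:30Z user=dba_ann role=DBA action=ALTER object=GL_LEDGER ticket=CHG-1042
2007-03-01T10:02:11Z user=dba_ann role=DBA action=DROP object=AP_INVOICES_BAK ticket=-
2007-03-01T11:20:45Z user=jsmith role=APP action=UPDATE object=GL_LEDGER ticket=-
2007-03-01T12:00:00Z user=dba_bob role=DBA action=RESTORE object=PRODDB ticket=CHG-9999
2007-03-01T13:05:17Z user=mon_admin role=MONITOR_ADMIN action=CONFIG object=AUDIT_POLICY ticket=-
2007-03-01T14:30:02Z user=dba_bob role=DBA action=UPDATE object=GL_LEDGER ticket=-
"""

# Constructed change-management record: ticket id -> user approved to perform the change.
APPROVED_CHANGES = {"CHG-1042": "dba_ann"}

SENSITIVE_OBJECTS = {"GL_LEDGER", "AP_INVOICES"}      # financial data in SOX scope
DDL = {"CREATE", "ALTER", "DROP", "TRUNCATE"}
PRIVILEGED_ACTIONS = DDL | {"BACKUP", "RESTORE", "GRANT", "CONFIG"}
PRIVILEGED_ROLES = {"DBA", "MONITOR_ADMIN"}
DML = {"INSERT", "UPDATE", "DELETE"}
LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) object=(?P<obj>\S+) ticket=(?P<ticket>\S+)$"
)

@dataclass
class Finding:
    ts: str
    user: str
    action: str
    obj: str
    reason: str

def parse_audit_log(text):
    """Yield one dict per well-formed audit line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def needs_change_ticket(event):
    """Privileged activity, or a privileged user writing financial data directly."""
    if event["action"] in PRIVILEGED_ACTIONS:
        return True
    return (event["role"] in PRIVILEGED_ROLES
            and event["action"] in DML
            and event["obj"] in SENSITIVE_OBJECTS)

def reconcile(text, approved):
    """Return findings for events that needed a ticket but have no matching approval."""
    findings = []
    for ev in parse_audit_log(text):
        if not needs_change_ticket(ev):
            continue
        ticket = ev["ticket"]
        if ticket == "-":
            reason = "no change ticket recorded"
        elif approved.get(ticket) != ev["user"]:
            reason = f"ticket {ticket} not approved for {ev['user']}"
        else:
            continue  # audit trail and change management agree: approved change
        if ev["role"] == "MONITOR_ADMIN":
            # Reconfiguring the monitoring tool itself is a management override of the control.
            reason = "management override: " + reason
        findings.append(Finding(ev["ts"], ev["user"], ev["action"], ev["obj"], reason))
    return findings

if __name__ == "__main__":
    for f in reconcile(AUDIT_LOG, APPROVED_CHANGES):
        print(f"{f.ts} {f.user:<10} {f.action:<8} {f.obj:<16} {f.reason}")
```

Ordinary application writes to the ledger (the jsmith UPDATE) are deliberately not flagged; the point is privileged users and privileged actions, which is where the auditors' attention lies.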

URL: https://www.sciencedirect.com/science/article/pii/B978159749198350010X

Statutory and Regulatory GRC

Leighton Johnson, in Security Controls Evaluation, Testing, and Assessment Handbook, 2016

Sarbanes–Oxley – 2002

The Sarbanes–Oxley Act (SOX) – Public Law 107-204, 116 Statute 745 – was passed in July 2002. This Act set in place the revised standards for risk, operations, accounting and reporting, compliance, and governance for all US public company boards of directors, management, and public accounting firms. The SOX was enacted as a result of several major corporate scandals during the late 1990s including Enron, Tyco, and WorldCom. As a result of SOX, top management must now individually certify the accuracy of financial information. Additionally, penalties for fraudulent financial activity are much more severe and there is now a requirement for increased oversight by the corporate boards of directors and the independence of the outside auditors who review the accuracy of corporate financial statements.

The SOX contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the law. The SOX also created a new, quasi-public agency, the Public Company Accounting Oversight Board (PCAOB), which is charged with overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies. The SOX also covers issues such as auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure as follows:

Addressed specific areas such as:

Top management must individually certify the accuracy of financial information.

Provided for penalties for fraudulent financial activity that are much more severe than those previously set out in law.

Increased the independence of the outside auditors who review the accuracy of corporate financial statements.

Increased the oversight role of boards of directors.

SOX reporting criteria:

Assess both the design and the operating effectiveness of selected internal controls related to significant accounts and relevant assertions, in the context of material misstatement risks.

Understand the flow of transactions, including IT aspects, in sufficient detail to identify points at which a misstatement could arise.

Evaluate company-level (entity-level) controls, which correspond to the components of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework.

Perform a fraud risk assessment.

Evaluate controls designed to prevent or detect fraud, including management override of controls.

Evaluate controls over the period-end financial reporting process.

Scale the assessment based on the size and complexity of the company.

Rely on management’s work based on factors such as competency, objectivity, and risk.

Conclude on the adequacy of internal control over financial reporting.

URL: https://www.sciencedirect.com/science/article/pii/B9780128023242000038

Compliance

Deborah Gonzalez, in Managing Online Risk, 2015

Sarbanes-Oxley Act

The Sarbanes-Oxley Act (SOX) became law in 2002.[40] “The Act mandated a number of reforms to enhance corporate responsibility, enhance financial disclosures and combat corporate and accounting fraud, and created the ‘Public Company Accounting Oversight Board,’ also known as the PCAOB, to oversee the activities of the auditing profession.”[41] Although SOX doesn’t use the term social media, it does have Section 409, which requires companies to “disclose to the public on a rapid and current basis such additional information concerning material changes in the financial condition or operations of the issuer, in plain English, which may include trend and qualitative information and graphic presentations, as the Commission determines, by rule, is necessary or useful for the protection of investors and in the public interest.”[42] For those who advocate the use of social media, it seems a no-brainer that disseminating information via Twitter would be a fast, if not one of the fastest and most current, ways to get the information out. But that also means your company should use the same social media channels to correct misinformation or inaccurate information. Also, using Twitter does not replace the requirement of a press release to be in compliance with SOX. Michelle Sherman of Sheppard, Mullin, Richter & Hampton, LLP, emphasizes that you should “make sure the social networking sites reflect the most current information including changes in your public financial reporting.”[43] In her article reviewing the trouble Credit Suisse got into because information on its Website was not current (and they were fined $4.5 million), Sherman outlined some lessons learned:

Have an audit done of your Website and social media sites to make sure the information posted there is not arguably outdated, incorrect, or misleading.

Before acquiring a company, conduct a similar audit to identify any potential risks of your company being financially responsible for preacquisition violations of FINRA regulations or SOX on the target company’s respective websites or social media accounts.

Update your company compliance practices and safeguards to ensure that disclosures are being made to all disclosure venues including the less conventional ones such as Facebook and Twitter. This should ideally include coordination between legal, public relations, and finance.

Do not disclose financial information on Twitter or Facebook that is not available elsewhere.[44]

URL: https://www.sciencedirect.com/science/article/pii/B9780124200555000074

Overview – The Goals of This Book

Christian B. Lahti, Roderick Peterson, in Sarbanes-Oxley IT Compliance Using Open Source Tools (Second Edition), 2007

IT Manager Bob – The Nightmare

The SOX audit is much more in depth, costly, and resource intensive than any other audit you might have experienced before.

SOX will affect virtually every person in your organization.

Companies are compelled to comply if they are publicly held, regardless of size or revenue.

What This Book Is and Is Not

This book is a technical book at heart; however, much material on the business side is presented to place the technology into a frame of reference for SOX compliance.

The examples and technologies presented here are based on open source technologies to help you save time, resources, and money.

This book is not a road map on how to comply; that would be impossible, since every business is unique.

This book is not about financial compliance; it is strictly focused on the IT considerations for SOX. There are many other references for that particular aspect.

Who Should Read This Book

Non-IT Management: Even though you may not be in the IT department directly, you will have an over-arching understanding of how open source can help.

IT Management: This book demonstrates open source to assist and automate the task of documenting and tracking compliance and internal controls, independent of whether they are derived from proprietary or open source systems, and outlines the business reasons and benefits derived from such an environment.

IT/Financial Consultants: The live CD provides a valuable toolset one can use to improve a client's IT processes, and hopefully make their SOX compliance a less painful and costly experience.

Principals of Non-public Companies: If you are considering an IPO, you should read this book to understand some of the implications SOX will bring to the table, together with an idea of how open source can offset some of the requirements.

The Open Source Model

The quality of open source tends to be very high because of the constant peer review of developers, users, and hackers that make up the project community.

The GPL is the most common open source license in use today, but there are many others.

The GPL's main features are that it compels one to make the source code and a copy of the license available when distributing copies of the software, and that all modifications to the original source, and any source it is tied to, must also be licensed under the GPL.

The LGPL requires the source code to be made available for the LGPL-licensed project, but allows binary-only linking to other applications and does not require those applications to be licensed in any particular way.

The BSD license allows users to do whatever they like to the software with very little or no restrictions.

The Business Case for Open Source

Deploying open source can have costs associated, such as purchasing a support contract from distribution vendors, paying project developers for specific functionality that your organization requires, hiring in-house developers to work on a project, and leveraging community support. In addition, you might consider a donation to help defray project costs.

Open source can save money in many ways. There are no initial license fees to pay, and deployment costs are usually no higher, and often lower, since closed source deployments may require customizations. High reliability and security reduce costly downtime.

Intangible benefits include freedom of choice and risk mitigation, since having access to the source ensures the continuation of a project regardless of whether a company goes out of business or decides to end-of-life a product.

VM Spotlight: CentOS GNU/Linux Distribution

CentOS is an Enterprise-class Linux distribution derived from sources freely provided to the public by a prominent North American Enterprise Linux vendor. CentOS is developed by a team of core developers, who are backed by a large, active, and growing user community.

The two main criteria in choosing a Linux distribution are functionality and support. CentOS provides rock-solid reliability via the repackaging of the Red Hat Enterprise product line, including Xen virtualization and out-of-the-box clustering support. There are many avenues of freely available support in the form of mailing lists, robust user documentation, and user forums.

Case Study – NuStuff Electronics Inc.

NuStuff Electronics is our example company for the case study used throughout this book. Our fictional company is a successful semiconductor designer of baseband communication chips for OEMs of digital telephones. Operations span the globe with offices in India, Japan, Singapore, the United Kingdom, and two offices in the United States. NuStuff outsources its manufacturing needs to contract electronics fabrication firms, and has approximately 800 employees worldwide. NuStuff has 60 million in assets and quarterly revenues averaging $20 million.

NuStuff has already embraced open source and Linux technologies to a great extent, and has consolidated its IT infrastructure by standardizing on Linux in the server room and eliminating as many Windows servers as possible, although it does have a few proprietary and legacy applications that run only in a Windows environment. Its desktop topology is a mixture of Linux and Windows clients.

URL: https://www.sciencedirect.com/science/article/pii/B978159749216400001X

Information Systems Legislation

Craig Wright, in The IT Regulatory and Standards Compliance Handbook, 2008

The Sarbanes-Oxley Act

The Sarbanes-Oxley Act (or “The Public Company Accounting Reform and Investor Protection Act of 2002”) is typically called SOX or Sarbanes-Oxley. SOX was intended to offset a perceived decline in public trust after a series of accounting outrages. SOX establishes enhanced accounting and auditing standards for all publicly traded companies in the US and the affiliates of these companies. It mandates the evaluation and disclosure of the effectiveness of the internal controls implemented by a company. The chief executive officer and chief financial officer of the company are required to certify financial reports.

SOX requires company executives to be accountable for the security, accuracy, and reliability of all IT systems used in reporting financial information. This accountability must be reflected in the internal controls used to manage the companies’ information systems used for the processes of financial reporting.

URL: https://www.sciencedirect.com/science/article/pii/B9781597492669000217

What's In a Framework?

Christian B. Lahti, Roderick Peterson, in Sarbanes-Oxley IT Compliance Using Open Source Tools (Second Edition), 2007

Summary

The Sarbanes-Oxley Act of 2002 and COBIT have come to be synonymous with each other. Other standards exist, but COBIT has been most widely adopted by the PCAOB for audit firms. The COBIT guidelines are good standard operating procedures for IT organizations, but they are not practical for companies to implement as written. Our fictitious company, NuStuff Electronics, demonstrated how, with planning and knowledge of their own operating environment, the COBIT guidelines could be culled down into something more manageable.

ITIL is another framework being used by IT organizations to achieve regulatory and/or act compliance. However, it too comes with certain problems. The updated ITILv3 serves as a model, showing that even when frameworks are modified they will not be able to fulfill everyone's needs. They will still require interpretation and customization. There is no panacea as far as frameworks are concerned.

URL: https://www.sciencedirect.com/science/article/pii/B9781597492164000045

Ethics

Jason Andress, Steve Winterfeld, in Cyber Warfare (Second Edition), 2014

Abstract

The Sarbanes–Oxley Act of 2002 specifies that corporations must publish a code of ethics for their senior officers, or disclose their reason for not having one. As in business, ethics are important in cyber warfare too. However, cyber operations do not have all of the same attributes that traditional warfare does. Therefore, when considering activities that might be classified as cyber warfare, it is important to realize that things that are clear in conventional warfare—determining whether an attack is taking place, who is attacking, who is being attacked, and consequences of an attack—may not be as they seem. With this in mind, this chapter covers ethics surrounding cyber warfare. Besides discussing the potential for cyber attacks to be misattributed, the chapter covers secrecy in attacks, noncombatant immunity, use of force, mistaking a technical problem for an attack, intent behind an attack, and collateral damage resulting from an attack.

URL: https://www.sciencedirect.com/science/article/pii/B9780124166721000143

Layer 8: The People Layer

In Hack the Stack, 2006

Sarbanes-Oxley

The Sarbanes-Oxley Act of 2002, also known as SarbOx, SOX, and the Public Company Accounting Reform and Investor Protection Act, was passed in response to the corporate scandals involving Enron, Tyco International, and Worldcom (now MCI). These companies misrepresented the condition of their business to shareholders and to the Securities and Exchange Commission (SEC). In the case of Enron, the employees were seriously harmed, not only by the loss of employment, but also by devaluation of their 401(k) retirement plans to virtually zero worth. While executives of Enron were encouraging employees to load up their 401(k) accounts with Enron stock, they were quietly selling off their own stock. SEC rules allowed some types of this insider trading to go unreported for more than a year. Sarbanes-Oxley includes these provisions:

The chief executive officer and chief financial officer must certify financial reports

The company cannot make personal loans to executive officers and directors

Insider trading must be reported much sooner

Insiders (officers and directors) cannot trade during pension fund blackout periods, in which pension fund (e.g., 401(k) account) participants are prohibited from trading

There must be public disclosure of compensation for the chief executive and financial officers

An auditor cannot provide other services to the company. In the case of Enron, their auditor (Arthur Andersen) was also making money for the company, consulting on mergers and acquisitions and other services.

Longer jail sentences and bigger fines for executives knowingly misstating financial statements

Because IT systems are used by all major corporations to produce the information used in financial reporting processes, the chief information officer of a public company plays a large role in complying with Sarbanes-Oxley, even though the act primarily tasks the chief executive officer and the chief financial officer.

URL: https://www.sciencedirect.com/science/article/pii/B9781597491099500137

What does the Sarbanes

The Sarbanes-Oxley Act of 2002 is a federal law that established sweeping auditing and financial regulations for public companies. Lawmakers created the legislation to help protect shareholders, employees and the public from accounting errors and fraudulent financial practices.

Which of the following issues is addressed by the Sarbanes Oxley legislation?

The Sarbanes-Oxley Act was passed by Congress to curb widespread fraudulence in corporate financial reports, scandals that rocked the early 2000s. The Act now holds CEOs responsible for their company's financial statements.

What is another name for Sarbanes

The act was named after the bill sponsors, Senator Paul Sarbanes and Representative Michael Oxley, and is also commonly referred to as SOX.

How many titles does Sarbanes Oxley have?

The 11 Titles of Sarbanes–Oxley

There are 11 titles to SOX, each of which contains sections detailing their requirements and responsibilities as well as possible penalties for non-compliance.