Accounting controls for publicly traded companies – SOX
The Public Company Accounting Reform and Investor Protection Act of 2002, commonly known as “Sarbanes-Oxley” or “SOX”, was enacted in response to a wave of unethical financial practices by public corporations. In a nutshell, it had become too easy for a company to “cook the books”, and for executives to line their pockets at the expense of shareholders while claiming ignorance of what was being reported. SOX greatly tightened the rules on how companies maintain and report financial data, and on their financial processes generally.
SOX is enforced by the U.S. Securities and Exchange Commission (SEC). SOX requires that covered companies maintain tight control over access to their sensitive financial data. The Information Technology Governance Institute (ITGI), a group created to assist companies with IT governance, has published a set of security-related recommendations to help with SOX compliance.

One of the controls SOX's internal-control provisions are meant to enforce, as a preventative against embezzlement, is that no single individual in a company should be in a position to both initiate and approve or receive any given payment, a so-called segregation of duties requirement. For that control to be auditable, a company must be able to prove the identity of the author of key communications, such as emails that authorize or acknowledge payments, and to state with certainty that those communications have not been tampered with. The Business Software Alliance (BSA) formed an Information Security Governance Task Force, which identified ISO 27002 as a standard that serves this purpose satisfactorily, heightening the importance of that standard. See below for a description of ISO 27002.