The point to remember about SOX is that it is primarily concerned with the accuracy of financial reporting data. Under SOX, IT security matters to the extent that it improves the reliability and integrity of financial reporting.
Sarbanes Oxley seems wholly focused on the accuracy of a company's financial records and controls around these records, so where does IT security come into the picture?
At a recent computer security conference in Las Vegas, I was struck by the fact that every computer security vendor was advertising its product, software, service or consulting services as "100% Sarbanes Oxley Compliant." It is rather like a food label claiming "fat free" or "reduced carbs." It got me wondering: does the Sarbanes Oxley law really have anything at all to do with computer security? The quick answer is, not as much as you might suspect, but more than the law did before.
A bit of history
To understand the Sarbanes Oxley Act of 2002 (SOX), you have to understand Enron. After reading Kurt Eichenwald's 742-page tome about the Enron scandal, I cannot claim to understand even what Enron did for a living. However, the Enron accounting scandal that led to SOX was a combination of corporate arrogance, director and officer inattention, CFO greed, pervasive conflicts of interest, accountants who were captured by their client, and a failure to heed numerous warning signs, including those of inside whistleblowers like Sherron Watkins. At its core, the Enron debacle involved the United States Securities and Exchange Commission's approval of an aggressive form of accounting called "mark to market" (likely inappropriate for the uses Enron put it to), coupled with a series of CFO-owned limited partnerships which were used to offload significant quantities of Enron debt while, at the same time, that debt was actually being reassumed by Enron itself.
The surest sign of accounting fraud is financial transactions that have no true independent economic value (although such things are commonplace in the accounting world -- think sale and leasebacks, offshore corporations and subsidiaries, etc.). Enron's accounting firm, Arthur Andersen, was beholden to its client for significant fees not only from accounting but from consulting services as well, creating additional conflicts of interest. Complaints of whistleblowers were dismissed by senior Enron management, because they felt as if they were, in the words of movie director Alex Gibney, "The Smartest Guys in the Room."
When SEC and DOJ investigations ensued, Andersen's counsel reminded everyone about the Andersen rule on not retaining accounting workpapers, leading to what was essentially a shredding party -- although the U.S. Supreme Court heard oral arguments during the last week of August on whether or not this activity was even criminal.
After Enron, Congress faced a series of other companies that had either been indicted for fraud or had to significantly restate earnings because of a failure to accurately capture income and expenses. These include HealthSouth, Adelphia, Tyco, WorldCom, Qwest Communications, and Global Crossing. In each of these cases, it is alleged that senior management participated in events which led to the misstatement of earnings and the deception of investors. Indeed, each of these cases involves corporate officials stealing from the company as much as stealing for the company.
What is important to note about each of these major financial frauds -- the ones that essentially led Congress to act -- is that none of them involved a breakdown in computer security. Indeed, had there been significant improvements in computer security and access control at each of these companies, the result would most likely have been the same: the people who cooked the books were the people authorized to use the systems.
Congress gets involved
Otto von Bismarck once said that those who like sausage and have respect for the law should not watch either being made. The same could be said about the United States Congress. The Sarbanes Oxley Act imposes significant accounting and control requirements on U.S. publicly owned companies (and probably on foreign companies which are either traded on U.S. exchanges or which make up a significant part of a U.S. company's financial reporting). The new law, which was signed on July 30, 2002, directly addresses the Enron scandal by, for example: establishing records retention requirements for audit papers; creating a new oversight board, the Public Company Accounting Oversight Board (PCAOB), for accounting firms auditing publicly traded companies; mandating auditor independence; mandating corporate responsibility and accountability at publicly traded companies; reducing conflicts of interest of financial analysts; providing protections for whistleblowers; and imposing new criminal penalties relating to fraud, conspiracy, and interfering with investigations. You would be hard pressed, in reading the text of SOX, its legislative history, or any of the voluminous testimony surrounding it, to find the words "computer security" or "computer crime."
There are several provisions of SOX which do, however, impact IT auditors and security professionals -- even if only tangentially. For example, Section 302 requires the CEO and CFO to certify that the financial reports are true and accurate, and that adequate controls over financial reporting and disclosure exist. Section 404 addresses these controls directly: management must assess and report on the effectiveness of its internal control over financial reporting, and the outside auditors must attest to that assessment. Section 409 requires publicly traded companies to promptly report any changes in financial condition or reporting that might be material to investors, and Section 802 mandates that companies and their auditors maintain accounting documents and work papers for a minimum of seven years. Nary a mention of IT security. Indeed, SOX seems wholly focused on the accuracy of a company's financial records and the controls around those records -- income, expenses, accounting, liabilities, etc. Where does IT security come into the picture?
When the Public Company Accounting Oversight Board, created as a result of SOX, got to work, it established auditing standards, including Auditing Standard No. 2, titled "An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements." This document recognized that senior management cannot simply certify the controls on the financial system itself; the controls also have to govern the way financial information is generated, accessed, collected, stored, processed, transmitted, and used throughout the system. That is where access control, change management, and the integrity of the underlying IT systems enter the picture: if anyone with network access can alter the ledger, the certification under Sections 302 and 404 rests on nothing.
