COBIT, COSO, ITIL and OATBNL (And other acronyms to be named later)
Because of SOX's reliance on controls, the Committee of Sponsoring Organizations of the Treadway Commission (headed by former SEC member James Treadway) developed a series of controls for financial processes which are now known as the COSO guidelines. COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting. For IT auditors, the relevant guidelines are COBIT (Control Objectives for Information and Related Technologies), which is an open standard published by the IT Governance Institute and the Information Systems Audit and Control Association. (In the UK, there is the IT Infrastructure Library, published by the Office of Government Commerce in Great Britain, which complements COBIT.) These are a series of IT controls which should be in place in order to make such a SOX certification with respect to IT.
But here is the fundamental question -- has there ever been a pervasive and material financial fraud which has resulted directly or indirectly from a failure of an IT security control? Would IT controls have prevented or detected the frauds at Enron, WorldCom, Tyco, and the like?
The answer to the former question is probably yes. If we look back historically to things like the Barings Bank/Nick Leeson fraud of the late 1980s, or the Allied Irish Bank/Allfirst fraud of the beginning of this millennium -- cases in which trusted employees generated and concealed tremendous losses for the company -- IT security controls may have been able to prevent or detect such frauds, which certainly would have been material to investors. While such frauds perpetrated by insiders are difficult to detect because the insiders frequently have intimate knowledge of the controls themselves, processes that provide for things like access control, detection of unusual account or access activity, and checks and balances for records relating to financial reporting may provide early warning of such fraudulent activity. At best you can make such systems fraud resistant -- not foolproof. Indeed, in many cases those committing significant frauds against a company must obtain unauthorized or superuser access to IT systems in order to either perpetrate the frauds or conceal them. IT security controls can also help companies certify compliance with other legal and regulatory requirements -- a SOX mandate.
But for frauds like the next Enron and their ilk, IT security -- even under COBIT guidelines -- would likely provide no remedy. Where key decisions about how to account for profits, losses and liabilities are created by senior management and approved by independent accountants, all that the IT staff does is streamline the process for ensuring that these decisions are effectuated -- not preventing fraudulent or erroneous assumptions.
Contingent liabilities
One underemphasized provision of SOX is the requirement that companies disclose to investors both material events and contingent liabilities that might impact the bottom line. In this regard, IT security becomes more relevant. If you had a choice between investing in a financial institution (or a nuclear power plant) that had sound IT security practices, or one that had none, clearly you would find the IT security decisions to be important. Similarly, a significant attack on an infrastructure could yield losses to confidentiality, reliability or integrity of systems or data that would have to be disclosed to investors (just ask ChoicePoint about that).
The thing to remember about SOX is that it is primarily focused on the accuracy of financial reporting data. IT security is important under SOX only to the extent that it enhances the reliability and integrity of that reporting. To the extent that SOX provides an incentive to companies to do that which they reasonably should be doing anyway, by all means feel free to use it to convince senior management. The better reason to have good controls over IT and IT security, however, is not because it will make you SOX compliant -- but because it will make your business more efficient, enable you to better utilize your data, and allow you to trust ALL the data, not just financial reporting data. If it takes a few senior executives going to jail to achieve that, so be it.
Now ask yourself: are your security vendor's products "100% Sarbanes Oxley Compliant?" You can bet they probably are. And remember, their solutions meeting SOX compliance are also 100% cholesterol free!
