Sarbanes-Oxley is clear: companies must have internal controls in place and the effectiveness of those controls must be audited. However, the law does not address the reliability of the company's information systems, which is now being addressed by the Securities and Exchange Commission, Dow Jones Newswires reported.
"We're leveraging our oversight role to encourage public accounting firms to look very closely at information-security controls of those companies," Chrisan Herrod, the SEC's chief security officer, said Tuesday during a conference on cybersecurity, which was reported by Dow Jones.
The SEC is asking auditors to look closely at information-security systems when assessing client companies' internal controls. Companies with fiscal years ending in November are among the first to be required by Sarbanes-Oxley to file an auditor's report on the effectiveness of their internal controls.
The 2002 corporate governance law does not specifically address the assessment of corporate information systems for reliability, but some argue that the systems provide the crux of internal control and financial integrity, Dow Jones reported.
The law "when it was written, may not have been intended to examine information technology, but I think there is some reasonable discussion to be had about whether you can certify the financial statements absent an examination of the information technology infrastructure that supports that," Bob Dix, staff director on the House Technology subcommittee, told Dow Jones.
SEC regulators don't plan to address the gap through legislation; instead, they plan to spread the word to the audit community that testing information systems as part of an internal-controls audit is a good idea.
"CEOs in corporate America still don't get it," Herrod, who worked as chief security officer for companies including GlaxoSmithKline PLC (GSK) before joining the SEC, told Dow Jones. "They still don't concern themselves with information security ... as much as you would think they would, given the events of the last three years."