Auditors are Urged to Test Information System Integrity
Sarbanes-Oxley is clear: companies must have internal controls in place and the effectiveness of those controls must be audited. However, the law does not address the reliability of the company's information systems, which is now being addressed by the Securities and Exchange Commission, Dow Jones Newswires reported.
"We're leveraging our oversight role to encourage public accounting firms to look very closely at information-security controls of those companies," Chrisan Herrod, the SEC's chief security officer, said Tuesday during a conference on cybersecurity, which was reported by Dow Jones.
The SEC is asking auditors to look closely at information-security systems when assessing client companies' internal controls. Companies with fiscal years ending in November are among the first to be required by Sarbanes-Oxley to file an auditor's report on the effectiveness of their internal controls.
The 2002 corporate governance law does not specifically address the assessment of corporate information systems for reliability, but some argue that the systems provide the crux of internal control and financial integrity, Dow Jones reported.
The law "when it was written, may not have been intended to examine information technology, but I think there is some reasonable discussion to be had about whether you can certify the financial statements absent an examination of the information technology infrastructure that supports that," Bob Dix, staff director on the House Technology subcommittee, told Dow Jones.
SEC regulators don't plan to address the deficiency through legislation but rather plan to spread the word to the audit community that the information systems test is a good idea.
"CEOs in corporate America still don't get it," Herrod, who worked as chief security officer for companies including GlaxoSmithKline PLC (GSK) before joining the SEC, told Dow Jones. "They still don't concern themselves with information security...as much as you would think they would, given the events of the last three years."
Voice of the Editor
Which isn’t completely true. I mean, occasionally I drop by when I manage to sneak out of the nonstop frat party over at Going Concern, but I’m mostly a wallflower over there. I’m happy to say that I’ve been given express permission (or explicit orders, if you like) to wander over here to AccountingWEB more often.
Why is that, you might ask? My job is to replace the irreplaceable Gail Perry as Editor-in-Chief. What does that mean? I don’t really know! I think it’ll be fun getting a feel for things, throwing in my own thoughts here and there, and listening to the discussions you’re having about the accounting profession.