Keeping IT Secure and Complying with SOX

As public companies scramble to meet the many layers of requirements contained in the Sarbanes-Oxley Act, information security is getting serious attention.

The Public Company Accounting Oversight Board (PCAOB) requires companies and their auditors to maintain audit records for seven years. SOX carries heavy penalties for companies that destroy, alter or falsify business records, which include e-mail and instant messages. Section 802, for example, calls for fines of up to $1 million and prison terms of up to 20 years “for knowingly deleting an e-mail with the intent to impede, obstruct or influence a current or future federal investigation.”

Security Computing magazine reports that companies are mulling a “delete everything” policy when it comes to e-mail, or an approach that allows some e-mails to be deleted while others are saved.

Some experts are advising companies to save nearly all e-mail as a business record to protect against both federal audits and lawsuits. Many are using a third-party service that can store and retrieve the communications when needed, the magazine reported.

According to the Sarbanes-Oxley Compliance Journal, consistent security controls are needed not only to meet the SOX requirements, but to ensure that IT systems are working properly and are monitored for security violations.

While many organizations are starting to put well-documented IT security policies in place, many are not there yet, instead going through the time-consuming process of gathering the information needed. Some companies are automating IT controls, keeping in mind that controls must be “reasonable, enforceable and auditable,” the SOX Journal reported.

SecurityFocus columnist Mark Rasch wrote in The Register, the UK's biggest technology website, “The better reason to have good controls over IT and IT security, however, is not because it will make you SOX compliant - but because it will make your business more efficient, enable you to better utilize your data, and allow you to trust ALL the data, not just financial reporting data.”
