Keeping IT Secure and Complying with SOX

As public companies scramble to meet the many layers of requirements contained in the Sarbanes-Oxley Act, information security is getting serious attention.

The Public Company Accounting Oversight Board (PCAOB) requires companies and their auditors to maintain audit records for seven years. SOX carries heavy penalties for companies that destroy, alter or falsify business records, which include e-mail and instant messages. Section 802, for example, calls for fines of up to $1 million and prison terms of up to 20 years “for knowingly deleting an e-mail with the intent to impede, obstruct or influence a current or future federal investigation.”

Security Computing magazine reports that companies are mulling a “delete everything” policy when it comes to e-mail, or an approach that allows some e-mails to be deleted while others are saved.

Some experts are advising companies to save nearly all e-mail as a business record to protect against both federal audits and lawsuits. Many are using a third-party service that can store and retrieve the communications when needed, the magazine reported.

According to the Sarbanes-Oxley Compliance Journal, consistent security controls are needed not only to meet the SOX requirements, but to ensure that IT systems are working properly and are monitored for security violations.

While many organizations are starting to put well-documented IT security policies in place, many are not there yet, instead going through the time-consuming process of gathering the information needed. Some companies are automating IT controls, keeping in mind that controls must be “reasonable, enforceable and auditable,” the SOX Journal reported.

SecurityFocus columnist Mark Rasch wrote in The Register, the UK's biggest technology website, “The better reason to have good controls over IT and IT security, however, is not because it will make you SOX compliant - but because it will make your business more efficient, enable you to better utilize your data, and allow you to trust ALL the data, not just financial reporting data.”
