SOX

After a number of high-profile business scandals in the United States, including Enron and WorldCom, the Sarbanes-Oxley Act of 2002 (SOX) was enacted as legislation. This act is also known as the “Public Company Accounting Reform and Investor Protection Act.” The purpose is to “protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.”28 This regulation affects all companies listed on stock exchanges in the United States.

In section 404, SOX requires that “each annual report … contain an internal control report … [that] contains an assessment of … the effectiveness of the internal control structures and procedures of the issuer for financial reporting.” Because information technology plays a major role in the financial reporting process, IT controls need to be assessed to determine whether they fully satisfy this SOX requirement. Although information security requirements are not specified directly in the Act, a financial system could not continue to provide reliable financial information without appropriate security measures and controls in place, given the risk of unauthorized transactions or manipulation of numbers. SOX requirements therefore indirectly compel management to consider information security controls on systems across the organization in order to comply with SOX.29
