The SOX Act was established as a reaction to numerous financial scandals (e.g., Enron, WorldCom) and is designed to increase corporate accountability and implement measures to defend against corporate and accounting fraud.
While there are numerous sections to the SOX Act, there are two that stand out regarding information security requirements:
Section 302 requires that officers of the company (CEO and CFO) sign off on quarterly and annual reports to, amongst other items, attest that the report is complete and accurate and to report on the effectiveness of internal controls.
Section 404 requires that an assessment of internal control over financial reporting be conducted and included as part of the annual report. While the assessment of controls focuses on those relevant to financial reporting, the requisite level of control depends on IT functionality. Because of this relationship, the assessment must include an evaluation of the design and operational effectiveness of general IT controls.
Addressing SOX Section 404 will require the organization to incorporate information technology controls in a manner consistent with a control framework such as ISO 27001 or Control Objectives for Information and related Technology (COBIT).
Publicly Traded Companies