The Sarbanes-Oxley act of 2002(SOX) is a form of legislation, also known as the “Public Company Accounting Reform and Investor Protection” in the legislature and in the house. It is referred to as ‘Corporate and Auditing Accountability and Responsibility Act’. The Sarbanes-Oxley act is a United States federal law enacted in the year 2002 that set new and enhanced standards for all the management and public accounting firms, public company boards in the U.S. (Cote). The bill passed and enacted due to the reactions of some of the big corporate and amounting scandals. Therefore, the enacting was as a result of the responses to the financial scandals to major firms. The bill meant to protect the general public and the shareholders from errors associated with accounting and fraudulent practices in the firms. Management of Sarbanes-Oxley act is by the Securities and Exchange Commission (SEC) that is responsible for setting deadlines for compliance. It is also responsible for and also the publishing of rules on requirements. The Sarbanes-Oxley act is not a set of business activities and does not specify how a business should either store its records and when. Moderately, it is a definition of which records are to be stored and for how long they are to be stored (Robertson 57).
The legislation of the above act does not only affect the financial sector of corporations. It also affects the IT area whose role is the storing of firms electronic records. The Sarbanes-Oxley Act states that all the business records, including electronic messages, electronic records and needs to be saved for “not less than five years.” The outcomes for non-compliance firms are either fines or imprisonment, or both. The IT departments are increasingly facing the test of creating and maintaining a company’s records collection in a cost-effective manner that satisfies the requirements that are stated by the legislation in the United States (Robertson 588). The aspect of compliance is basically a fixed aspect of corporate IT society. This is due to the fact that the Sarbanes- Oxley act rules and regulations requirements are that an audit trial of the log documents and all the related files in a firm must be retained for a period of five years. Both the electric and the paper versions of files need to be retained for the above period of time; however, the act does not give the ways in which the files are to be stored. That is the role of the IT managers to come up with the best ways of data storage, recovery and protection. This means that the impact of the Sarbanes-Oxley act is a major issue to every component of the IT operations. The IT operations include the data storage, messaging, virtualization, and networking. Therefore, the IT managers must be able to provide electronic records for all the audit trials for the compliance audits (Robertson 60).
The major things that IT managers will have to do differently when Sarbanes-Oxley becomes fully implemented and effective includes such as:
This is a major area that will have to change in the IT firms; this is due the fact that this filed is responsible for the transportation of the financial reporting data and all the transactions that can affect this data in all the networking hosts. In most cases, the firms’ network is extended to business partners, customers and suppliers. In order to ensure that the data is not tampered with, lost or damaged requires a strong control organization around the company’s network infrastructure. The act also has penalties on the it personnel who tampers with the data Sec. 802(a) “Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not, more than 20 years, or both.”(Phillips 83). In order to gauge the effectiveness of the IT security controls at every firm regardless of size, the data is usually based on the financial reports that on the other hand, depend on the IT information systems for the processing and storage and the firm’s network infrastructure for the data accessibility. Therefore, it is vital that a proper control structure is designed at the entity level in order to support all the vital and crucial data for any organization. The IT manager has the role of ensuring that the form he/she is responsible of needs a proper control structure at the entity level in order to support the running of all the business processes and one that it can rely on the aspect of information technology and the surrounding corporate environment. This aspect brings about the rule that defines the preservation period for record storage. Firms should securely store all the business records via the use the same strategies set for public accountants. This is basically the role of the IT sector. The Sarbanes- Oxley act of 2002 states “Sec. 802(a) (1) “Any accountant who conducts an audit of an issuer of securities to which, section 10A (a) of the Securities Exchange Act of 1934 (15 U.S.C 78j-1(a)) applies, shall maintain all audit or review work papers for a period of 5 years from the end of the fiscal period in which the audit or review was concluded” (Phillips 84). The Process level IT Security Controls is a major sector in the IT section that needs an emphasis in accordance to the Sarbanes- Oxley act. This is due to the fact that the process-level assessment is a process that affects the financial report data. Therefore, the IT managers in the firm should ensure that several IT security controls exist, to ensure that the financial reporting data has integrity. These includes such as logging of log-on attempts that are not successful, validation controls, encryption of precise data and transactions (Cote).
The Sarbanes- Oxley act of 2002 requires the IT department to analyze the design and operating effectiveness of the firm both in the process and the entity levels (Cote). This ensures that the financial reporting data is secure and accurate. The presence of a strong and reliable IT security control method is very crucial to the Sarbanes fulfillment. In the absence of this, the administration of the firm will either reveal a significant deficiency in the corporate internal control structure or expose the firm’s organizational employees to personal liabilities especially in cases where they certify financial statements that are not accurate.
Cote, Ben. Failed Audit? Sarbanes-Oxley Compliance Journal. 2008. Web.
Philips, Peter. Security and Loss Prevention: An Introduction. London: Diane publishers. 2007. Print
Robertson, Roy. Sarbanes.-Oxley and the new internal auditing rules. New York: Wiley publishers. 2004. Print