
The Impact of Sarbanes-Oxley (SOX) Act on Information Security Governance
Gurpreet Dhillon & Sushma Mishra

Presented by Elaine Hulitt
13-Feb-2007

Copyright 2007 by Elaine Hulitt

References
[1] W. Borden, “HealthSouth scandal the latest in health care ills,” Reuters News Service, http://www.forbes.com/newswire/2003/11/04/rtr1135443.html, November 2003.
[2] D. Callahan, “WorldCom,” in The Cheating Culture: Why More Americans Are Doing Wrong to Get Ahead, Harcourt, January 2004, http://www.cheatingculture.com/worldcom.htm (current 12 Feb 2007).
[3] The Committee of Sponsoring Organizations (COSO) of the Treadway Commission, http://www.coso.org/ (current 12 Feb 2007).
[4] G. Dhillon & S. Mishra, “The Impact of Sarbanes-Oxley (SOX) Act on Information Security Governance,” Chapter V in Enterprise Information Systems Assurance and System Security: Managerial and Technical Issues, M. Warkentin & R.B. Vaughn, eds., Idea Group Publishing, 2006, pp. 62-79.
[5] The Institute of Internal Auditors, “Applying COSO’s Enterprise Risk Management – Integrated Framework,” http://www.tamus.edu/offices/iaudit/presentations/ERM%20COSO%20Presentation.ppt#258,1,Applying COSO’s Enterprise Risk Management — Integrated Framework, September 2004.
[6] Lerach Coughlin Stoia Geller Rudman & Robbins LLP, “The Enron Fraud,” http://www.enronfraud.com/ (current 12 Feb 2007).
[7] SOX-online, “COSO & COBIT Center,” http://www.sox-online.com/coso_cobit.html (current 12 Feb 2007).
[8] Tyco Fraud InfoCenter, “Tyco Fraud Information,” http://www.tycofraudinfocenter.com/index.php (current 12 Feb 2007).
[9] Wikipedia: The Free Encyclopedia, “Control Objectives for Information and related Technology (COBIT),” http://en.wikipedia.org/wiki/COBIT (current 31 Jan 2007).



The Impact of SOX Act on Information Security Governance

Jeopardy Question
Corporate & Information Technology (IT) Governance
Industry Internal Control Assessment Frameworks
    Fundamental Business Objectives
    Committee of Sponsoring Organizations (COSO) of the Treadway Commission
    Control Objectives for Information and related Technology (COBIT)
Sarbanes-Oxley Act (SOX)
The Importance of Information Technology Governance to SOX
IT Challenges
Conclusion

Let’s Play Jeopardy – Corporations for $1000

Enron
HealthSouth
Tyco
WorldCom


And the Question Is?
Who are: Corporations that were victims of outrageous accounting fraud and corporate governance failures.

Enron: Filed for Chapter 11 bankruptcy in December, 2001; executives accused of insider trading ($1.19 billion); overstated net income by $591 million. [6]
HealthSouth: Executives indicted November, 2003; conspired to inflate earnings by $2.7 billion. [1]
Tyco: Executives charged with civil fraud and theft in September, 2002; accused of stealing $600 million. [8]
WorldCom: Filed for bankruptcy in November, 2002 – largest in American history; overstated earnings by $11 billion. [2]

Corporate & IT Governance

Corporate Governance: “is ethical corporate behavior by directors or others charged with governance in the creation and presentation of wealth of all stakeholders.”
IT Governance: “is a structure of relationships and processes to direct and control the enterprise to achieve its goal by adding value while balancing risk and return over IT and its processes.”

Industry Internal Control Assessment Framework

Internal Controls: A set of policies, procedures, and organizational structures implemented to reduce risk and assure business objectives are achieved.

Fundamental Business Objectives
COSO
COBIT


Fundamental Business Objectives

Economy and efficiency of operations
Reliability of financial and operational data and management reports
Well-guided compliance efforts directed to all laws and regulations.



Committee of Sponsoring Organizations (COSO) of the Treadway Commission Framework
Original control evaluation components
1) Control environment: Are policies and procedures defined and followed that promote ethical behavior?
2) Risk assessment: Are potential threats identified?
3) Control activities: Are control procedures implemented -- checks and balances?
4) Information and communication: Is related internal and external data consulted to make informed decisions?
5) Monitoring: Are control systems evaluated to ensure they are performing as intended?

COSO cont.
Additional control evaluation components



6) Objective setting: Is risk strategy considered when setting objectives?
7) Event identification: Are internal and external events that may influence the risk profile identified?
8) Risk response: Have risk responses been identified, evaluated, used?


Control Objectives for Information and Related Technology (COBIT)

Planning and organization: Must understand the strategic importance of IT and how to best utilize IT to meet business objectives.
Acquisition and implementation: Focuses on development and/or acquisition and implementation of tools to meet business objectives.
Delivery and support: Considers the delivery of system support services; definition of support processes.
Monitoring: Focuses on monitoring all IT processes for quality and compliance with control requirements.


Figure 1. Relationship between COSO components and COBIT objectives (excerpt)

[Table: columns are the COSO components (Monitoring; Information and Communication; Control Activities; Risk Assessment; Control Environment); rows are the COBIT Deliver and Support (DS) control objectives (Define and manage service levels; Manage third-party services; Manage performance and capacity; Ensure continuous service; Ensure systems security; Identify and allocate costs). An “x” marks each COSO component a given DS objective supports; the individual cell marks did not survive extraction.]


Sarbanes-Oxley Act (SOX)

The Public Company Accounting Reform and Investor Protection Act
Law passed by U.S. Congress in July, 2002 (131 pages)
Requires companies to use stringent policies and procedures to report financial information accurately and timely.

SOX cont.

Mandates auditor involvement at every stage of assessment of business effectiveness.
Oversight is provided by the powerful Public Company Accounting Oversight Board (PCAOB).
Violation of any U.S. Securities and Exchange Commission (SEC) rule issued under SOX may result in civil or criminal sanctions.


The Importance of IT Governance to SOX (SOX Control Examples)

Title IX – White Collar Crime Penalty Enhancements: Section 906. Corporate Responsibility for Financial Reports: Holds CEOs, CFOs, and corporate directors both accountable and liable for the accuracy of financial disclosures.

The Importance of IT Governance to SOX (SOX Control Examples cont.)

Title VIII – Corporate and Criminal Fraud Accountability: Section 802. Criminal Penalties for Altering Documents: Establishes new criminal penalties for altering and destroying “corporate audit documents and related records, including e-records.”

The Importance of IT Governance to SOX (SOX Control Examples cont.)

Title IV – Enhanced Financial Disclosures: Section 404. Management Assessment of Internal Controls: Requires CEOs and CFOs to certify the effectiveness of the financial controls they have in place – signed internal control report.

IT Challenges

SOX became law in July, 2002. “SOX came into effect in 2004.” Corporations were required to comply by November, 2004.
Reliable and verifiable data integrity and electronic records retention policy
Integrity of communications
Process/work flows
Disaster recovery practices and security policies
Improve anti-fraud techniques across industries
Rigorous checking of effectiveness of internal controls
Cost of compliance

Conclusion

To comply with the SOX:
companies will need to improve information quality.
Technology improvements are required to provide cost-efficient, online, real-time reporting.

SOX can’t legislate ethics and integrity into the public management process.

Presentation Use Authorization

Permission is granted to share this presentation with the public.
Permission is granted to use this presentation at Mississippi State University.
________________
Elaine Hulitt
13-Feb-2007
