The Sarbanes-Oxley Act 2002 (SOX) requires all US public companies and any Securities and Exchange Commission listed foreign companies to attest and certify as to the integrity of their financial reporting. In reality, even companies outside the scope of SOX are finding that their business partners expect them to be compliant with the Act.
There is much that is right about SOX. It brings information risk management firmly to the board agenda and has raised the visibility of information security and risk management. Yet it is an expensive and sometimes painful exercise, for the legislation was not enacted for the benefit of the organisation, but to protect stakeholders, notably investors.
What does SOX mean for information risk management?
SOX has significant implications and costs for information risk management activities, including IT systems and controls. However the Act offers little guidance as to how compliance should be achieved.
The onus then is on each organisation to interpret the meaning of the Act in its own context, and to be able to justify it to an external party.
This requires a key set of skills, including technical systems-based knowledge, combined with a sound organisational and business understanding, as well as an understanding of risk methodologies.
Typically these skills will be found within information risk management, and thus a significant proportion of the effort to achieve compliance with the legislation may be provided by this function.
What is the problem?
Laying aside the difficulties in translating a law into risk mitigating controls (which is a non-trivial task in itself), there are a number of areas where the SOX compliance process could increase the risk to an organisation's business.
The compliance approach
The compliance requirement of the Sarbanes-Oxley Act mandates an organisation to protect the integrity of financial information, and to prove to an independent third party that it has done so through the use of appropriate controls.
This 'comply or else' approach targets areas of risk relating solely to financial integrity and can be likened to a badly aimed gun. The consequence is that areas of high business risk which would be identified by a risk based approach may not be addressed, as the legislation does not require it.
Integrity, integrity, integrity
By being legally requiring to protect the integrity of financial information, an organisation may find itself focusing on information integrity at the expense of the other properties of information - confidentiality and availability.
Confidentiality of financial information however has its own set of protective legislation, particularly where this information relates to individuals.
In this case the whole arsenal of privacy legislation fires off (for example Data Protection Act (UK), Gramm-Leach-Bliley Act (US)). However, financial information that is not related to individuals, and other non financial information, such as corporate and internal transactions, is not covered by such legislation and therefore may not be adequately protected.
The requirement of SOX to protect the availability of financial information is largely assumed, and is absent from the legislation. This means that risk mitigation related to availability of information is hard to justify as part of the SOX compliance, and may be neglected. One of the areas of greatest confusion this has generated is related to the SOX requirement for adequate disaster recovery and or business continuity provisions.
Put simply - there is no such requirement.
Diversion of resource
These apparent gaps in SOX are to be expected. It was never designed to be an all-encompassing risk mitigation piece of legislation - it does what it says on the tin, nothing more.
In a world where there is unlimited resource to deal with risk mitigation, this would not be a problem. However SOX compliance is expensive, both in resource and hard cash. The reality for an organisation is that risk mitigation activities and budgets will be diverted to the SOX compliance effort, at the expense of other risk management initiatives.
For an organisation whose primary business is financial, this is probably a good thing. Financial information is a key asset for the organisation and money spent protecting it is to be welcomed and could potentially be quantified in improvements in organisational performance.
For an organisation whose primary business is not financial, for example manufacturing or service industries, the importance of financial information may be secondary to other types of information related to day-to-day operations, such as production scheduling or passenger handling systems. For these organisations, even minor problems with the integrity or availability of this type of information can be mission-threatening in a very short space of time.
To summarise, any organisation that has to comply with SOX may experience a diversion of risk mitigation resources away from areas of risk that are truly critical for the business. Hence the overall risk to the business is increased. If SOX compliance was a one-off exercise, this might be an acceptable state of affairs. However, SOX compliance is on-going, and this diversion of resource can be expected to be sustained.
The hidden cost of fraud
Section 302 of the Sarbanes-Oxley Act 2002 states that a disclosure must be made of 'any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls'. This provision is often neglected in the SOX compliance exercise, but can be an item that can incur significant additional costs.
For such a disclosure to be made, it is implicit that there are appropriate mechanisms for the detection of fraud of any magnitude. Again, this compliance approach may be at odds with the way that some organisations function.
In a number of market sectors, fraud is considered to be an overhead of doing business, and a level of fraud is tolerated, but called by another name - such as 'shrinkage' or 'ullage'. Some organisations may find that the SOX obligations are at odds with the way they do business.
Of course SOX does not require prevention of fraud, just the reporting of it, but it does implicitly require that there are detection mechanisms and systems in place - again a non-trivial and potentially expensive task.
So what is wrong with SOX?
The Sarbanes-Oxley Act was born of a number of high profile corporate scandals involving financial fraud. Whether a compliance and control based approach will be able to stop fraud and scandal, which tend to be committed by people rather than systems and processes, has yet to be proved. To consider that it has shortcomings in some risk management areas is perhaps a little unfair, as it was never designed to address these areas. Nevertheless, it has overall benefited the cause of information risk management by bringing it firmly to the board agenda.
Where it has fallen short is, by grabbing the attention of senior executives as to their personal liability (noting that the penalties under the Act can be more severe than for murder), it has created an industry of its own. This has diverted attention from other risk mitigation activities that may be more important to organisational well-being and survival in the longer term.
- Andy Jones is a consultant with the Information Security Forum, www.securityforum.org INFORMATION SECURITY FORUM
The Information Security Forum (ISF), a global not-for-profit membership organisation, includes over half of the Fortune 100 companies as part of its 260+ membership. The ISF investigates topics of concern to its members and shares good practice among them, funding and cooperating in the development of practical research about information security. Its aim is to provide authoritative, best practice material, along with powerful business-driven methodologies and tools, to reduce the cost involved in developing independent solutions.
The Sarbanes-Oxley Act 2002 has been high on corporate agendas recently, but comparatively little research has been done on the particular implications for information security and associated information risk.
Based on interviews and questionnaires with its members the ISF has published a white paper entitled Sarbanes-Oxley - Implications for information security.
That white paper forms the basis for this article.