Information Security, ISO27001 and SOX
The Sarbanes-Oxley Act of 2002 (SOX), introduced in the United States in the aftermath of Enron, has important information security implications for US exchange-listed enterprises. It applies to all Securities and Exchange Commission (SEC)-registered ‘accelerated filers’, irrespective of where their trading activities are geographically based. Compliance is mandatory and there are significant potential sanctions for individual directors.
SOX specifically focuses on the accuracy of a company's financial records and the controls related to income, expenses, accounting, liabilities, and so on. Information security is a fundamental component of SOX compliance because the Public Company Accounting Oversight Board (the PCAOB, created to define auditing standards) issued Auditing Standard No. 2. This states that senior management is responsible not only for financial information but also for the way that information is generated, accessed, collected, stored, processed, and transmitted, and that this responsibility can only be discharged with effective IT systems controls.
ISO27001 provides an independent, internationally recognized best-practice framework for achieving these objectives.
There are really two broad groups of IT systems control activities that organizations need to consider:
- general controls, and
- application controls.
General controls are those controls which ensure that the financial information from a company’s application systems can be relied upon. General controls exist most commonly as part of an Information Security Management System (such as that identified in ISO27001/ISO17799).
Application controls are embedded in the software to detect or prevent unauthorized transactions. Such controls can be used to ensure the completeness, accuracy, validity and authorization of transactions.
‘[I]nformation technology general controls over program development, program changes, computer operations, and access to programs and data help ensure that specific controls over the processing of transactions are operating effectively’.
Auditing Standard No. 2 (paragraph 52) requires evaluation of the effectiveness of company-level controls at the outset of the audit engagement, on the basis that it is the company-level controls that have such a ‘pervasive impact on controls at the process, transaction or application level’. These company-level controls include consistent policies and procedures and codes of conduct. The auditing standard specifically refers to the existing standard, Consideration of Internal Control in a Financial Statement Audit, issued by the AICPA in 1990, because it sets out clearly the effect of information technology on internal control over financial reporting.
ISO 27001 is the world's best-practice approach to cost-effectively achieving an adequate information technology internal control framework.