The Sarbanes-Oxley (SOX) Act was enacted to curb corporate fraud and restore investors' confidence in the integrity of corporations and their executives. Because of SOX, companies' paperwork has increased manifold, since the law requires detailed documentation rather than proactive detection and prevention of fraud. Examples of both its effectiveness and ineffectiveness are given below:
Section 404 mandates that management assert, and independent auditors attest, that effective internal controls are applied to financial reporting. However, the Jumpstart Our Business Startups (JOBS) Act of 2012 contains provisions that eliminate this requirement.
The most important part of the act concerns the performance of the auditors. Earlier, auditing standards were set by the industry itself, but SOX established the PCAOB (Public Company Accounting Oversight Board), an independent body that sets the practice standards for auditing firms. This has improved auditing standards.
The five components of the COSO framework for internal controls are Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring. Of these, the control environment is the most critical, as it deals with integrity, ethical values, and commitment, especially on the part of management and the executives. The disasters at WorldCom and NASA could not have happened with a sound control environment: in these and all the other scandals, it was not the lack of other internal controls that caused them but the lack of a control environment, which led management to choose a particular course of action, including overriding the other internal controls.
COBIT and ITIL
COBIT 5 has five domains and thirty-seven processes under two areas: governance and management. The Evaluate, Direct, and Monitor (EDM) domain falls under Governance of Enterprise IT and is the most important of the COBIT domains, as it evaluates stakeholder needs, directs priorities and decision-making, and monitors performance, compliance, and progress against the direction agreed upon earlier.
Many ITIL concepts, such as the financial management processes, do not align with SOX because they do not provide for auditing; however, the concepts that are helpful for SOX compliance are change management and control, software configuration, asset management, and security management. Of these, security management is an important concept, as it describes how information security fits into the management organization.
Cryptography
Symmetric encryption uses the same key for both encrypting and decrypting the data, so the data owner has to share the key with the users. It performs well, is simple and fast to use, and is generally preferred, but revoking the keys of users who no longer need the data creates problems, because the data has to be re-encrypted and the keys distributed again. Asymmetric encryption uses two keys: a public key (known to everybody) and a private key (known only to the owner). A message encrypted with the public key can be decrypted only with the private key. This is a very resource-intensive and slow process, so it is used not for large data but for small amounts of data. The best option is to encrypt the data with a symmetric key and exchange that key using asymmetric encryption. Symmetric encryption provides confidentiality, while asymmetric encryption solves the key distribution and scalability problems associated with symmetric encryption.
For U.S. companies, the Data Protection Act, HIPAA, and various other acts mandate that the personally identifiable, financial, or health data of customers and employees must be protected. Similar laws exist in almost all countries. The best way to ensure the confidentiality of the data is to use encryption; failing that, the company faces legal liability, which could lead to heavy penalties, incarceration, or both, and may result in the closure of the business.