
Exactly what is a Sarbanes-Oxley anyhow?

If you read the text of the legislation, you'll see computer security isn't even mentioned. What gives? It turns out you have to read between the lines.

The Sarbanes-Oxley Act of 2002 is the name of a bill passed by the 107th Congress of the United States as a direct response to the abuses uncovered in the Enron scandal. It is affectionately known as "SOX" these days and that is how I will refer to it here. SOX is an attempt by Congress to force corporate executives to take responsibility for their actions. How successful it will be in legislating moral values still remains to be seen.

The American Institute of Certified Public Accountants (AICPA) has a nice Web site devoted to SOX and compliance issues.

At this address, you can find the entire text of the SOX legislation, a sixty-six page document in Adobe Acrobat form. If you're involved in computer security, you owe it to yourself to read it through.

The AICPA also has a wonderfully digested summary available at this same Web site.

This document is worthy of a closer look as it summarizes in a few pages what the SOX legislation is attempting to accomplish. So, don't just listen to what people are telling you about SOX, go out and read it for yourself. I'll stop now while you do this ... come back and pick this up at this point after you're done.

- - - - -

If you're like me, you are now pretty confused. I thought this was about computer security? But, when I read this, even in the nice summary, I don't see anything at all about computer security. In fact, the word "computer" doesn't even appear anywhere in the congressional document. What gives? Well, it turns out that you have to read between the lines.

SOX has three specific sections where computer security issues can come into play and others where it is implied. These three specific sections are 302, 404 and 409 (which I know you're familiar with because you just read them). Remember, the whole objective is to get corporate executives to be responsible for the numbers they report to the public.

Section 302 deals with Corporate Responsibility For Financial Reports. Computer security comes into play here because your executives need to know that your data has not been tampered with. Somebody in your organization, if your company qualifies under the act, is going to have to sign off that the data is accurate and hasn't been tinkered with.

Section 404 deals with Management Assessment Of Internal Controls. Here again, computer security plays a role. Someone up there (maybe even you) is going to have to outline the controls that are in place that are safeguarding your company data and assess how well those controls are working.

Section 409 deals with Real Time Disclosure. On the surface, this doesn't sound like a computer security issue, but your organization is going to be the one providing the numbers, and they have to be accurate and easily available for quick distribution. That means the process that produces the numbers needs to be fully automated and the data protected from accidental or intentional loss. Further, that information cannot be tampered with once issued.

Well, that's a brief look. If you have any questions about anything in this tip, just ask me and I'll give you my best shot. My e-mail address is I can even e-mail you the full SOX legislation document, just ask.

Rich Loeber is president of Kisco Information Systems Inc., in Saranac Lake, NY. The company is a provider of various security products for the iSeries market.

