Do you know your obligations for setting and testing internal controls on your financial reporting under the US Sarbanes-Oxley Act? Fiona Williams, a partner in Deloitte Touche Tohmatsu Security Services, answers readers' questions.
Q I work for a security supplier and when I ask customers if they routinely perform vulnerability scans, they say the reports are too long and it's not effective. The ignorance is bliss attitude seems to pervade security management. I tell customers that Sarbanes-Oxley makes them liable for vulnerabilities, but either they don't believe it or don't seem to care. Can you offer me any advice?
A Work with your customers to understand their overall control approaches and which key controls they rely on to mitigate security risks. If a company has to comply with Sarbanes-Oxley, it should have started this process, and will have documented and tested its controls. The company's auditors will review and test the adequacy of the controls. You may be able to help the company automate those controls, using your tools to help mitigate risk.
Q To what extent does information security risk assessment (as opposed to compliance testing) need to be incorporated into controls evaluation as a part of Sarbanes-Oxley certification? Is it enough to identify appropriate controls and frequency of testing, and assess the adequacy of those controls? Or does the risk assessment have to take into consideration the impact of adverse events and the likelihood of such events taking place? Are there any guidelines on the granularity of assessments and methodologies (qualitative versus quantitative), depending on factors such as inherent risk?
A Sarbanes-Oxley requires companies to perform a risk assessment on their internal controls over financial reporting. The risk assessment on information security needs to cover only the integrity of financial information. But there are numerous factors to consider, such as inherent risk, and you should involve your auditor in these discussions to ensure you are doing the appropriate work.
Q Do we have to retain electronic records such as e-mail and voicemail? If so, for how long?
A Record retention is a hot topic because of Sarbanes-Oxley, but there have always been regulations on the retention of e-mail and other communications. A recent study indicated that fewer than 50 percent of companies kept critical e-mails. Ask your lawyers to explain how your company is affected.
Q Do any publications discuss specific requirements for corporate security departments under Sarbanes-Oxley? We would like to clarify definitive criteria for investigation and physical security controls.
A I am not aware of any such publications, but you could refer to the Isaca publication and the Cobit framework for guidance.
Q We have defined our internal key controls using the Coso framework. Can you offer any reference documentation we can use to understand how deeply our controls will be tested by our external auditors, specifically the general IT controls and security?
A Management needs to do its own testing and assessment of the effectiveness of internal controls over financial reporting. Your external auditors will then independently test the controls to ensure that they work as stated by management. Testing typically combines corroborative inquiry, observation and reperformance of a selection of control procedures. It is not possible to offer guidance on exactly which controls will be tested - that will depend on the management's risk assessment. Your question underlines the importance of communicating early and often with external auditors to make sure they are satisfied with internal testing.
Written by CSO
This was first published in August 2004