Corporate Information Security and Privacy Regulation PDF

Summary

This document is Chapter 7 of the textbook 'Legal and privacy issues in information security' by Grama, J. L., published in 2020. The chapter covers corporate information security and privacy regulation, with a focus on the Sarbanes-Oxley Act (SOX). It reviews the creation and influence of the law, covering the Enron scandal, why accurate financial reporting matters, the Public Company Accounting Oversight Board, document retention, and the compliance and security controls that SOX requires.

Full Transcript

© mirjanajovic/DigitalVision Vectors/Getty Images

CHAPTER 7 Corporate Information Security and Privacy Regulation

This chapter focuses on special security issues faced by publicly traded companies. Public companies must comply with a law that tries to improve corporate responsibility and stop fraudulent financial reporting. Rules and regulations created in response to the law affect information systems that process financial data. The rules require that these systems be reviewed to make sure that they appropriately control information security risks and threats to financial data. This chapter reviews why Congress created this law. It also reviews how the law influences information security practices. Finally, it discusses how this law affects other kinds of organizations.

Copyright © 2020. Jones & Bartlett Learning, LLC. All rights reserved.
Grama, J. L. (2020). Legal and privacy issues in information security. Jones & Bartlett Learning, LLC. Created from westerngovernors-ebooks on 2025-02-11 03:47:55.

Chapter 7 Topics

This chapter covers the following topics and concepts:
- How the Enron scandal led to securities-law reform
- Why accurate financial reporting is important
- What the Sarbanes-Oxley Act (SOX) is
- What compliance and security controls are
- How SOX influences other types of companies
- What some corporate privacy issues are
- What some case studies and examples are

Chapter 7 Goals

When you complete this chapter, you will be able to:
- Describe the difference between public and private companies
- Explain the history behind the Sarbanes-Oxley Act
- Discuss the main requirements of the Sarbanes-Oxley Act
- Explain the role of the Public Company Accounting Oversight Board
- Describe how Section 404 internal control requirements impact information security
- Discuss frameworks used to guide Sarbanes-Oxley internal control requirements
The Enron Scandal and Securities-Law Reform

Enron. WorldCom. Tyco. Adelphia. These companies have come to represent a wave of corporate scandal that plagued America in the early 2000s. Each company engaged in varying levels of mismanagement, questionable financial deals, and accounting fraud. The activities at these companies shook investor confidence in U.S. corporations. They also tarnished the reputations of financial services professionals such as analysts, accountants, and auditors. Consider the following:

- Once called the “Most Innovative Company in America,” energy company Enron filed for bankruptcy in December 2001. It used several different fraudulent accounting methods to hide billions of dollars of debt from its investors and lenders.
- Cable company Adelphia filed for bankruptcy in June 2002. In 2004, a federal jury convicted Adelphia’s founder of bank and securities fraud. He was sentenced to 15 years in prison.
- Telecommunications company WorldCom filed for bankruptcy in July 2002. At the time, it was the largest bankruptcy in U.S. history. In July 2005, a federal court sentenced the chief executive officer (CEO) of WorldCom to 25 years in prison for corporate fraud.
- In June 2005, a jury convicted a former Tyco CEO of theft, conspiracy, securities fraud, and falsifying business records. A court in New York sentenced him to between 8 and 25 years in prison. He was ordered to pay restitution and fines of more than $200 million.

The financial mismanagement at these companies contributed to the largest reform in U.S. securities laws since the Great Depression. The Enron bankruptcy is the case that spurred Congress to act. It is important to understand the Enron scandal to appreciate how significant the reform was.
Public Versus Private Companies

A public company is also called a publicly traded company. Many investors own a public company; each investor owns a portion of the company in the form of stock. A stock represents a share of a corporation’s profits or assets. A person’s percentage of ownership in the corporation depends on how many shares of stock he or she owns. Shareholders are entitled to portions of a public company’s profits. Their share, called a dividend, represents each shareholder’s portion of the company’s earnings. People who own more shares of stock receive larger dividends.

Public corporations are allowed to sell stocks and bonds. A bond represents a loan to the corporation for a specified period. The corporation must pay bondholders back the full value of the bond, plus interest. However, a person who owns a corporate bond does not have any ownership in the corporation. Only stocks represent an ownership interest. Stocks and bonds together are called securities.

In the United States, the stock of a public company is traded on a stock exchange. The two most popular U.S. stock exchanges are the New York Stock Exchange (NYSE) and the NASDAQ Stock Market. National securities exchanges are registered with the U.S. Securities and Exchange Commission (SEC). You can learn more at https://www.sec.gov/fast-answers/divisionsmarketregmrexchangesshtml.html.

Almost all securities sold in the United States must be registered with the SEC. To register its securities, a company must file documents about its financial condition with the SEC on a regular basis. Investors review these documents to make informed investment decisions.

A public company is different from a privately held company, which is owned by a small group of private investors. In some cases, the investors all might be members of the same family. A private company does not have to answer to shareholders in the same way that a public company does. A private company distributes its profits to its owners. Private companies do not have to register with the SEC. They also do not have to file documents with the SEC that show their financial position. The largest private companies in the United States include Cargill, Koch Industries, and Albertsons.1

Corporate Fraud at Enron

The Enron case has become a part of American pop culture, as its name is now synonymous with corporate greed and scandal. Nearly 20 years after the scandal, it continues to hold our attention. Enron, which was based in Houston, Texas, formed in 1985 through the merger of two natural gas companies. Kenneth Lay was the CEO of the company. By the mid-1990s, Enron was the leading U.S. natural gas company.

Enron grew quickly because it took advantage of energy market deregulation in the late 1980s. It bought and sold gas and electricity through futures contracts. These investments were initially very successful. As it grew, Enron expanded into other markets. It purchased steel mills, water utilities, and even tried to enter the internet broadband market. It also expanded internationally, pursuing opportunities in England, Mexico, and India.

From 1997 to 2001, Fortune magazine put Enron on its “Most Innovative Companies in America” list.2 In 2000, it named Enron to its “World’s Most Admired Companies” list.3 Enron grew from 7,500 employees in 1996 to more than 20,000 employees in 2001. Its stock was valuable. Enron encouraged its employees to include Enron stock in their retirement portfolios. To the outside world, Enron was a very successful company. Its required filings with the SEC showed that it was making money. It appeared to be able to translate its success in the energy markets to other markets.
Financial analysts continued to recommend Enron stock. Investors continued to buy it. In reality, Enron was struggling. It lost billions of dollars on its international investments. Enron also started to face increased competition in the energy business. It began to lose its market share in energy futures contracts because other energy companies started to use Enron’s own strategies to become profitable. By the late 1990s, Enron was in financial trouble and needed to raise money to meet its operating expenses. However, it did not want to do this in a way that would alarm its investors or alert them to potential trouble, which could cause its stock price to fall. Maintaining a high stock price was important to bring in new investors. It also was critical to maintaining credit lines with banks.

FYI
A futures contract is a contract for the sale of a good. One party agrees to sell the other party an asset at some point in the future. The two parties agree on the future quantity and price for the asset at the time the contract is made. Companies often use futures contracts as an investment tool rather than as an actual contract to supply goods.

Enron executives engaged in several complicated financial transactions to hide its losses. Its chief financial officer (CFO), Andrew Fastow, created several affiliated companies, then hid Enron’s losses in the financial records of these companies. Fastow and other employees who worked with him owned many of these affiliated companies and profited from the transactions between Enron and the affiliated companies. These transactions were very complex and hard to understand because Enron often changed the names of its different divisions. It also moved assets back and forth between divisions.
Many of these transactions violated traditional accounting principles, which are called generally accepted accounting principles (GAAP). GAAP are the rules for the accounting process. Accountants prepare financial statements according to these rules, which are designed to promote accurate accounting records. Enron also mislabeled loans that it received from banks to hide the transactions on its own financial statements so that its investors would not know about them. By some reports, Enron borrowed about $8.6 billion from 1992 to 2001.4 However, it hid these loans from its investors. During this time, Enron filed earnings statements with the SEC that misstated its financial position. The SEC filings were hard to understand. They also showed that Enron appeared to be making money.

In February 2001, CEO Kenneth Lay retired. The new CEO, Jeffrey Skilling, had been instrumental in taking Enron into new trading markets in the 1990s. He and CFO Andrew Fastow oversaw most of Enron’s business practices. In April 2001, many financial analysts began to question Enron’s complicated financial statements.5 Enron, however, continued to portray the image of a successful company. Jeffrey Skilling unexpectedly resigned from the CEO post in August 2001, and the board of directors asked Kenneth Lay to return to Enron as its CEO, which he did.

In October 2001, Enron announced its first ever loss. The SEC noticed this announcement and began to review Enron’s financial statements. Enron also began its own investigation. In late October, the Enron board of directors established a special committee, led by Director William C. Powers, to investigate the affiliated companies created by Fastow.
The report that the committee issued is known as the “Powers Report.”6 In November 2001, Enron announced that it was restating its 1997–2001 financial statements because of accounting errors. This announcement shook investor confidence in Enron, and its stock price began to drop. Banks would no longer issue it credit to meet its operating expenses. At the end of November 2001, Enron stock was worth less than a dollar per share.7

FYI
The Powers Report, released in February 2002, noted that Enron’s executive officers mismanaged many aspects of the company’s business. It also placed blame on Enron’s Board of Directors for failing in its corporate oversight duties. It blamed Enron’s accounting advisor, Arthur Andersen, for failing to provide objective accounting advice. You can read a copy of the report at http://i.cnn.net/cnn/2002/LAW/02/02/enron.report/powers.report.pdf.

On December 2, 2001, Enron filed for bankruptcy. At the time, it was the largest bankruptcy ever. In January 2002, Enron stock was removed from the New York Stock Exchange (NYSE).8 The fallout from the Enron case was enormous. Employees who had invested their retirement savings in Enron stock lost $1.3 billion.9 The accounting firm Arthur Andersen, Enron’s auditor, closed down. The U.S. government prosecuted many of Enron’s top executives for their involvement in its business dealings. Some of these prosecutions were difficult because it was hard to determine which executives were involved in the fraud and which were not. The complexity of Enron’s financial dealings contributed to this difficulty.

CFO Andrew Fastow entered into a plea agreement with the U.S. government. He agreed to testify against Jeffrey Skilling and Kenneth Lay in exchange for a sentence of no more than 10 years in prison. In September 2006, a federal court sentenced him to 6 years in prison. He also paid more than $30 million in restitution.
Fastow was released from prison in December 2011. Enron founder and CEO Kenneth Lay was convicted in May 2006 of fraud and conspiracy. He died of a heart attack in July 2006. The court vacated his conviction after his death because he died before he could appeal. Former CEO Jeffrey Skilling was convicted in 2006 on federal fraud charges. A federal court sentenced him to 24 years in prison. He appealed his conviction to the U.S. Supreme Court, which heard oral arguments in March 2010. On June 24, 2010, the U.S. Supreme Court ruled that the government had improperly applied a law used to convict Skilling and sent the case back to a lower court. In June 2013, Skilling was resentenced to 14 years in prison. He was released from prison in 2019.10

Why Is Accurate Financial Reporting Important?

Enron was one of many large corporate scandals in the early 2000s that shook investor confidence in the U.S. economy. Because of the scope of the fraud and the damage to Enron investors, the U.S. Congress held numerous hearings and committee meetings related to the aftermath of the scandal.11 Enron significantly misstated its financial condition in the financial statements that it filed with the SEC, and its investors lost money because of these fraudulent financial statements.

The Enron scandal showed why accurate financial information is important. Enron was able to sustain itself for at least 5 years because of inaccurate financial reporting. During this period, financial analysts continued to recommend its stock as a good investment. The public and Enron employees invested in it.
However, these people suffered significant losses when Enron’s troubles became public and the company finally declared bankruptcy. Enron duped its investors. By the time everyone knew the truth, it was too late to recover investment losses. Investors thus lost confidence in large public companies.

The financial statements that a company files with the SEC are among the main sources of information that investors use to research that company. These documents help investors determine the true financial condition of a company. After the Enron scandal, the SEC required more information to be reported on these forms. It also required that the accuracy of these forms be certified in several different ways.

Public companies are required to file several financial disclosure statements with the SEC. These forms help investors understand the financial stability of a company. The most commonly filed forms are:
- Form 10-K—Annual report
- Form 10-Q—Quarterly report
- Form 8-K—Current report

A company uses Form 10-K to file its annual report. Federal law requires that publicly traded companies submit these reports each year. Depending on their size, companies must file this report within 60 to 90 days after the end of their fiscal year. The larger a company is, the faster it has to file its report. Form 10-K is a very detailed disclosure of a company’s financial condition. A company must fully describe its business in its 10-K disclosure, explain how it is organized and how it operates, and provide its financial statements. These statements include balance sheets, statements of income and cash flows, and statements of shareholder equity. An independent auditor must audit the company’s financial statements, and the auditor’s report must be included in the Form 10-K filing. In addition, the CEO and CFO of a company, as well as the majority of the company’s board of directors, must sign the company’s Form 10-K.

Form 10-Q is a company’s quarterly report, which is required by federal law. Companies must file these reports after the end of each of their first three quarters in a fiscal year. These reports are usually less detailed than the end-of-year 10-K filing. Depending on their size, companies must file this report within 40 to 45 days after the end of each fiscal quarter.

Companies must file Form 8-K if they experience a major event that could affect their financial condition, because shareholders and investors should know about these events. Companies generally must file a Form 8-K with the SEC within four business days of a major event.12 This period is shortened in some instances. For example, a company must file Form 8-K with the SEC immediately if it becomes aware of insider trading activities. General events that trigger a Form 8-K disclosure requirement include:
- Filing for bankruptcy
- Selling off significant assets
- Acquiring another company
- Getting a loan
- Board member resignation
- Board member elections
- Any changes to board governance documents

FYI
A company’s two main financial documents are its balance sheet and its profit and loss statement. The balance sheet provides a summary of the company’s financial condition at a certain point in time. It is commonly prepared on a monthly basis. A profit and loss statement is used to determine whether a company made a profit during a certain period.

People need accurate financial information so that they can invest wisely and make money. Therefore, the SEC recommends that potential investors carefully review a company’s prospectus and financial reports.
You can read the SEC’s list of information that investors should review before investing at http://www.investor.gov. The benefit of reviewing information from several different sources is that an investor can get a better picture of a company’s financial condition. It can be very hard for investors to detect fraud, as was the case in the Enron scandal. Therefore, the SEC recommends that investors look for potential red flags as they review a company’s financial condition. Red flags include companies that have high-value assets but low revenues. They also include odd items listed in the footnotes of the company’s financial statements. Both of these red flags were present in the Enron scandal.

The Sarbanes-Oxley Act of 2002

Congress passed the Public Company Accounting Reform and Investor Protection Act in 2002.13 More commonly known as the Sarbanes-Oxley Act of 2002, it is called SOX or Sarbox in many resources. The Act was named after its sponsors, Senator Paul Sarbanes of Maryland and Representative Michael Oxley of Ohio. It was passed in response to corporate scandals such as Enron, WorldCom, and Adelphia. SOX made extensive changes to the Securities Act of 1933 and the Securities Exchange Act of 1934.

SOX moved through both the U.S. House of Representatives and the Senate at a quick pace. It was originally introduced in the U.S. House of Representatives in February 2002, just months after the Enron scandal became public. On July 25, 2002, both the House and Senate voted on the final version of SOX. President George W. Bush then signed SOX into law on July 30, 2002.
As he signed it, he called SOX “the most far-reaching reforms of American business practices since the time of Franklin Delano Roosevelt.”14

Purpose and Scope

Congress hoped that SOX reforms would prevent another Enron scandal. The main goal of SOX was to protect shareholders and investors from financial fraud. SOX increased corporate disclosure requirements and created strict penalties for violations of its provisions.

NOTE
A company uses a prospectus to describe the securities that it offers for sale. The prospectus describes the company’s business plan.

SOX has 11 different titles. They are:
- Public Company Accounting Oversight Board (Title I)—Establishes the Public Company Accounting Oversight Board (PCAOB). The PCAOB oversees the firms that audit public companies.
- Auditor Independence (Title II)—Forbids auditors from providing some types of non-audit services to their audit clients.
- Corporate Responsibility (Title III)—Requires corporations to create audit committees on their boards of directors. The audit committee is responsible for hiring the corporation’s outside auditors.
- Enhanced Financial Disclosures (Title IV)—Increases the amount of information that public companies must provide in their SEC filings. This title requires companies to report on the internal controls that affect their financial reports.
- Analyst Conflicts of Interest (Title V)—Establishes rules to make sure that securities analysts can give independent opinions about a public company’s stock risk.
- Commission Resources and Authority (Title VI)—Gives the SEC authority to discipline investment firms for unprofessional conduct. This title also gives the SEC additional funding to support its programs.
- Studies and Reports (Title VII)—Requires a series of studies and reports on the public accounting industry and on how the securities markets operate.
- Corporate and Criminal Fraud Accountability (Title VIII)—Imposes document retention requirements on companies and auditors. It protects whistleblowers and bans retaliation against employees who participate in fraud investigations. This title also imposes criminal penalties for violating SOX.
- White-Collar Crime Penalty Enhancements (Title IX)—Requires CEOs and CFOs to certify that the company’s financial reports fairly represent its financial condition. It creates criminal penalties for signing fraudulent statements.
- Corporate Tax Returns (Title X)—Is a statement from Congress that strongly suggests that a CEO sign the federal income tax return of a corporation.
- Corporate Fraud and Accountability (Title XI)—Establishes criminal liability for certain types of fraud committed by corporate officers. It also increases penalties for some types of corporate crime.

SOX supplements existing federal securities laws. It applies to publicly traded companies that must register with the SEC. This includes international companies that trade stock on U.S. stock exchanges. However, SOX does not apply to privately held companies.

NOTE
A small public company is a company with less than $75 million of public stock.

Main Requirements

SOX is a very detailed act with many provisions. This chapter focuses on the parts of the act that have had the most impact on information technology (IT) functions. When SOX was first enacted, many companies assumed that it did not have any IT components. Congress did not mention IT anywhere within the act. This opinion changed as companies began to review their SOX compliance requirements.
Many SOX provisions require companies to verify the accuracy of their financial information. Because IT systems hold many types of financial information, companies and auditors quickly realized that these systems were in scope for SOX compliance. That meant that how those systems are used, and the controls used to safeguard them, had to be reviewed. The relationship between IT and SOX compliance continues to evolve.

This section reviews the SOX provisions that have an IT impact. First, it reviews the PCAOB, which creates standards that auditors must follow when reviewing the activities of public companies. These standards help auditors determine the IT controls that they must review. The creation of the PCAOB is one of the most notable SOX reforms. Second, it reviews SOX provisions that affect records management functions. These provisions have an impact on IT operations because of the vast amount of data that is stored electronically, and they affect how IT systems are configured. Finally, SOX requires the executive management of a company to certify that there are controls in place to protect the accuracy of company information. This is the area where SOX compliance has caused the biggest challenge for companies and IT professionals.

Public Company Accounting Oversight Board

Before the creation of SOX, auditors and accountants belonged to a self-regulating profession. A profession is self-regulating when it creates and enforces its own rules of conduct. Federal and state laws place few oversight requirements on members of self-regulating professions. An attorney is a common example of a member of a self-regulating profession. Attorneys must meet minimum state law requirements to become licensed.
After that, their professional behavior is largely judged by commissions made up of other attorneys who enforce rules of professional conduct. The profession itself determines what these rules of professional conduct should be.

FYI
Information security professionals belong to a largely self-regulating profession. This is especially true when information security professionals obtain certifications that require the certificate holders to follow a code of conduct.

The Enron scandal proved that self-regulation does have some drawbacks. Enron’s accounting firm, Arthur Andersen, provided it with accounting, auditing, and consulting services. Enron was a large Andersen client that paid Andersen $52 million for auditing and consulting services in 2001.15 Even the Powers Report noted that there was a lack of critical advice from its auditors at Arthur Andersen in reviewing Enron’s publicly filed financial statements.16 This may have been because Arthur Andersen was reluctant to challenge such an important client.

Congress created the PCAOB to provide a layer of government oversight on auditing activities. The PCAOB, which oversees the audits of public companies, was created to ensure that audit reports for public companies are fair and independent. Under SOX, the PCAOB has several duties.17 It must:
- Register accounting firms that prepare audit reports for public companies.
- Establish standards for the preparation of audit reports.
- Conduct inspections of registered public accounting firms.
- Conduct investigations and disciplinary proceedings against registered public accounting firms.
- Perform other duties or functions necessary to carry out SOX.
- Enforce SOX compliance.
- Set a budget for the PCAOB, and manage its operations.
The PCAOB has five members. The SEC selects these members and appoints them to staggered terms. The SEC can remove PCAOB members if needed. PCAOB members are to be “individuals of integrity and reputation who have a demonstrated commitment to the interests of investors and the public.”18 They must be financially literate, meaning that they must be able to understand financial statements. Exactly two members of the PCAOB must be or have been certified public accountants (CPAs); the remaining three members cannot be. Furthermore, members of the PCAOB are not allowed to have any financial interest in an accounting firm. FIGURE 7-1 shows the structure of the PCAOB.

FIGURE 7-1 PCAOB structure.

NOTE
You can learn more about the role of the PCAOB by visiting its webpage at http://pcaobus.org.

FYI
The SEC believes that a single set of globally accepted accounting principles will benefit U.S. companies. Therefore, it is evaluating whether it should adopt the International Financial Reporting Standards (IFRS), created by the International Accounting Standards Board. You can learn about IFRS at http://www.ifrs.com/ifrs_faqs.html. The SEC has studied the IFRS extensively and compared them with U.S. accounting principles. Although the SEC has not approved IFRS for use by U.S. public companies, interest in a global framework for financial reporting remains.19

One of the main functions of the PCAOB is to set standards for how auditors review public companies.
It has created standards related to auditing, ethics and independence, quality control, and attestation, all of which must be approved by the SEC. The PCAOB bases many of its standards on GAAP, the principles established by the Financial Accounting Standards Board (FASB). The SEC has recognized GAAP as authoritative and requires financial statements to be prepared in accordance with GAAP.

The PCAOB’s Auditing Standard 2201 provides guidance on how an auditor performs an audit of a company’s internal control over financial reporting (ICFR). This standard addresses how to audit controls applied to a company’s IT systems and processes where those systems and processes affect the production of the company’s financial reports. The standard specifies a top-down approach that can limit the scope of review of IT systems. The standard also directs auditors to focus their review on the areas of highest risk. In 2019, the PCAOB reported that auditors need to be aware of cybersecurity incidents at the companies that they audit. This is because the integrity of the data generated by the company’s IT systems could be compromised by a cybersecurity incident. If the data generated or processed by the IT systems is not accurate, then the company’s financial statements could contain errors.20

NOTE
At the end of 2019 there were over 7,000 U.S. public companies. The market value of their stock was over $45 trillion.21

Document Retention

SOX contains some records retention provisions. It is important to know about them because companies store many of their records electronically; in fact, some studies estimate that 93 percent of all business documents are created and stored electronically.22 Companies must understand how their IT systems work in order to meet SOX retention requirements.
SOX requires auditors to keep audit work papers for 7 years.[23] Work papers are the documents used in an audit that support the conclusions made in the audit report. SOX takes a very broad view of the records that must be saved: work papers, memoranda, correspondence, and any other records created, sent, or received in connection with the audit, whether on paper or in electronic form.

SOX also requires a public company to retain the records and documentation it uses to assess its ICFR. (These controls are discussed in the next section.) SEC guidance recognizes that this documentation takes several different forms, including electronic data. Companies must permanently retain this information.

Is the PCAOB Constitutional?

The constitutionality of SOX was challenged soon after it was enacted, in a case called Free Enterprise Fund and Beckstead and Watts v. Public Company Accounting Oversight Board. The Free Enterprise Fund, a public interest organization, and Beckstead and Watts LLP, an accounting firm, filed the case in 2006. The plaintiffs argued that SOX is unconstitutional, and in particular that the PCAOB's creation and operation violate the constitutional separation of powers doctrine. Their reasoning was that the PCAOB is an executive branch agency over which the president has virtually no control. Under SOX, the SEC alone appoints PCAOB members, and those members can be removed only for cause, and only by the SEC. Neither the president nor even the SEC has much authority over PCAOB members once they are appointed.
The plaintiffs argued that this arrangement violates the section of the Constitution that gives the president the power to appoint and remove officers of the executive branch, and that Congress may not set up a structure that bypasses the president's authority.

The case was filed in the U.S. District Court for the District of Columbia, which granted summary judgment for the PCAOB and upheld the constitutionality of SOX. In August 2008, the U.S. Court of Appeals for the D.C. Circuit affirmed that decision. The U.S. Supreme Court heard arguments on December 7, 2009, and issued its decision in June 2010. The Court found that the PCAOB's structure did violate the separation of powers doctrine: because SEC commissioners can themselves be removed by the president only for cause, PCAOB members were insulated from the president by two layers of for-cause protection. Rather than strike down SOX or the PCAOB, however, the Court severed the for-cause removal restriction and held that the rest of SOX remains good law and that the PCAOB may continue to function. The practical effect is that the SEC can now remove PCAOB members at will, for any reason, instead of only for cause. You can view the Supreme Court's decision in the Free Enterprise case at https://www.supremecourt.gov/opinions/09pdf/08-861.pdf.

In 2010, the Dodd-Frank Wall Street Reform and Consumer Protection Act expanded the role of the PCAOB. The Act gave the PCAOB oversight of the audits of brokers and dealers, including the power to conduct inspections, bring enforcement actions, and set standards in that area.[24]

FYI
Many federal and state laws contain records retention requirements, and SOX is another law to add to that list. Organizations should develop document retention policies to help them track their different obligations. The penalties for failing to retain records for the right amount of time can be severe.
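The FYI above recommends a document retention policy. The following Python code is an added example, not part of the textbook, showing how a retention schedule with the periods this section describes (7 years for audit work papers, permanent retention for ICFR assessment documentation) can be enforced mechanically rather than by hand. It also shows the check a practitioner cares about most: a legal hold that blocks destruction of any record tied to an investigation, no matter how old it is. The record classes, the idea of a single "trigger date" that starts the retention clock, the 3-year general-business period and the sample inventory are all assumptions made for illustration, not requirements taken from SOX.

```python
"""Added example: enforcing a SOX-style records retention schedule.

Not from the textbook. The 7-year and permanent periods follow the chapter;
the record classes, trigger-date semantics and the 3-year general-business
period are illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, Iterable, List, Optional


class RecordClass(Enum):
    AUDIT_WORKPAPER = "audit_workpaper"    # SOX: keep for 7 years
    ICFR_ASSESSMENT = "icfr_assessment"    # SEC guidance: keep permanently
    GENERAL_BUSINESS = "general_business"  # assumed class; period set by policy


# Retention period in years per class; None means permanent retention.
# 7 and None come from the chapter text; 3 is an assumed policy value.
RETENTION_YEARS: Dict[RecordClass, Optional[int]] = {
    RecordClass.AUDIT_WORKPAPER: 7,
    RecordClass.ICFR_ASSESSMENT: None,
    RecordClass.GENERAL_BUSINESS: 3,
}


class Disposition(Enum):
    RETAIN = "retain"                      # inside retention period, or permanent
    HOLD = "hold"                          # legal hold: destruction is forbidden
    DESTROY = "eligible_for_destruction"   # retention period has expired


@dataclass
class Record:
    record_id: str
    record_class: RecordClass
    trigger_date: date        # assumed: the date that starts the retention clock
    legal_hold: bool = False  # set when the record relates to an investigation


def add_years(d: date, years: int) -> date:
    """Advance a date by whole years, clamping Feb 29 to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(record: Record) -> Optional[date]:
    """First date on which the record may be destroyed; None if permanent."""
    years = RETENTION_YEARS[record.record_class]
    if years is None:
        return None
    return add_years(record.trigger_date, years)


def disposition(record: Record, today: date) -> Disposition:
    """Decide what to do with one record as of `today`.

    The legal-hold check comes first: a record under hold is never
    destruction-eligible, however long it has been kept.
    """
    if record.legal_hold:
        return Disposition.HOLD
    end = retention_end(record)
    if end is None or today < end:
        return Disposition.RETAIN
    return Disposition.DESTROY


def run_disposition(records: Iterable[Record], today: date) -> Dict[str, List[str]]:
    """Group record IDs by outcome. The DESTROY list doubles as the
    destruction log a company keeps to show records were disposed of on
    schedule rather than tampered with."""
    result: Dict[str, List[str]] = {d.value: [] for d in Disposition}
    for r in records:
        result[disposition(r, today).value].append(r.record_id)
    return result


# Constructed sample inventory (not real records).
SAMPLE_RECORDS = [
    Record("wp-fy2016", RecordClass.AUDIT_WORKPAPER, date(2016, 2, 29)),
    Record("wp-fy2019", RecordClass.AUDIT_WORKPAPER, date(2019, 12, 31)),
    Record("wp-fy2012", RecordClass.AUDIT_WORKPAPER, date(2012, 6, 30), legal_hold=True),
    Record("icfr-fy2005", RecordClass.ICFR_ASSESSMENT, date(2005, 12, 31)),
    Record("memo-2015", RecordClass.GENERAL_BUSINESS, date(2015, 1, 1)),
]

if __name__ == "__main__":
    for outcome, ids in run_disposition(SAMPLE_RECORDS, date(2024, 3, 1)).items():
        print(f"{outcome}: {ids}")
```

Run as a script it prints the three buckets for 1 March 2024: the 2019 work papers and the ICFR documentation are retained, the 2012 work papers stay under hold even though their 7 years have long passed, and the 2016 work papers and the 2015 memo are eligible for destruction. In a real deployment the DESTROY list would drive a documented wipe of the electronic copies, and the hold flag would be set by legal counsel, never by the retention job itself.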
SOX makes it a crime for a person or company to knowingly and willfully violate its records retention provisions. A person who violates this provision can be fined and imprisoned for up to 10 years. SOX also makes it a crime for any person to alter, destroy, or conceal a record with the intent to obstruct a federal investigation.[25] Unlike most of SOX, this provision is not limited to public companies; it applies to any organization, and private companies must follow it too. People who violate this section can face fines of up to $10 million, as well as up to 20 years in prison.

Companies must therefore store electronic records properly so that they can satisfy SOX retention requirements. They must keep the records for the right amount of time, and they must make sure that those records are destroyed properly, and only after the retention period expires.

Certification

SOX requires companies to report accurate financial data to protect their investors from harm. To encourage accurate reporting, SOX requires a company's CEO and CFO to certify the company's SEC filings. The certification provisions require these executives to establish, maintain, and review certain types of internal controls for their company.

Disclosure Controls. SOX Section 302 requires CEOs and CFOs to certify a company's SEC reports. The purpose of the certification is to put executive management on notice of the company's financial condition, and the SEC can hold a CEO or CFO liable for submitting inaccurate financial reports. It makes sense that both the CEO and the CFO must make these certifications, because they are the officers most knowledgeable about the company's finances and overall condition. A certification attests to the truth of certain facts.
The SEC requires the certification to be included on several different forms, such as a company's Form 10-Q and Form 10-K reports. (It does not need to be included on Form 8-K.) Under the law,[26] the CEO and CFO each must certify that:[27]

- They have reviewed the report.
- The report does not contain untrue or misleading statements about the company.
- The financial statements fairly present the company's financial condition.
- They are responsible for establishing and maintaining disclosure controls and procedures designed to bring material information about the company to their attention, and they have evaluated the effectiveness of those controls within the 90 days before the report is filed.
- They have disclosed all significant deficiencies in the company's internal controls to the company's auditors and audit committee.
- The report indicates whether there have been significant changes in the internal controls since they were last evaluated.

The controls required under Section 302, called disclosure controls, are very broad. They are the processes and procedures a company puts in place to make sure that it makes timely disclosures to the SEC; they are how management stays informed about the company's operations. These controls must capture any change in information that affects company resources and bring events to the executives' attention so that they can be reported to the SEC.

Disclosure controls are different from SOX internal controls. Internal controls are the processes and procedures a company uses to provide reasonable assurance that its financial reports are reliable; the next section reviews them. Internal controls address only the processes that protect the reliability of financial reports, whereas disclosure controls are broader.
They include internal controls.[28] FIGURE 7-2 shows the relationship between disclosure controls and internal controls.

FIGURE 7-2 Relationship between disclosure controls and internal controls.

SOX Section 906 imposes criminal liability for fraudulent certifications. Under this section, a CEO or CFO who knowingly certifies a fraudulent report may be fined up to $1 million and imprisoned for up to 10 years. An officer who willfully makes a fraudulent certification may be fined up to $5 million and imprisoned for up to 20 years.[29]

Internal Controls. SOX Section 404 requires a company's executive management to report on the effectiveness of the company's ICFR.[30] Management must make this report each year in the company's Form 10-K filing. Under this section, management must design, document, and test ICFR. After management makes its yearly report, the company's outside auditors must review it and attest that the ICFR are effective. This section has caused compliance headaches for IT professionals.

Under SEC rules, ICFR are processes that provide reasonable assurance that financial reports are reliable.[31] ICFR provide management with reasonable assurance that:

- Financial reports, records, and data are accurately maintained.
- Transactions are prepared according to GAAP rules and are properly recorded.
- Unauthorized acquisition or use of data or assets that could affect financial statements will be prevented or detected in a timely manner.

SOX does not define reasonable assurance. The SEC and PCAOB recognize that reasonable assurance does not mean absolute assurance.[32] It is, however, a high level of assurance, one that satisfies management that the ICFR are effective.
Management must be confident that these controls protect the financial reporting mechanisms.

The SEC requires management to use evaluation criteria established by recognized experts to review the company's ICFR and help ensure that they are effective. The SEC has recognized one specific framework as meeting its requirements: the COSO Framework. The Committee of Sponsoring Organizations (COSO) of the Treadway Commission first published its “Internal Control—Integrated Framework” in 1992 and revised it in 2013. Many U.S. businesses use this framework to assess their internal control systems.[33]

NOTE
SOX has no specific requirement that cybersecurity risks and incidents be disclosed. However, the SEC has issued guidance that an organization may need to disclose cybersecurity risks and incidents to ensure that its other required disclosures are not misleading.[34] For example, it must disclose its cybersecurity risks if they are material, that is, significant enough to affect a reasonable investor's decision about the organization.

What Is COSO?

COSO was established in 1985 to identify the factors that contribute to fraudulent financial reporting. Five U.S. financial organizations sponsored it: the American Accounting Association, the American Institute of Certified Public Accountants (AICPA), Financial Executives International, the Institute of Internal Auditors (IIA), and the Institute of Management Accountants. COSO is a nonprofit organization. Since 1987, COSO has recognized the need for ICFR. It released its first guidance on internal controls, the “COSO Internal Control—Integrated Framework,” in 1992.
The COSO Framework says that internal controls are effective when they give a company's management reasonable assurance that:

- It understands how the entity's operational objectives are being achieved.
- Its published financial statements are being prepared reliably.
- It is complying with applicable laws and regulations.

The COSO Framework was updated in 2013 because the business environment had grown more complex since the framework was first issued, and one of the main contributors to that complexity is the use of IT in business. The framework has five components that an organization can use to review its IT profile:

- Control environment—The organization's culture. Control environment factors include management philosophy and the competence of the organization's people. The control environment is the foundation for the other components of the framework. With reference to IT, the organization should understand how technology is used within the business.
- Risk assessment—The identification and review of risks that are internal and external to the organization. Does the organization understand the risks to its technology environment?
- Control activities—How policies and procedures are followed throughout the organization. Has the organization implemented information security controls to mitigate the risks to its technology environment?
- Information and communication—How the organization communicates internally to its employees and externally to outside parties, and how its information systems store and generate data. Does the organization have mechanisms for communicating about risks and potential information security events that affect its systems?
- Monitoring—How the organization monitors its internal control systems. Does the organization monitor its information security controls and update them when needed?
You can learn more about COSO's “Internal Control—Integrated Framework” by visiting its website: https://www.coso.org/Pages/default.aspx.

SOX Section 404 compliance is not easy. The section is very general about the types of ICFR that companies must implement: it does not define ICFR well, and it does not address IT controls at all. In 2007, in response to many complaints about the large scope of a Section 404 review, much of it concerning how to treat IT controls, the SEC issued additional guidance to help companies assess ICFR. The guidance states two broad principles:

- Management should assess how its internal controls prevent or detect material misstatements in the financial statements.
- Management should perform a risk-based review of the effectiveness of those controls.

The SEC also said that management should use its judgment to limit the scope of a Section 404 review, and it reminded companies that SOX applies only to internal controls, including IT controls, that affect financial reporting.[35] Management must review general IT controls, such as the controls over access to systems and data, over changes to programs, and over day-to-day operations, to make sure that the IT systems that feed financial reporting operate properly and consistently. Those controls must give management reasonable assurance that the systems work as intended and so protect financial reporting.

TABLE 7-1 shows how the goals of ICFR match up with information security goals.

TABLE 7-1 Internal Controls and Information Security Goals

| Steps taken to meet internal controls | Information security goals |
| --- | --- |
| Financial reports, records, and data are accurately maintained. | Integrity |
| Transactions are prepared according to GAAP rules and properly recorded. | Integrity, availability |
| Unauthorized acquisition or use of data or assets that could affect financial statements will be prevented or detected in a timely manner. | Confidentiality, integrity, availability |

It is clear today that management's review of an organization's ICFR must include a review of IT controls as well. Although the COSO Framework does not specifically address the types of IT controls an organization should implement, it does offer guidance on how to address IT risk. Orga
