Sunday, May 6, 2012

Sarbanes-Oxley (SOX)

SOX affects information security; the two sections of the act below are the ones most relevant to it:

Section 302: Corporate responsibility for financial reports

Section 302 states that the Chief Executive Officer (CEO) and Chief Financial Officer (CFO) must personally certify that financial reports are accurate and complete. They must also assess and report on the effectiveness of internal controls around financial reporting.


Section 404: Management assessment of internal controls

Section 404 states that a corporation must assess the effectiveness of its internal controls and report this assessment annually to the SEC. The assessment must also be reviewed and judged by an outside auditing firm.


Public Company Accounting Oversight Board (PCAOB)

The role of the PCAOB is to oversee and guide auditors as they assess a company's compliance with SOX.
The PCAOB's "Proposed Auditing Standards" provide more detailed guidance for assessing compliance with the intent of SOX. Information technology (IT) general controls form the foundation for many other types of financial reporting controls and, therefore, must be assessed for SOX.

COSO & COBIT

For the purpose of internal control guidance, the PCAOB has selected a control framework created by the Committee of Sponsoring Organizations (COSO). The COSO framework provides a structured and comprehensive set of guidelines for creating and implementing internal controls.

The Information Technology Governance Institute (ITGI) is a group created to assist corporations with governing their IT and ensuring that IT efficiently supports the business mission and goals. ITGI has used COSO and COBIT to create a set of specific IT control objectives for SOX.

References

http://pcaobus.org

http://www.coso.org/default.htm
http://www.isaca.org/