Sarbanes-Oxley

The Sarbanes-Oxley Act of 2002 serves to protect investors and workers from corporate accounting fraud. The Act applies to any company making public filings. Sections of the act cover accounting reporting and oversight, executive reporting, and internal information flow. STEALTH – ISS®’s extensive background in technical control architecture and security implementation provides our customers with the best tools to approach their Sarbanes-Oxley compliance needs.

Regulatory Breakdown
The Sarbanes-Oxley Act of 2002 introduced tighter financial disclosure requirements, improved whistle-blower processes, and, in its most publicized provisions, personal accountability for the principal executive and financial officers (CEO and CFO). SOX requires these officers to certify the company's periodic financial reports and imposes personal civil and criminal penalties for false certification. Meeting these requirements demands both technology and a lasting change in the human procedures and routines that surround financial data.

SOX applies to all institutions under the jurisdiction of the Securities and Exchange Commission (SEC). Section 404 makes no distinction between domestic and foreign issuers, so foreign filers are expected to meet the same Section 404 requirements. Sanctions enforced by the SEC range from monetary penalties and de-listing from the exchanges to referral for criminal prosecution, including imprisonment. The compliance deadlines for the internal-control requirements of Sarbanes-Oxley were phased in according to market capitalization and filing status.

Sarbanes-Oxley Section 404 requires management to assess the internal controls over financial reporting, which necessarily includes the IT controls supporting the systems that produce financial data. Information technology departments, internal and external audit teams, and management must develop a working relationship to ensure these controls are deployed across all required areas. As stated previously, organizations must certify the information they disclose, and that certification rests on internal controls that adequately assure the integrity of the underlying data. In addition, the company's external auditor must attest to management's assessment of the internal controls designed to protect the integrity and confidentiality of that information.

The Health Insurance Portability and Accountability Act (HIPAA) has a different goal: to enable the movement of health information among health-related organizations in a protected manner. It includes stringent privacy and security protections, including limits on the sharing of health information and safeguards such as encryption. HIPAA applies to US healthcare providers, health insurers, and their business associates. If your organization, a financial institution included, sponsors an employee health care plan, HIPAA applies to that plan as well.

The Administrative Simplification provisions of HIPAA mandate national privacy and security standards to protect an individual's health information, while permitting appropriate access to and use of that information by healthcare providers, clearinghouses, and health plans.

IT Governance

Entities covered by these regulations must:

  • Implement a comprehensive IT Controls program for all systems involved with financial reporting.
  • Ensure that systems meet the control objectives of an appropriate control framework so that the integrity and validity of the financial data are assured.
  • Properly address and remediate all IT Internal Controls through adequate risk assessments, gap analysis, and compliance validation efforts.
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of the information.