Today is the federally mandated deadline for investment companies and other publicly traded firms to comply with the internal control requirements of the Sarbanes-Oxley (SOX) Act of 2002. However, it appears many companies might miss the deadline.
Under terms of the SOX law, otherwise known as the Public Company Accounting Reform and Investor Protection Act, the U.S. Securities and Exchange Commission can impose heavy penalties on corporations that fail to comply.
Industry watchers reported last week that many firms were racing against the clock to comply with today’s deadline.
According to news accounts posted on the Sarbanes-Oxley Web site over the weekend, financial companies are in disarray on the compliance issue.
One item cited on the Web site quoted a Bloomberg News report that PricewaterhouseCoopers expects 80 percent of its clients will probably miss today’s deadline for certifying financial controls. PricewaterhouseCoopers is the third-largest accounting firm in the United States.
Greg Murphy, CEO of wireless security firm AirWave, which is one company that has been working with corporations to get them into compliance by the deadline, said the law was designed to make companies accountable for the security of the data on their networks. It makes the corporations’ management responsible for establishing internal controls to ensure the security of the firm’s data.
The law holds a corporation’s external auditor responsible for attesting to management’s assessment of its internal controls over financial reporting. The statute itself does not prescribe specific technologies such as encryption or network access controls; auditors treat measures of that kind as supporting IT controls over the systems that produce and store financial data, and a network that cannot demonstrate such controls can undermine the attestation.
“That law makes the auditor responsible for an annual certification. It is an ongoing process, not a one-shot deal,” Murphy told the E-Commerce Times.
In practice, the law requires IT departments to work with their corporations’ auditors to document and demonstrate the controls protecting the systems that handle financial data. Murphy said every access point on a network, whether wired or wireless, is critical and can become a major compliance problem.
The auditor ultimately must be able to account for every access point and verify how the data passing through it is protected.
Audit for Compliance
AirWave conducted security sweeps of corporate networks to find access points that were not known or not secure.
The bottom line, Murphy said, is that corporations must have adequate internal security controls on their networks.
Besides heavy penalties for firms that fail to meet the deadline, the SEC could bar a company from trading its stock on the U.S. market, Murphy said.
“I suspect there will be a lot of catch up after November 15,” Murphy said. “This is the most significant piece of corporate law since the 1930s.”
Three sections of the Sarbanes-Oxley Act are most often cited as the compliance requirements that bear on IT:
- Section 302 establishes corporate responsibility for financial reports. The CEO and the CFO must personally certify the accuracy of the company’s financial statements and disclosures, and they are responsible for the internal controls behind them.
- Section 404 establishes the need to assess internal controls. An internal control report must accompany the annual report, taking responsibility for and assessing the effectiveness of internal controls over financial reporting, and the external auditor must attest to that assessment.
- Section 409 requires real-time disclosure of material changes. Changes in a company’s financial condition or operations that affect its financial disclosures must be reported on a “rapid and current basis.”
The Sarbanes-Oxley Act sets the foundation for a continuing regulatory policy to ensure the integrity of financial reporting and of the networks and systems that support it.
“As new technologies evolve, requirements will change to meet the new security threats,” Murphy said.