A Practical Guide to Security Assessments
questions. Because of the broad nature of these requirements, questions can be taken
from a number of the questionnaires in the appendices of this book as well as other
resources, such as the standards listed in Chapter 9 of this book.
SARBANES–OXLEY ACT
The Sarbanes–Oxley Act was passed largely as a result of the Enron scandal to help
restore investor confidence. The legislation makes management and the auditors
more accountable for the numbers on financial statements. The first major piece of
this legislation was Section 302 — Corporate Responsibility for Financial Reports,
which requires chief executive officers (CEOs) and chief financial officers (CFOs)
of publicly traded companies to certify that the financial statements are accurate.
Technically, management is responsible for the financial statements, but this requirement
brought attention to the fact that management certifies and attests to the
accuracy of the financial statements.
The relevant section of Sarbanes–Oxley as it relates to security assessments is
Section 404 — Management Assessment of Internal Controls. Most eligible companies
are required to be in compliance with Section 404 by June 15, 2004. Smaller
companies must achieve compliance by April 15, 2005. Specific guidance on determining
the compliance date for a company is contained in Section 404-1: Introduction.
This act essentially requires auditors to issue an internal control–related report,
which contains two key elements, as part of the annual report:
• Management responsibility for establishing an adequate internal control
framework to support accurate financial reporting
• The auditor’s assessment of the effectiveness of the internal control structure
To achieve compliance with Sarbanes–Oxley, auditors must have a thorough
understanding of the internal control framework. Before Sarbanes–Oxley, auditors
may or may not have reviewed internal controls. If these controls were reviewed,
one of the main purposes was to determine the amount and nature of substantive or
detailed testing that was performed to certify the numbers on the financial statements.
If auditors did not have a very high comfort level with the internal control structure,
more detailed testing was required on certain numbers in the financial statements to
have the required assurance. Auditors could even choose to do minimal internal
control review and do a significant amount of detailed testing to certify financial
statements. With Sarbanes–Oxley, auditors must understand the internal control
framework associated with financial reporting. As a result, auditors must review areas
such as application access for certain applications, information flow between systems,
and how the integrity of information is maintained. For audit firms, Section 404
increases their work and brings about the need for auditors with different skill sets.
From a security assessment perspective, the internal control report is a good
resource when gathering the initial information for a security assessment. The
effectiveness of the internal control framework is a significant component of the