Sarbanes-Oxley Act & Sections 302, 404, 409

November 25, 2009

The Sarbanes-Oxley Act of 2002, also known as the Public Company Accounting Reform and Investor Protection Act of 2002, is mandatory. ALL organizations, large and small, MUST comply.

Section 302

Corporate Responsibility for Financial Activities

Public company officers must certify the accuracy of financial statements and must certify that those statements fairly present the operations and financial condition of the issuer.

It also requires that the material information used to generate these reports be retained and made available to the public.

It Affects

This directly affects the IT and security departments, because it is primarily IT systems that generate these periodic reports and that control e-mail, the main method of communication within most organizations.

Section 404

Management Assessment of Internal Controls

Section 404 is the most pertinent section of SOX for issues surrounding information security. It addresses the necessity for corporate management to be fully accountable for the integrity of all data associated with their financials.

It states that management teams of public companies must establish and maintain adequate “Internal Controls” over their financial reporting systems to safeguard against unauthorized and improper use of financial information.

Internal Controls are defined as “all control methods a company uses to prevent, detect and correct errors and frauds that might get into financial statements”.

Section 409

Real Time Issuer Disclosure

Public companies must be aware of, and declare, changes in their financial condition or operations within 48 hours of material events. All events that could affect a company’s finances, stock price or intellectual property (among other things) must be captured, documented with a process that can be audited, and reported in a rapid fashion.

This includes operational risk with IT systems such as:

• Major or extended system outages
• Loss of critical data
• Security breaches
• Intellectual Property and Digital Rights Management issues
• Major computer virus and worm attacks

SEC Delays 404(b) Compliance for Small Biz

June 23, 2008

The Securities and Exchange Commission has granted small companies a one-year reprieve from complying with the auditor-attestation requirements of Section 404(b) of the Sarbanes-Oxley Act.

With the extension, smaller companies will now be required to provide the attestation reports in their annual reports for fiscal years ending on or after December 15, 2009.

“The extension of the Section 404(b) compliance date for smaller companies is the latest in a series of Commission efforts to help reduce unnecessary compliance costs for smaller companies while preserving important investor protections,”

Section 404 has two provisions: 404(a) requires company management to assess the effectiveness of the company’s internal controls over financial reporting, while 404(b) requires an auditor attestation on management’s assessment.