SOX (also known as Pub.L. 107-204, 116 Stat. 745, the Sarbanes-Oxley Act of 2002, the Public Company Accounting Reform and Protection Act, and Sarbox) is legislation passed by the House and the Senate specifically to focus on the accuracy and truthfulness of a corporation's financial records through tighter regulation and policies.
With that said, many readers are probably wondering what IT security has to do with SOX in the first place.
The answer to that lies with part of what spearheaded this bill to fruition in the first place: the Enron debacle.
The Enron scandal has its roots in the U.S. Securities and Exchange Commission's endorsement of an aggressive form of accounting called "mark to market".
Enron's shenanigans, which included, among other things, using a series of CFO-owned limited partnerships to offload immense amounts of debt while Enron simultaneously reassumed that debt, making transactions with zero standalone financial value, and relying on an accounting firm that was beholden to its client and therefore had a conflict of interest, could well have been avoided by improved IT security in the accounting department.
This isn't IT security in the sense that better technology to keep hackers out of a company's accounting data could have saved Enron from its downfall; after all, for all intents and purposes, the Enron scandal was an inside job.
It instead refers to IT controls that would have detected anomalies and prevented the fraud at Tyco, WorldCom, and Enron, even though it was perpetrated by the owners themselves.
In a sense, what happened to the aforementioned companies was as much a failure of ethics as a failure of IT security controls. It's no wonder that IT security companies are scrambling to offer products that allegedly accommodate the Sarbox bill.
Furthermore, there is technology presently available that would've detected the actions of trusted employees who were creating and concealing humongous amounts of losses and debts for their company.
More to the point, investors can rest easier with companies whose IT security controls are 100% SOX-compliant, because these programs were developed specifically to detect inconsistencies, anomalies, and other irregularities caused by criminals inside or outside the system.
Historically speaking, if the late-eighties financial scandal at Barings Bank (Nick Leeson) or the turn-of-the-millennium fraud at Allied Irish Bank/Allfirst had been subject to better IT controls over their accounts, those incidents would have been prevented from the start.
Although insider fraud is inherently difficult to detect, because it involves trusted employees and owners who can work around the controls themselves, processes such as checks and balances on the records behind financial reporting, detection of unusual access or account activity, and access control can serve as an effective early warning system for suspicious or fraudulent activity.
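As an added illustration (not code from the original article or from any SOX product), the following Python script applies three of the controls just described to constructed journal-entry audit records: segregation of duties (the preparer must not be the approver), a checks-and-balances test that every entry nets to zero, and an after-hours posting check. The record layout, account numbers, and the 08:00 to 18:59 business window are assumptions made for the example.

```python
from datetime import datetime

# Constructed sample journal-entry audit records (not real data). Each entry
# records who prepared it, who approved it, when it was posted, and its
# (account, signed amount) lines, where debits are positive and credits negative.
SAMPLE_ENTRIES = [
    {"id": "JE-1001", "created_by": "alice", "approved_by": "bob",
     "posted_at": "2002-03-04T10:15:00", "lines": [("1000", 5000.0), ("4000", -5000.0)]},
    {"id": "JE-1002", "created_by": "carol", "approved_by": "carol",      # self-approved
     "posted_at": "2002-03-04T11:00:00", "lines": [("1200", 250000.0), ("2100", -250000.0)]},
    {"id": "JE-1003", "created_by": "dave", "approved_by": "erin",        # posted at 02:30
     "posted_at": "2002-03-05T02:30:00", "lines": [("1000", 900.0), ("5000", -900.0)]},
    {"id": "JE-1004", "created_by": "alice", "approved_by": "bob",        # debits != credits
     "posted_at": "2002-03-05T14:00:00", "lines": [("1300", 1200.0), ("2000", -1150.0)]},
]

BUSINESS_HOURS = range(8, 19)  # assumed normal posting window: 08:00 to 18:59 local time


def check_entry(entry, hours=BUSINESS_HOURS, tolerance=0.005):
    """Return the list of control findings for one journal entry (empty if clean)."""
    findings = []
    # Segregation of duties: the person who prepares an entry must not approve it.
    if entry["created_by"] == entry["approved_by"]:
        findings.append("self-approved")
    # Checks and balances: debits and credits of a valid entry must net to zero.
    if abs(sum(amount for _, amount in entry["lines"])) > tolerance:
        findings.append("unbalanced")
    # Unusual account activity: postings outside the normal business window.
    if datetime.fromisoformat(entry["posted_at"]).hour not in hours:
        findings.append("after-hours")
    return findings


def review(entries):
    """Map each entry id to its findings, keeping only entries that tripped a control."""
    report = {}
    for entry in entries:
        findings = check_entry(entry)
        if findings:
            report[entry["id"]] = findings
    return report


if __name__ == "__main__":
    for entry_id, flags in review(SAMPLE_ENTRIES).items():
        print(f"{entry_id}: {', '.join(flags)}")
```

In practice the same checks would run against the general ledger's own audit trail, and each finding would be routed to someone independent of the preparer and approver so that a single insider cannot both post and clear an exception.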
For the sake of the safety of their own investments, wise investors should not invest in companies that lack SOX-compliant IT security software.