Hacking Your SOX Off: Sarbanes Oxley, Fraud, and Fraudulent Financial Reporting (Hacking Illustrated Series InfoSec Tutorial Videos)

Hacking Your SOX Off: Sarbanes Oxley, Fraud, and Fraudulent Financial Reporting

I had to do a presentation for one of my MBA courses, and one of the topic choices was the Sarbanes-Oxley act. I chose it because I thought I could relate it to computer security, but as it turns out the connection is somewhat tenuous, as you will see if you watch the presentation. Below is a screencast of the presentation, and below that a text version of my PowerPoint slides for easy reference.


Sarbanes Oxley, Fraud, and Fraudulent Financial Reporting
Adrian Crenshaw

I Am Not A Lawyer
I Am Not A Certified Public Accountant

Why did I choose this topic?
I had to do it for class. :)
I do a lot of information security education from the technical side, so I wanted to know what SOX means for a techie
I kept seeing folks referring to “SOX Compliance” in my security reading
So, what does SOX mean to a hacker?

What is SOX
Sarbanes-Oxley is US legislation enacted on July 30, 2002
AKA: Public Company Accounting Reform and Investor Protection Act of 2002
CPA Employment Act :)

Put forth in part because of accounting scandals of corporations such as Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom that cost investors billions of dollars
What is SOX
"To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the security laws, and for other

Attempts to increase accountability
Applies only to publicly traded companies

1) Public Company Accounting Oversight Board (PCAOB)
2) Auditor Independence
3) Corporate Responsibility
4) Enhanced Financial Disclosures
5) Analyst Conflicts of Interest
6) Commission Resources and Authority
7) Studies and Reports
8) Corporate and Criminal Fraud Accountability
9) White Collar Crime Penalty Enhancement
10) Corporate Tax Returns
11) Corporate Fraud Accountability

Key Provisions
SOX Section 302: Internal control certifications
SOX Section 404: Assessment of internal control
SOX Section 802: Criminal penalties for violation of SOX
Information Security Triad
What is an Internal Control
SOX Section 302: Internal control certifications
Holds the Chief Executive Officer (CEO) and Chief Financial Officer (CFO) personally responsible to certify that financial reports are accurate and complete.
They must also assess and report on the effectiveness of internal controls around financial reporting.
CEOs and CFOs now face the potential for criminal fraud liability.
Section 302 does not specifically list which internal controls must be assessed.

SOX Section 404: Assessment of internal control
The most contentious aspect of SOX
PCAOB standards require management to do the following:
Assess both the design and operating effectiveness of selected internal controls related to significant accounts and relevant assertions, in the context of material misstatement risks;
Understand the flow of transactions, including IT aspects, sufficient enough to identify points at which a misstatement could arise;
Evaluate company-level controls, which correspond to the components of the COSO framework;
Perform a fraud risk assessment;
Evaluate controls designed to prevent or detect fraud, including management override of controls;
Evaluate controls over the period-end financial reporting process;
Scale the assessment based on the size and complexity of the company;
Rely on management's work based on factors such as competency, objectivity, and risk;
Conclude on the adequacy of internal control over financial reporting.

SOX Section 802: Criminal penalties for violation of SOX
"Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both."

Also requires auditors to maintain accounting documents and work papers for a minimum of five

So, after all of that, what does SOX have to do with information security?

Not a whole lot, it’s primarily concerned with accuracy in financial reports
InfoSec professionals may benefit from bigger budgets because the higher ups are afraid of liability for inaccurate data (playing the Integrity angle)
However, InfoSec can help in the following ways:
Documentation, documentation, documentation
Control of access to financial records
Detection of modification
Prevention of data loss and contingent liabilities
Contingent liability
Liability for investor losses in stock price based on:
Disclosures that lessen consumer confidence
Security issues that affect reliability and safety
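The "detection of modification" and "segregation of duties" points above are the places where a techie can actually contribute to a Section 302/404 control. The following is an added example written for this page, not code from the presentation or from any of the referenced books: it builds a signed integrity manifest over a set of financial-record files and reports which files were modified, added or removed. The file names, contents and HMAC key are constructed sample values; the design assumption (not stated on the page) is that the HMAC key is held by a custodian other than the people who maintain the records, so that whoever can edit a ledger cannot also quietly re-sign the manifest to match.

```python
"""Added example (not part of the original presentation): a minimal signed
integrity manifest for financial-record files, used to detect modification.

Assumptions (not stated on the page): records are given as a mapping of
file name -> bytes, and AUDIT_KEY is held by a custodian separate from the
record maintainers (segregation of duties)."""
import hashlib
import hmac
import json

# Constructed sample key; a real deployment would keep this in a
# custodian-controlled secret store, never beside the records themselves.
AUDIT_KEY = b"constructed-example-key-not-for-production"


def _canonical(digests):
    """Serialize the digest table deterministically so the HMAC is stable."""
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(records, key=AUDIT_KEY):
    """Return a manifest: per-file SHA-256 digests plus an HMAC over them."""
    digests = {name: hashlib.sha256(data).hexdigest()
               for name, data in sorted(records.items())}
    tag = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    return {"digests": digests, "hmac": tag}


def manifest_is_authentic(manifest, key=AUDIT_KEY):
    """Check that the manifest itself was not altered after it was signed."""
    expected = hmac.new(key, _canonical(manifest["digests"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["hmac"])


def detect_changes(manifest, records, key=AUDIT_KEY):
    """Compare current records against a signed manifest.

    Returns a dict with sorted lists of modified, added and removed names.
    Raises ValueError if the manifest fails authentication: a tampered
    manifest cannot be trusted to detect anything."""
    if not manifest_is_authentic(manifest, key):
        raise ValueError("manifest failed HMAC check; cannot be trusted")
    known = manifest["digests"]
    current = {name: hashlib.sha256(data).hexdigest() for name, data in records.items()}
    return {
        "modified": sorted(n for n in known if n in current and current[n] != known[n]),
        "added": sorted(n for n in current if n not in known),
        "removed": sorted(n for n in known if n not in current),
    }


# Constructed sample records (not real financial data).
BASELINE = {
    "ledger_2007Q1.csv": b"account,debit,credit\n1000,500.00,0.00\n",
    "journal_2007Q1.csv": b"date,entry\n2007-01-15,vendor payment\n",
}


def demo():
    """Sign the baseline, then simulate an altered figure, a deleted journal
    and an unexpected new file, and report what the check finds."""
    manifest = build_manifest(BASELINE)
    changed = dict(BASELINE)
    changed["ledger_2007Q1.csv"] = b"account,debit,credit\n1000,50.00,0.00\n"  # figure altered
    del changed["journal_2007Q1.csv"]                                          # record removed
    changed["memo.txt"] = b"new file"                                          # record added
    return detect_changes(manifest, changed)


if __name__ == "__main__":
    print(demo())
```

The manifest would be produced at period end and stored with the audit work papers; rerunning `detect_changes` later gives the "detection of modification" control a concrete output an auditor can review, and the HMAC check is what ties it to segregation of duties rather than to trust in whoever has write access to the records.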

Control Objectives for Information and related Technology
Security Policy
Security Standards
Access and Authentication
Network Security
Segregation of Duties
Physical Security

Higher cost burden on US companies
Fewer IPOs take place on US stock exchanges
Increased investor confidence
Financial restatements decreased significantly

Web References

The text of the law (PDF)
SANS Institute - An Overview of Sarbanes-Oxley for the Information Security Professional by Gregg Stults
Sarbanes Oxley for IT Security by Mark Rasch
Signing Statement of George W. Bush
SOX Wikipedia Entry
Sarbanes-Oxley An Opportunity for Security Professionals
The Sarbanes-Oxley Act 2002

Book References
Sarbanes - Oxley IT Compliance Using COBIT and Open Source Tools
Lahti, Christian; Peterson, Roderick

IT Governance : A Manager's Guide to Data Security and BS 7799/ISO 17799
Calder, Alan; Watkins, Steve

Business Guide to Information Security
Reuvid, Jonathan

Enterprise Information Systems Assurance and System Security : Managerial and Technical Issues
Warkentin, Merrill; Vaughn, Rayford

    Copyright 2019, IronGeek
    Louisville / Kentuckiana Information Security Enthusiast