The arrival of the Sarbanes-Oxley Act of 2002 has ushered in a new era of
corporate governance. The Act impacts a wide range of businesses, both public
and private, operating inside and outside the United States. In the US, Sarbanes-
Oxley has federal and state-level implications and the penalties for noncompliance
could impact both executive and middle management personnel.
There are three key sections in the Act that directly affect the information
technology systems and software that are implemented by a corporation.
Section 302 - requires officers to certify annual or quarterly reports
submitted to the SEC (or be subject to penalties defined in section 906).
Section 404 - requires the production of a new kind of report validating the
internal controls over the financial reporting process.
Section 409 - requires improved notification of material events to the
marketplace that may impact the financial results of the business.
Delivering compliance with Sarbanes-Oxley demands the attention of executive,
finance and IT managers, and is as much about following defined processes as it
is about information technology implementations. However, information
technology systems and software, especially identity management, access
control and access logging capability, have a large role to play in providing a
foundation for compliance. Computers, applications and data that support
compliance with sections 404 and 409 must be secured so that the integrity of
the financial reporting process is guaranteed.
The OmniPass product family provides identity management, access control and
logging and can help provide this solid foundation for compliance. Most of the Act
revolves around accountability for financial information that is generated and
flows within a corporation. Each step of the financial reporting and certification
process requires someone in the organization to be responsible for reported
information. Therefore, it becomes a requirement to perform strong user
authentication, and to ensure that only authorized and authenticated users
access computers, applications and data that are part of the financial reporting
and certification process; otherwise the chain of accountability is broken.
Compliance with Sarbanes-Oxley is a challenge. The OmniPass product family
alone cannot deliver compliance, but it is a foundation for the IT systems which
are the backbone of the defined processes put in place by the corporation. The
objective of this whitepaper is to outline the scope and key requirements of the
Sarbanes-Oxley Act from an information technology perspective, and to relate
these requirements to OmniPass.