Spurzem (2009) states that the Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. The act is administered by the Securities and Exchange Commission (SEC), which sets deadlines for compliance and publishes rules on requirements. Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records; rather, it defines which records are to be stored and for how long. The legislation not only affects the financial side of corporations, it also affects the IT departments whose job it is to store a corporation's electronic records. The Sarbanes-Oxley Act states that all business records, including electronic records and electronic messages, must be saved for "not less than five years." The consequences for non-compliance are fines, imprisonment, or both. IT departments are increasingly faced with the challenge of creating and maintaining a corporate records archive in a cost-effective fashion that satisfies the requirements put forth by the legislation.
Section 404 of Sarbanes-Oxley
In consequence, Search Financial Security (2009) shows the Section 404 of SOX mandates that all publicly traded companies must establish internal controls and procedures for financial reporting and must document, test and maintain those controls and procedures to ensure their effectiveness. The purpose of SOX is to reduce the possibilities of corporate fraud by increasing the stringency of procedures and requirements for financial reporting.
These reports require to be conveyed annually of the public company by management on the internal control over financial reporting within the organization. McGladrey & Pullen (2006) indicated that the report should contain:
•A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company. •A statement identifying the framework used by management to evaluate the effectiveness of internal control. •Management's assessment of the effectiveness of internal control as of the end of the company's most recent fiscal year. •Disclosure of material weaknesses (A material weakness is a significant deficiency or combination of significant deficiencies that result in more than a remote likelihood that a material misstatement will not be prevented or detected.) •A statement that its auditor has issued an attestation report on management's assessment
Information Technology Control in Sarbanes-Oxley
Information technology controls has an increased been focused after the SOX section 404 establishment of internal controls over the financial reporting. In order to assist with SOX compliance, the framework of COBIT can be used. Qualified Audit Partner (2007) states that the Control Objectives for Information and related Technology (COBIT) is a set of best practices for information technology (IT) management created by ISACA and the IT Governance Institute (ITGI) in 1996. ISACA (2007) indicates that COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework. The framework does explain how the Information technology processes transfer the information that the business needs to reach its objectives. This approach is handled via 34 high-level control objectives, one for each information technology process. It also identifies several criteria of efficiency, effectiveness, reliability,...