What is the Sarbanes-Oxley Act?
The Sarbanes-Oxley Act of 2002 (commonly referred to as SOX or SarbOX)
is a comprehensive accounting framework for all public companies
doing business in the US. Companies will be required to disclose
all pertinent financial performance information publicly in a uniform,
transparent manner. All financial performance results must have
substantiating data readily identified and easily available for
follow-up audits.
Why the Sarbanes-Oxley Act?
The Sarbanes-Oxley Act of 2002 was introduced in the wake of a series
of corporate financial scandals, including those affecting Enron,
Arthur Andersen, and WorldCom. Among the major provisions of the
act are: criminal and civil penalties for securities violations,
auditor independence / certification of internal audit work by external
auditors and increased disclosure regarding executive compensation,
insider trading and financial statements.
How does the Sarbanes-Oxley Act affect IT?
Due to the pervasive use of IT in the processing of financial records,
there is a critical need to ensure that IT processes comply with
SOX requirements. The Sarbanes-Oxley Act is composed of several titles
and sections, but the following are the ones that affect IT departments
most.
Section 404: This requires
a company to assess its internal controls over financial reporting.
Every process related to the balance sheet, from issuing checks
to recording sales, must be documented. (Those processes usually
use computer systems managed by IT departments.) Transparency
is the goal.
Section 302: This makes chief executive officers
and chief financial officers responsible for the accuracy of their
company's financial statements and the processes used to compile
them.
Section 409: This requires companies to disclose
changes in their financial condition or operation in real time.
The goal is to protect investors from delayed reporting of material
events.
IT Controls, IT Audit and SOX
In today's business environment, the financial reporting processes
of most organizations are driven by Information Technology (IT)
systems. Few companies manage their data manually and most companies
have moved to electronic management of data, documents, and key
operational processes. Therefore, it is apparent that IT plays a
vital role in internal control. As PCAOB Auditing Standard 2 states:
"The nature and characteristics
of a company's use of information technology in its information
system affect the company's internal control over financial
reporting."
Chief information officers are responsible for the security,
accuracy and the reliability of the systems that manage and report
the financial data. Systems such as ERP (Electronic Resource Planning)
are deeply integrated in the initiating, authorizing, processing,
and reporting of financial data. As such, they are inextricably
linked to the overall financial reporting process and need to be
assessed, along with other important processes, for compliance with
the Sarbanes-Oxley Act. So, although the Act signals a fundamental change
in business operations and financial reporting, and places responsibility
in corporate financial reporting on the chief executive officer
(CEO) and chief financial officer (CFO), the chief information officer
(CIO) plays a significant role in the signoff of financial statements.
Source: www.wikipedia.org
For more information on the Sarbanes-Oxley Act, please visit
www.sarbanes-oxley.com