Sarbanes-Oxley: Policy Brief and Violation Case Study. George Louthan

Transcription

1 Sarbanes-Oxley: Policy Brief and Violation Case Study George Louthan April 14, 2010

2 Contents 1 Policy Brief Introduction Background Overview of Sarbanes-Oxley Title Overview Primary Effects PCAOB Risk Assessment Summary Breach Case Study: Enron Note on the meaning of breach with respect to Sarbanes-Oxley Introduction Background Financial Fraud Specifics IT Security Flaws Mitigating Controls Conclusion References

3 Chapter 1 Policy Brief 1.1 Introduction The Sarbanes-Oxley Act of 2002, also known as the Public Company Accounting Reform and Investor Protection Act, was passed in response to multiple financial scandals around the turn of the millennium. It imposed numerous reforms upon publicly traded corporations, including stricter auditing requirements and more stringent controls to ensure the accuracy of companies financial statements and annual reports to the Securities and Exchange Commission (SEC). In addition to these financial regulatory measures, Sarbanes-Oxley (also called Sarbox or SOX) has information security consequences, specifically related to internal controls and risk assessments with IT components. In particular, IT is expected to contribute to controls that minimize material misstatement risk (MMR), meaning the risk of meaningfully incorrect reporting about the company s financial situation. 1.2 Background In the early part of the 2000s, several highly publicized, highly damaging scandals involving large publicly held corporations caused some of the largest bankruptcies in history, causing stockholders, employees, and retirees to lose millions of dollars due largely to accounting fraud. Because of an apparent lack of accountability and less than stringent requirements for auditing firms, corporate executives were able to perpetrate fraud on massive scales. Shoddy accounting practices, embezzlement, corporate looting, and stock price manipulation among numerous very large companies led to a rash of highly visible bankruptcies and corporate failures in 2001 and For example, in the Enron scandal, the $64 billion dollar company was driven to bankruptcy when it became clear that its balance sheets had been manipulated to hide liabilities and to exaggerate profits, and its audits had failed spectacularly to discover any of these practices; in fact, the company was bankrupt. Other companies driven to bankruptcy due to financial fraud in the same timeframe include WorldCom (who had the same auditor), Adelphia, Tyco International, and others. These failures led to widespread embarrassment at the state of the U.S. corporate financial system, which was gaining a reputation for these shoddy business practices and executive fraud. As a result, there arose a perceived need to impose regulatory reforms upon publicly traded US companies, and on July 30, 2002, the Sarbanes-Oxley Act, intended to address these issues, was enacted after being passed virtually unani- 2

4 mously by both chambers of the United States Congress. 1.3 Overview of Sarbanes-Oxley Title Overview Sarbanes-Oxley contains 11 titles. Not all of them need be addressed here, because only two specific sections deal with information systems; however, for completeness, a very brief summary of each title and its intent is provided below. Title 1: PCAOB Establishes the Public Company Accounting Oversight Board, which has SOX-backed regulatory authority. Title 2: Auditor independence Regards approval requirements and conflict of interest limitation for auditors. For example, auditing companies may not provide other services for audit clients. Title 3: Corporate Responsibility Makes senior executives personally responsible for correctness of financial reports. Title 4: Enhanced Financial Disclosures New, more detailed financial reporting requirements are instituted; requires internal controls for assuring the accuracy of financial reports, and audits thereof. Title 5: Analyst Conflicts of Interest Creates a code of conduct for securities analysts, including conflict of interest disclosure. Title 6: Commission Resources and Authority Gives the SEC authorities to govern brokers, advisors, and dealers in securities. Title 7: Studies and Reports Requires the SEC and Comptroller General to conduct various studies and produce reports. Title 8: Corporate and Criminal Fraud Accountability Creates criminal penalties for interference with financial records, and institutes whistle-blower protections. Title 9: White Collar Crime Penalty Enhancement Failure to certify corporate financial reports is made a criminal offense; new, stronger sentencing guidelines for white collar crimes are instituted. Title 10: Corporate Tax Returns The CEO must now sign the company s tax return. Title 11: Corporate Fraud Accountability Creates new authorities for the SEC to freeze unusual transactions, and deals with the criminalization of corporate records tampering Primary Effects The most important and expensive portions of the act have turned out to be Sections 302 and 404. Relatively brief in their statement, they create sweeping requirements for organizations: the executives are now personally responsible for ensuring that their material misstatement risk (MMR) is minimized, and there must be instituted, assessed, and audited internal controls to minimize MMR. The specific details of these requirements are delegated to PCAOB (the Public Company Accounting Oversight Board, often pronounced peek-a-boo ), which provides copious and detailed guidance and standards foe conducting these assessments. 3

5 1.4 PCAOB Risk Assessment Perhaps the most important aspect of SOX, as far as an information systems risk manager is concerned, is the Section 404 Top-down Risk Assessment, a process that is only indirectly required by SOX itself. Instead, PCAOB, the regulatory body responsible for implementing the general requirements of SOX, has issued Auditing Standard 5, which specifies this risk assessment. Perhaps the most widespread and damaging misconception about SOX is that it imposes specific, checkliststyle IT security requirements. In fact, SOX requires nothing more of IT than an accomplishment of due diligence necessary to prevent computer security incidents that lead to material misstatement risk, and allows virtually any reputable computer security framework to be employed to achieve this (though the COSO framework is specifically endorsed but not IT focused, and the COBIT framework, which is IT-focused is also encouraged and frequently applied). Furthermore, the IT side of Sarbanes-Oxley compliance can result encompass the use of information systems to implement internal controls over accounting practices. For instance, the deployment of an automated system for monitoring financial documentation designed to detect and report anomalies indicative of fraud would itself constitute an internal control. In the eyes of SOX and PCAOB, IT controls are not a distinct domain; rather, they are part of an overarching controls strategy. PCAOB has promulgated Auditing Standard 5, the standard specifying the procedure known as the SOX Section 404 Top-Down Risk Assessment. This risk assessment is intended to be a holistic approach to assessing an organization s risk of material misstatement on financial documents. Again, this is the only risk that SOX requires be assessed; the SOX 404 Risk Assessment is not concerned with other kinds of risks to the company, only with the risk that the company will misrepresent its financial information. Auditing Standard 5 addresses IT security, emphasizing that there is not a distinct, separate IT security assessment; any assessment of IT controls is necessarily only one component of an integrated, top-down risk assessment of all aspects of an organization s MMR controls. In fact, the auditing standard provides criteria for determining whether the assessment need deal specifically with IT at all. 1.5 Summary In summary, the Sarbanes-Oxley act created new requirements for accountability, auditing, and risk assessments for public companies, which were standardized and specified by the Public Company Accounting Oversight Board (PCAOB), also created by SOX. These risk assessments are concerned entirely with the efficacy of internal controls (specifically accounting controls) in preventing material misstatement on financial documents and SEC reports, with the goal of preventing the kind of fraud that bankrupted Enron, WorldCom and others. The effects of SOX in information technology are confined to two aspects: the ability of IT to provide controls to detect and prevent actions leading to material misstatement, and the secure deployment of information systems to avoid their causing material misstatement. Like all other internal controls, information systems are subject to SOX compliance top-down risk assessments, as standardized in PCAOB Auditing Standard 5. The IT risk assessment is not a separate process, but rather (if it even occurs) is integrated into the overall risk assessment. These risk assessments focus upon the material misstatement risk (MMR) of the company. 4

6 Chapter 2 Breach Case Study: Enron 2.1 Note on the meaning of breach with respect to Sarbanes-Oxley In order to put any case study of a violation or breach into the proper context of Sarbanes-Oxley, it is important first to describe what exactly is meant by a breach or violation in this particular case. Unlike many other information security related regulations, SOX is not concerned primarily with preventing data leakage or intrusions; rather it is wholly and exclusively focused upon the ability of information systems to prevent, detect, and avoid causing material misstatement of financial records. For this reason, a breach of Sarbanes-Oxley does not necessarily look like most other IT security breaches; its hallmark is not disclosure or downtime, but rather fraud. For this reason, this case study is likely to look very different from many others; it is concerned with financial fraud, and the lack of proper controls that would have detected, reported, or prevented that fraud; and also of the failure of audits to determine the need for such controls. 2.2 Introduction In December of 2001, owing to massive financial fraud on the part of its executives, Enron declared bankruptcy. Through shoddy accounting practices, conflicts of interest among external auditors, and a lack of proper financial reporting controls, the company s management created the illusion of profitability in order to elevate stock prices when, in reality, the company was billions of dollars in debt. The company also reportedly suffered from serious computer security flaws, among its other troubles with poor internal controls. Aside from the poor accounting practices, relatively simple computer systems could have been deployed that would have detected and reported the sorts of shoddy financial activities that doomed Enron. These continuous auditing systems would have allowed a SOX-compliant external financial audit to detect and report these dealings. Although Sarbanes-Oxley was enacted largely to prevent Enron-style scandals from occurring in the future, Enron is still an extremely useful example of a company that broke virtually every rule that SOX imposes. It had flaws in its financial structure, its auditing systems, and its information systems, all of which rendered it noncompliant with the regulations that SOX would later impose regulations that would have prevented its artificial stock price inflation and, later, its disastrous bankruptcy. 5

7 2.3 Background Enron s compensation structure, especially for executives, was based heavily upon bonuses for stock price performance. This led to a corporate culture obsessed with the kind of short-term gains that inflated stock prices, and the company s accounting practices soon came to reflect a desire to emphasize profits and hide debts in order to appear strong to Wall Street Financial Fraud Specifics The specific accounting practices that allowed the company s fraud were related to special purpose entities, a type of legal entity created to fulfill a special purpose. By the time of its bankruptcy, Enron had created hundreds of special purpose entities, to which its massive liabilities and debts were assigned, in order to allow these debts to be hidden from its balance sheets. The auditing firm, Arthur Andersen, responsible for verifying Enron s accounting practices, was also retained as an accounting consultant for Enron. In effect, they were verifying their own work, a significant conflict of interest. It is likely that a rigorous traditional audit would have detected the practices that led to the company s failure IT Security Flaws Enron was also reportedly guilty of grossly neglecting proper computer security practices. Employees were regularly allowed to use peer-to-peer file sharing applications with firewall exceptions; the due to poor patch management, the company s computer systems were hit extremely hard by the Code Red and Nimda viruses. Complicated password policies and lack of enforcement resulted in Post-It notes and papers with passwords to multiple accounts and many workstations and desks; and, perhaps most disturbing, all IT management systems were custom-built. Incidentally, in the midst of its death throes, Enron s travel booking system (managed by a company called Concur) was attacked; in spite of Enron s poor security practices, this attack was thwarted by Concur and was, in any event, unrelated to material misstatement risk, the primary concern of SOX. Nevertheless, this reveals the possibility that, because of IT inadequacies, executive accounting practices were not Enron s only source of material misstatement risk. 2.4 Mitigating Controls The financial accountability requirements imposed by SOX would likely have prevented the kinds of shoddy practices that led to Enron s failure. However, there are some IT controls that were not only necessary to lessen the company s MMR and provide auditing tools to prevent the debacle that occurred, but also controls that ought to have been part of the basic due diligence of the company s IT department. One software method for detecting accounting problems is called continuous audit. In continuous auditing based on anomaly detection, strange and unusual (a vague description that will stand for the moment) financial activity is detected and automatically reported to management and audit personnel. Extraordinary transactions, such as the transfer of debts into an assetless shell company simultaneous to removal of those debts from the main company s balance sheet would constitute an event worthy of reporting. Because these kinds of transactions were at the heart of Enron s frauds, a system capable of detecting them 6

8 as they occurred would have created a higher level of assurance that the company s accounting practices were on the level thereby reducing material misstatement risk. Furthermore, Enron would have been well served by taking a generally top-down, holistic approach to managing their risk of violating accounting practices. In the business world, a general approach for doing this is provided by COSO, the Committee of Sponsoring Organizations of the Treadway Commission, in their Internal Controls framework. Their IT vulnerabilities would have been mitigated by, again, taking an integrated, systematic approach to developing and deploying the company s information systems. A process like that provided by the COBIT framework would have enabled them to develop such an approach. 2.5 Conclusion In spite of all of the possibilities that existed for mitigating Enron s material misstatement risk, the main flaw with Enron was with the company s corporate culture, which emphasized profits over transparency, and even over compliance with the law. If the company had made it a priority to develop the kinds of internal controls that Sarbanes-Oxley later mandated in order to prevent financial misstatements, it would likely have avoided being rocked by the massive scandal that it experienced. This example was illustrative of the reasons that SOX requires what it does; the risk of material misstatement of a company s financial records should be considered parallel to its risk of a massive Enron-style corporate meltdown. Relatively simple accounting controls and IT-based auditing tools would easily have caught and prevented the fraud that Enron s executives perpetrated upon its shareholders. Frameworks now exist that can be followed to prepare a corporation for SOX compliance (such as COBIT and COSO); auditing standards have been promulgated that would allow independent auditors to catch the kind of fraud that caused Enron s failure. And simple information systems can automate these controls. SOX exists largely because of Enron s failures, and it even though it predated the law, it is perhaps the best example of what not to do concerning the law. 2.6 References Sarbanes Oxley for IT Security? Would Continuous Auditing Have Prevented the Enron Mess? Enron: Security Woes Too? SANS Sarbanes-Oxley Whitepaper. Sarbanes Oxley Act of 2002, hosted by University of Cincinnati College of Law. Serena Software. The Impact of Sarbanes-Oxley on IT and Corporate Governance. PCAOB Auditing Standard No PCAOB AU On the Docket: Free Enterprise Fund and Beckstead and Watts v. Oversight Board. Public Company Accounting 7