ABSTRACT: The Sarbanes-Oxley Act of 2002 (SOX) created a resurgence of organizational focus on internal controls. In this study, we examine the extent to which the information technology (IT) controls suggested by the ISO 17799 security framework have been integrated into organizations' internal control environments. We collected survey data from 636 members of the Institute of Internal Auditors (IIA) on the current usage of IT controls in their organizations. In addition to identifying the most and least commonly implemented IT controls, the survey results indicate that control implementation differences exist based on a company's status as public or private, the size of the company, and the industry in which the company operates. Training of internal auditors and/or IT personnel is also associated with significant differences in implemented controls. We discuss the implications of our research and offer suggestions for future research.
Keywords: information security; internal control; ISO 17799; Sarbanes-Oxley.
Data Availability: A complete copy of the survey and the data collected are available upon request.
I. INTRODUCTION
The Sarbanes-Oxley Act (SOX) was enacted in 2002 by Congress to protect shareholders and the general public from fraudulent corporate practices and accounting errors and to maintain auditor independence. SOX raised the standards for financial reporting in public companies to increase the transparency, accountability, and reliability of financial information. It has become strategically important for organizations that are striving to meet SOX requirements to select and implement appropriate information security procedures in order to manage internal controls effectively.
Information security refers to all of the steps taken to protect information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction (United States Code 2008). Information technology (IT) is a vital component of information security. IT refers to any technology that helps to manage, process, or disseminate information, such as some combination of computer hardware, software, and associated communications systems. Because of the close link between financial reporting, information security, and IT, most organizations have implemented a variety of IT controls to comply with SOX regulations (Damianides 2005).
Although the primary focus of SOX is the accuracy of an organization's financial information and the effectiveness of internal controls, SOX does not explicitly address how IT should be incorporated into the SOX compliance process. Furthermore, the SEC...