How do IT security audits of software affect an organization's compliance with the Sarbanes-Oxley Act?
As the Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) continue to establish rules and standards to tighten the interpretation of Sarbanes-Oxley provisions, it remains clear that systems and software security are integral to SOx compliance. A security audit of an organization’s application portfolio is a warranted element of a SOx compliance program relevant to the assurance of information and software security. Because Sarbanes-Oxley specifically addresses financial information and all the processes related to managing this information, ensuring its reliability and security, and ensuring reliable financial reporting, it necessarily applies to information security and management controls. A breach in information security that could allow insiders or attackers to compromise financial information or systems would certainly be considered “significant” to SOx compliance, and would require management and auditors to disclose the breach and