Information Security Glossary
Sarbanes-Oxley Act (SOX)

The Public Company Accounting Reform and Investor Protection Act, most commonly referred to as the Sarbanes-Oxley Act (SOX), is comprehensive legislation intended to reform the accounting practices, financial disclosures and corporate governance of public companies.

SOX mandates that organizations ensure the accuracy of financial information and the reliability of the systems that generate it. Section 404 of SOX requires that management assess internal controls over financial reporting, and obtain attestation of that assessment from external auditors, on an annual basis. In today's businesses, information technology (IT) systems are inextricably linked with financial reporting, and information security is essential to ensuring the reliability of these systems.

The Securities and Exchange Commission (SEC) ruled that the framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) would serve as the basis for performance and reporting standards. COSO does not address information technology and security considerations in any meaningful manner. The IT framework that most closely aligns with COSO is COBIT (Control Objectives for Information and related Technology).