Management Information Systems, 13TH ED.
MANAGING THE DIGITAL FIRM
Kenneth C. Laudon Jane P. Laudon
continued
Learning Track 2: The Sarbanes-Oxley Act
Reacting to corporate accounting and governance scandals that made headlines in the early days of
the twenty-first century, the United States Congress enacted legislation to protect investors from
fraudulent corporate accounting and restore public confidence in corporate America. e legis-
lation, known ocially as the Public Company Accounting Reform and Investor Protection Act
of 2002, acquired the common name of the Sarbanes-Oxley Act (alternatively SOX or Sarbox), so
named for the members of Congress who sponsored the bill, Senator Paul Sarbanes (D-MD) and
Representative Michael G. Oxley (ROH).
e scandals in question, including Enron, WorldCom, and Tyco, resulted in bankruptcy and, in
some cases, the complete collapse of major public corporations. Hundreds of thousands of share
holders lost millions of dollars due to the unethical actions of a handful of executives and faulty
SOX forces companies to ensure the accuracy of their financial records though internal account
ing controls. All internal audits must in turn be certified by an independent external auditor. e
importance of an independent external auditor is underscored by the fact that Enrons accountant,
Arthur Andersen, also relied on income from Enron for consulting services. is conict of inter-
est inuenced the accounting firm to, at best, tacitly approve inaccurate records. SOX declares that
outside auditors may not furnish actuarial, legal, or consulting services to their audit clients. In
addition to mandating the independence of auditors, SOX enforces compliance to the following:
Financial reports must not contain any misrepresentations
CEOs and CFOs of corporations must review all financial reports and are responsible for their
Chapter 8: Securing Information Systems
Chapter 8 Learning Track 2 2
continued
Companies, and executives, that fail to comply with SOX regulations are subject to a variety of
penalties, ranging from criminal and civil actions for securities violations to lengthy jail terms and
hefty fines for executives who purposefully misstate financial records. SOX also criminalizes the
corrupt alteration, destruction, mutilation, or suppression of documents for the purpose of devalu
ing them or evading disclosure in ocial proceedings.
Along with heavy consequences for violations, SOX compliance carries financial burdens for imple
e terms of SOX mandate the long-term storage and protection of financial records, as well
as the rapid availability of such records in case an oversight agency or subpoena requests them.
Interference with the proper retention of records, including destruction, alteration, and falsifica
tion, carries harsh criminal penalties mentioned earlier. Records that need to be retained include
Chapter 8 Learning Track 2 3
WORM media prevent overwriting or deleting data once they have been recorded as a result of the
write-once technology. ese media are also high-performance and high-capacity solutions at a
reasonable cost. Technologists have used magnetic tape reliably to store data for decades. Its tradi-
tional strengths, including capacity, cost, transfer rates, durability, and portability, combine with
the security of WORM technology to satisfy the SOX-compliance needs of many businesses.
Creating unalterable, long-lasting data records is not the end of the information security process.
SOX compliance is a complex undertaking. e following guidelines may be helpful to any busi-
ness that has questions about their strategy for storing and securing data:
Do you have the ability to store data and prevent them from being altered for the appointed
retention period?
Is the technology you are using exible enough to be updated so that access to stored data
remains possible years from now?