We investigated publicly reported security breaches of internal controls in corporate systems to determine whether SOX assessments are information bearing with respect to breaches that can lead to materially significant losses and misstatements. SOX Section 404 adverse decisions on the effectiveness of controls occurred in 100% of credit card data breaches and around 33% of insider breaches. SOX 404 audits provided contrarian "effective" control decisions in 88% of situations where there was a control breach concerning a portable device. We found that management and SOX 404 auditors do not generally agree on the underlying internal control situation at any time; instead, the SOX 404 team was likely to discover material weaknesses and "educate" management and internal audit teams about the importance of these control weaknesses. SOX attestations were poor at identifying control weaknesses from unintended disclosures, physical losses, hacking and malware. Hazard and occupancy structural models were constructed to extrapolate to a larger population; results showed that both SOX 302 and 404 section audits provided information germane to the frequency of breaches, with SOX 404 being three times as informative as section 302 reports. The hazard model found an expected 2.88% reduction in breaches when SOX 302 controls are effective; management "material weakness" attestations provided no information in this structural model, whereas there would be around a 1% increase in breach occurrence when there are significant deficiencies. SOX 404 attestations were the most informative, and a negative SOX 404 attestation is projected to increase the frequency of breaches by around 8.5%. We concluded that the strength of internal controls attested in SOX reports is likely to be a significant factor in the occurrence of a breach at a firm in a specific period.
The Sarbanes-Oxley Act and Threat to the Firm’s Systems

Following the Enron and WorldCom collapses that marked the end of the dot-com bubble, U.S. legislators sought to better protect and inform investors through passage of the Sarbanes-Oxley Act of 2002 (“SOX”). Section 404 of SOX (“SOX 404”) requires companies to review, under the supervision of external auditors, their internal controls over financial reporting (“ICFRs”) and declare whether their ICFRs are “effective” or “ineffective.” Section 302 of SOX (“SOX 302”) requires companies to self-report on the effectiveness of internal controls. One significant reason for the focus on internal control is the potential for firms to suffer systems intrusion from external actors, commonly referred to as security breaches or hacks, which can lead to materially significant losses and misstatements. a 500-million-account hack of Yahoo, 340 million AdultFriendFinder accounts (their second hack in a year) and numerous other breaches. Both the frequency and scale of breaches have grown dramatically in the past five years.
Auditors have argued forcefully that they have no explicit responsibility for detecting fraud and external threats during audits. Nonetheless, auditors were forced to embrace some responsibility for detecting fraud and threats after the Enron and WorldCom collapses. AICPA (2002) provides specific guidelines with respect to the auditor’s responsibility for identifying external threats and fraud that may result in material misstatements. Security breaches and other external threats to the firm are subsumed under the category of “fraud,” which AU 316.05 clarifies as:
"a broad legal concept and auditors do not make legal determinations of whether fraud has occurred. Rather, the auditor’s interest specifically relates to acts that result in a material misstatement of the financial statements. The primary factor that distinguishes fraud from error is whether the underlying action that results in the misstatement of the financial statements is intentional or unintentional. Fraud is an intentional act that results in a material misstatement in financial statements that are the subject of an audit."
The Sarbanes-Oxley Act was a formal attempt to impose additional joint responsibility on auditors and management for the detection of fraud and external threats; of relevance to this research are SOX sections 302 and 404, which require internal control assessments. SOX compliance has been contentious. Questions have been raised concerning the effectiveness of expensive SOX reviews, the external validity of SOX assessments for security breaches, errors, fraud and other external financial threats to the firm, and the usefulness of SOX reporting to investors and other stakeholders. Unfortunately, these questions have been difficult to study, as external breaches, frauds and other crimes are significantly underreported in business, leading to a reporting bias in datasets that creates difficulties in controlled studies. Corporate executives, politicians and lobbyists have argued that the Sarbanes-Oxley Act (SOX) of 2002 is a cumbersome and costly regulation that is not effective (Drawbaugh 2012). Compliance with section 404 alone has been estimated to average $1.7 million per firm annually (FEI 2007), and arguments have even been made before the US Supreme Court that SOX is unconstitutional (FEP 2010). Publications on the market- and economy-wide effects of SOX implementation have opined with case studies and polemics as well as empirical studies (Bratton 2003, Romano 2004, Coates 2007, Engel, Hayes et al. 2007, Kang, Liu et al. 2010), but the evidence on whether SOX implementation has improved the security and integrity of internal controls is still equivocal. This research addresses the question “How effective is corporate investment in SOX compliance in identifying and eliminating the threat from internal control security breaches?” The external validity and utility of SOX assessments are difficult to measure because of the inclination for firms, conscious of their reputation, to significantly underreport interna