The global nature of business and technology has long dictated a common understanding and support of standards, as demonstrated by the strategic partnerships of the International Organization of Standardization (ISO), the International Electrotechnical Commission (IEC), the International Telecommunication Union (ITU), and the World Trade Organization (WTO). Participation in these standards bodies has been voluntary, with a common goal of promoting global trading for all countries at all levels. Individual countries have gone further to establish governmental controls on business activities of corporations operating within their boundaries.
Over the past decade, the U.S. government has passed numerous industry-specific privacy acts and other regulations. Each has been intended to protect and support the business consumer. Consequently, internal and external audit groups are tasked with reviewing business processes and procedures to ensure that appropriate business controls are in place to mitigate risks to the business and the consumer.
The International Association of Internal Auditors (IIA) and the International Information Systems Audit and Control Association (ISACA) publish guidelines to assist members of these internal and external audit groups in establishing common controls and audit processes.
Despite numerous voluntary standards and guidelines in addition to regulatory mandates, corporations operating in the United States have been involved in notorious scandals in the early years of the twenty-first century. These scandals rocked global confidence in the U.S. public markets.
In the 1970s, the concern over internal controls related to financial reporting began to take shape as a result of the growth in bankruptcies and financial collapses such as Penn Central Railroad in 1970, the largest bankruptcy in U.S. history at that point in time. In 1976, a congressional investigation by the Moss and Metcalf committees recommended increased federal regulation in the areas of accounting and auditing. In 1977, the Foreign Corrupt Practices Act made bribes illegal and required corporations to keep extensive records of transactions for disclosure purposes.
By the mid-1980s, the savings and loan industry had collapsed. Congress looked at whether the government should take over the issuance of accounting standards and oversight of auditors. In 1986, the Committee of Sponsoring Organizations (COSO) examined how fraudulent financial management could be curtailed and how auditors could reduce the recognized gap between what auditors do and what the public expects. COSO published the first formalized guidelines for internal controls, known as Internal Control-Integrated Framework, described in more detail in Chapter 13. These voluntary industry guidelines were intended to help public companies become self-regulating and thus avoid the need for governmental regulation.
In 1991, the Federal Deposit Insurance Corporation Improvement Act (FDICIA) was enacted for the banking industry as a response to the savings and loan collapse. It introduced upper-management accountability through required management sign-offs.
However, when Enron and other major corporations failed in 2001 and 2002, the U.S. government moved swiftly to enact the most extensive corporate reforms of all in an effort to restore public confidence in U.S. business operations. The Sarbanes-Oxley Act of 2002 and its subsequent revisions have far-reaching impact on all corporations (foreign and domestic) doing business with the United States and on the technology groups supporting those businesses. This chapter will summarize the impact of Sarbanes-Oxley and other government- and industry-imposed regulations on information services departments.