As computers proliferated in the heyday of the 1980s and 1990s, internal controls over IT did not keep pace with rapidly changing infrastructure architectures. However, the tightening of internal controls that began with financial reporting has since expanded to include IT, and rightfully so.
Now, in addition to Sarbanes-Oxley, Gramm-Leach-Bliley, SB 1386, HIPAA, and other regulations, further requirements are coming. As of 2006, over 30 U.S. state and federal laws were pending. With identity theft nearing crisis proportions, data protection and privacy are pressing topics for legislators.
The increased regulatory requirements are raising awareness among senior corporate management, and information security is gaining serious visibility as a result. Most companies now realize that they previously had little understanding of their exposures, and they admit that they need to make a conscious effort to identify their risks and take definitive measures to address them.
Auditing Standard No. 2: "An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements" (effective June 17, 2004), http://www.pcaobus.org.
California State Senate, http://www.info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html.
Federal Reserve Board, Basel II Capital Accord, http://www.federalreserve.gov/generalinfo/basel2.
Federal Trade Commission, http://www.ftc.gov/privacy/privacyinitiatives/glbact.html.
FFIEC Information Technology Handbook, http://www.ffiec.gov.
Ford, Paul, "Sarbanes-Oxley and the Global Capital Market," Simpson Thacher & Bartlett, New York, 2004.
"Implications of Sarbanes-Oxley on IT Departments," Seminar and Panel Discussion, Baylor University, Waco, TX, April 15, 2004.
International Accounting Standards Board, http://www.iasb.org.
International Organization for Standardization, ISO-Overview, February 2004, http://www.iso.org.
IT Governance Institute, IT Control Objectives for Sarbanes-Oxley: The Importance of IT in the Design, Implementation and Sustainability of Internal Control Over Disclosure and Financial Reporting, Rolling Meadows, IL, 2004, http://www.isaca.org.
IT Governance Institute, CoBIT, Committee of Sponsoring Organizations of the Treadway Commission (COSO), Rolling Meadows, IL, July 2000, http://www.coso.org.
"Implications of Proposed Auditing Standard on Internal Control," KPMG's Defining Issues, KPMG, No. 03-22, October 2003, http://www.us.kpmg.com/RutUS_prod/Documents/12/1921810Alert0322.pdf.
McDowall, Bob, "U.S. Approach to Corporate Governance Looks Set to be Introduced in Europe," http://www.it-analysis.com.
Mishkin, Frederic S., "Evaluating FDICIA," Federal Reserve Bank of New York, Graduate School of Business, Columbia University, and National Bureau of Economic Research, December 1996, http://www.0.gsb.columbia.edu/faculty/fmishkin/PDFpapers/FDICIA96.pdf.
Office of the Privacy Commissioner of Canada, Personal Information Protection and Electronic
Payment Card Industry Data Security Standard, Version 1.0, December 15, 2004, © 2004 Visa U.S.A., Inc., http://www.usa.visa.com/download/business/accepting_visa/ops_risk_management/
Protiviti, Inc., Guide to the Sarbanes-Oxley Act: IT Risks and Controls, Frequently Asked Questions, December 2003.
Public Company Accounting Oversight Board, "An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements," Final Auditing Standard, Release No. 2004-001, March 9, 2004.
Sarbanes-Oxley Act 2002, U.S. Securities and Exchange Commission (effective July 30, 2002), http://www.sec.gov/about/laws/soa2002.pdf.
"Sarbanes-Oxley: A Focus on IT Controls," ISACA SOX-IT Symposium, Chicago, IL, April 7, 2004.
"Sarbanes-Oxley Financial Rules Will Challenge IS Organizations," Gartner FirstTake, Gartner Research, May 30, 2003.
"Sarbanes-Oxley Section 404 Compliance for Information Technology Managers," Auditnet.org.
"SEC Extends Sarbanes-Oxley Section 404 Deadlines," E-Compliance Advisor, March 12, 2004, http://www.advisor.com.
"Section 302 Corporate Responsibility for Financial Reports," RSM McGladrey, 2003, http://www.rsmmcgladrey.com.
"Section 906, Corporate Responsibility for Financial Reports," University of Cincinnati College of Law, 2002.
"The Clock Ticks on Sarbanes-Oxley Section 404," Financial Executives International, May 15, 2004, http://www.fei.org.
Trainor, Ed, "Do the Right Thing! Making Sense of Sarbanes-Oxley," SIM publication, 2003.
U.S. Department of Health & Human Services, Office of Civil Rights, HIPAA, http://www.hhs.gov/ocr/hipaa/privacy.html.
Van Ecke, Patrick, "EMC Centera: Corporate Governance in the European Union, Enhancing Credibility," Belgium, April 2005, http://www.bitpipe.com/detail/RES/1118421898_858.html.