Exam (elaborations): CHAPTER 2.
25 pages, grade A+, uploaded on 07-03-2023, written in 2022/2023.

Content preview

CHAPTER 2
Fundamental Governance Concepts and Sarbanes-Oxley Rules
AS WE DISCUSSED IN CHAPTER 1, the term enterprise IT governance is
not new, but it is a concept that has meant different things to different
people. The concept of enterprise governance has been evolving over recent
years, at least in the United States. In response to recurring cycles of
business frauds and failures, particularly in the latter decades of the past
century, there has been increased emphasis on strengthening enterprise codes
of conduct and establishing what are called corporate ethics departments.
This author became involved in corporate governance issues when he directed
the internal audit function for a large U.S. corporation and was asked to
chair a task force that led the company in revising many internal rules,
rewriting its code of conduct, and establishing an ethics function, in
response to a major threat of litigation involving consumer fraud. Strong
enterprise governance practices were established for that company, although
they emphasized general operations and placed little emphasis on IT systems
and operations.
Enterprise governance issues became increasingly important in the first
years of this century, when the United States experienced a series of major
corporate failures that were generally caused by accounting misdeeds and
financial fraud. The notorious poster child of this period was the energy
and commodities trading firm Enron. Its sudden and unexpected collapse
resulted from financial fraud and sent several of its executives to prison.
Enron's failure precipitated passage of the Sarbanes-Oxley Act (SOx) in the
United States, as well as similar requirements elsewhere in the world. The
sections that follow provide an overview of SOx's internal control and
governance legislation.
The general governance concepts that were discussed in Chapter 1 take a
somewhat different direction when we introduce information technology
(IT) concepts and systems into the mix. Many of our general management
governance concepts were established, and to a degree perfected, during the
last half of the twentieth century. Standards were established, as were
working practices between management, external auditors, and regulators.
In addition to our overview of SOx concepts, this chapter provides a
high-level review of IT governance issues, including IT-related enterprise
risk, security, and legislative issues. The chapter discusses some of the
internal and external threats that affect enterprise IT governance
processes, as well as some of the characteristics of effective IT governance
in the enterprise. It surveys both general and specific IT governance
concepts as they apply to today's senior manager. Many of these concepts
are referenced and discussed in greater detail in later chapters on
specific topics.

SARBANES-OXLEY ACT

The Sarbanes-Oxley Act is a U.S. law enacted in 2002 to improve public company financial
reporting, auditing, and enterprise governance processes. It first had a major impact on businesses
in the United States and is now recognized worldwide. Although SOx's auditing and internal
control rules have directly changed many external auditor and financial practices, SOx has
also had a major impact on IT governance. A general understanding of SOx, with an emphasis
on its Section 404 internal accounting control rules, is a key knowledge requirement for all
senior managers.
SOx became a U.S. law in response to a series of accounting misdeeds and financial failures at
such once-major corporations as Enron and WorldCom. SOx has caused major changes that have
affected corporate governance, accounting, and financial reporting audit processes, first in the
United States and now worldwide. Although SOx is a comprehensive piece of legislation with
many components, most business and auditor attention has focused on the SOx Section 404
internal control attestation rules. These internal control audit procedures required a major
effort, and caused considerable concern, as corporations began to establish compliance with SOx. This
section provides a high-level overview of SOx today, with an emphasis on Section 404 and
the rules that are most important for IT governance. We summarize SOx
requirements for reviews of internal accounting controls and summarize the relatively new
external auditing standard, Auditing Standard No. 5 (AS5, issued in 2007), which takes a more
risk-based auditing approach while still emphasizing the importance of financial reporting
internal control reviews. All senior enterprise managers should have a general knowledge and
understanding of SOx internal control rules.
Sarbanes-Oxley Act Key IT Governance Elements
The official name of SOx is the Public Company Accounting Reform and Investor Protection Act. It
was signed into law on July 30, 2002, with most of the final detailed rules and regulations released
by the end of the following year. Because its title is a bit long, business professionals refer to it as
the Sarbanes-Oxley Act, after the names of its principal congressional sponsors. Most generally refer
to it today as SOx, SOX, or Sarbox, among many other variations.
SOx fundamentally changed external auditing processes and gave new
governance responsibilities to senior executives and board members. SOx also established the
Public Company Accounting Oversight Board (PCAOB), a standard-setting body overseen by the
Securities and Exchange Commission (SEC) that issues auditing standards for public company
audits and inspects and disciplines registered external audit firms. As with all financial and
securities-related federal laws, an extensive set of specific regulations and administrative rules
has been developed by the SEC based on the SOx legislation.
U.S. federal laws are organized and issued as separate sections of legislation called Titles, with
numbered sections and subsections under each. Much of the SOx legislation contains rules that
are not that significant for many business professionals. For example, Section 307 of Title III
directs the SEC to issue rules setting minimum professional conduct standards for attorneys
appearing and practicing before the SEC. While perhaps good to know, this has no enterprise
management or IT governance impact. Exhibit 2.1 summarizes the major titles or sections of
SOx, although our focus will be only on SOx's Titles I and IV. Our intent is not to describe all
sections of SOx or to reproduce the full text of this legislation (it can be found on the Web),
but to highlight the portions of the law that are more significant to interested business
professionals. We will start with a discussion of SOx's Title I, the PCAOB, and the Section
404 rules.




EXHIBIT 2.1 Sarbanes-Oxley Act Key Provisions Summary

Section  Subject                                Rule or Requirement
101      Establishment of PCAOB                 Overall rules for the establishment of the PCAOB,
                                                including its membership requirements.
104      Accounting Firm Inspections            Schedule for PCAOB inspections of registered public
                                                accounting firms.
108      Auditing Standards                     The PCAOB will accept current auditing standards but
                                                will issue its own new standards.
201      Out of Scope Practices                 Outlines prohibited accounting firm practices such as
                                                internal audit outsourcing, bookkeeping, and
                                                financial systems design.
203      Audit Partner Rotations                The audit partner and the reviewing partner must
                                                rotate off an assignment every 5 years.
301      Audit Committee Independence           All audit committee members must be independent
                                                directors.
302      Corporate Responsibility for           The CEO and CFO must personally certify their
         Financial Reports                      periodic financial reports.
305      Officer and Director Bars              If compensation is received as part of fraudulent or
                                                illegal accounting, the benefiting officer or director
                                                is required to personally reimburse the funds received.
404      Internal Control Reports               Management is responsible for an annual assessment of
                                                internal controls.
407      Financial Expert                       One audit committee director must be a designated
                                                financial expert.
408      Enhanced Review of Financial           The SEC may schedule extended reviews of reported
         Disclosures                            information based on certain specified factors.
409      Real-Time Disclosure                   Financial reports must be distributed in a rapid and
                                                current manner.
1105     Officer or Director Prohibitions       The SEC may prohibit an officer or director from
                                                serving in another public company if guilty of a
                                                violation.
