Corporate Governance, Internal Control and Compliance - - From an Information Security Perspective

REPORT Published


Executive Summary
Corporate Governance, the system that directs and controls corporations, shall provide transparency, accountability and control of the entity's processes to the different stakeholders. The need to guarantee transparency to companies' stakeholders increased substantially after the U.S. Congress enacted the Sarbanes-Oxley Act (SOX) on July 30, 2002. The most discussed section of SOX is Section 404. It calls for the creation and maintenance of viable internal controls, defined as a broad concept extending beyond the accounting function of a company.
The U.S. Securities and Exchange Commission requires companies to base their assessment on a suitable and recognized internal control framework (i.e. COSO-ERM). A challenge is to integrate COSO-ERM with other standards and frameworks, for instance the Service Management standard ISO 20000, the Information Security standard ISO 27001 and in-house developed frameworks (for example a Security Architecture).
COSO-ERM, ISO 20000 and ISO 27001 each provide guidance for their own stand-alone implementation. Although they overlap in some topics, there is an inevitable gap between them because they aim towards different goals. Integrating them therefore becomes a challenge, since there is a lack of information on their combined use. This situation causes confusion and difficulty in most organizations where several of these standards have to be implemented simultaneously.
The most appropriate option for identifying the IT gaps between COSO-ERM, ISO 20000, ISO 27001 and the Security Architecture is to use the COBIT framework as the 'Plumber'. The Plumber approach 'tailors' a selection of COBIT controls to pre-existing standards and frameworks. Unnecessary work can consequently be avoided; COBIT is only utilized where gaps are detected between COSO-ERM, ISO 20000, ISO 27001 and an internal framework such as a Security Architecture.
No area of U.S. SOX has generated more controversy than Section 404 (covering the creation and maintenance of viable internal controls). One reason is the harsh criminal penalties that Section 404 imposes if there is 'more than a remote likelihood' that a material misstatement could occur. Today, there are strong commercial forces behind suggested changes to SOX and Section 404. These proposals would change the probability threshold for the detection of control weaknesses from 'more than remote likelihood' to 'reasonably possible' that a material misstatement could occur. The recommendation is that scoping materiality is generally defined, as before SOX, in terms of a five percent pre-tax income threshold.