Public companies are required to file several financial disclosure statements with the SEC. The most commonly filed forms are:
Form 10-K—Annual report
Form 10-Q—Quarterly report
Form 8-K—Current report
Form 10-K
A report that a public company must file with the U.S. Securities and Exchange Commission at the end of its fiscal year. It is a detailed and comprehensive report on the company's financial condition. Must be filed within 60-90 days after the end of the fiscal year.
Form 10-Q
A report that a public company must file with the U.S. Securities and Exchange Commission at the end of each fiscal quarter. It is a report on the company's financial condition at the end of its first three quarters in a fiscal year. Must be filed within 40-45 days after the end of each fiscal quarter.
Form 8-K
A report that a public company must file with the U.S. Securities and Exchange Commission. A company must file it within 4 days of experiencing a major event that affects shareholders and investors.
Public Company Accounting Reform and Investor Protection Act
More commonly known as the Sarbanes-Oxley Act (SOX) or Sarbox
SOX
to protect shareholders and investors from financial fraud
How many titles does SOX have?
11
Public Company Accounting Oversight Board (PCAOB) (Title I)
Establishes the Public Company Accounting Oversight Board (PCAOB). The PCAOB oversees the firms that audit public companies.
Auditor Independence (Title II)
Forbids auditors from providing some types of non-audit services to their clients.
Corporate Responsibility (Title III)
Requires corporations to create audit committees on their board of directors. The audit committee is responsible for hiring the corporation's outside auditors.
Enhanced Financial Disclosures (Title IV)
Enhances the amount of information that public companies must provide on their SEC filings. This section requires companies to report on internal controls that affect their financial reports.
Analyst Conflicts of Interest (Title V)
Establishes rules to make sure that securities analysts can give independent opinions about a public company's stock risk.
Commission Resources and Authority (Title VI)
Gives the SEC authority to discipline investment firms for unprofessional conduct. This section also gives the SEC additional funding to support its programs.
Studies and Reports (Title VII)
Requires the SEC to review public accounting firms. The SEC must do this at least every 3 years. This section also requires the SEC to issue reports about how the securities market operates.
Corporate and Criminal Fraud Accountability (Title VIII)
Imposes document retention requirements on companies and auditors. It protects whistleblowers, and also bans retaliation against employees who participate in fraud investigations. This section also imposes criminal penalties for violating SOX.
White-Collar Crime Penalty Enhancements (Title IX)
Requires CEOs and CFOs to certify that the company's financial reports fairly represent its financial condition. It creates criminal penalties for signing fraudulent statements.
Corporate Tax Returns (Title X)
Is a statement from Congress that strongly suggests that a CEO sign the federal income tax return of a corporation.
Corporate Fraud Accountability (Title XI)
Establishes criminal liability for certain types of fraud committed by corporate officers. It also increases penalties for some types of corporate crime.
Public Company Accounting Oversight Board (PCAOB)
oversees the audit of public companies, and ensures that audit reports for public companies are fair and independent
Under SOX, the PCAOB has several duties
-Register accounting firms that prepare audit reports for public companies.
-Establish standards for the preparation of audit reports.
-Conduct inspections of registered public accounting firms.
-Conduct investigations and disciplinary proceedings against registered public accounting firms.
-Perform other duties or functions necessary to carry out SOX.
-Enforce SOX compliance.
-Set a budget for the PCAOB, and manage its operations.
PCAOB member requirements
-to be individuals of integrity and reputation who have demonstrated commitment to the interests of investors and the public
-Be financially literate
-Only 2 members are allowed to be certified accountants
-No financial interests in an accounting firm
One of the main functions of the PCAOB is
to set standards for how auditors review public companies.
What standards has PCAOB created?
It has created standards related to auditing, ethics and independence, quality control, and attestation, which must be approved by the SEC
Generally Accepted Accounting Principles (GAAP)
the principles established by the Financial Accounting Standards Board (FASB). The SEC has recognized GAAP as authoritative and requires financial statements to be prepared in accordance with GAAP.
PCAOB's Auditing Standard
provides guidance on how an auditor performs an audit of a company's internal controls over financial reporting (ICFR).
What does the PCAOB address?
how to audit controls applied to a company's IT systems and processes where those systems and processes impact the production of the company's financial reports
SOX requires auditors and public companies to maintain audit papers for how long?
7 years
SOX certification provisions require executives to:
establish, maintain, and review certain types of controls for their company
SOX Section 302
requires CEOs and CFOs to certify a company's SEC reports.
What is the purpose of SOX Section 302?
to put executive management on notice of the company's financial condition.
Disclosure controls
the processes and procedures that a company puts in place to make sure that it makes timely disclosures to the SEC.
What should disclosure controls address?
must address any change in information that affects company resources.
Internal Controls
Internal controls are the processes and procedures that a company uses to provide reasonable assurance that its financial reports are reliable
What do internal controls address?
processes that protect the reliability of financial reports, whereas disclosure controls are broader.
SOX Section 906
imposes criminal liability for fraudulent certifications
Violations of SOX Section 906 can result in:
-up to $1 million in fines and/or imprisonment for up to 10 years
-if done willfully, a fine of up to $5 million and up to 20 years
SOX Section 404
requires a company's executive management to report on the effectiveness of the company's ICFR
Committee of Sponsoring Organizations (COSO)
a framework used to assess internal control systems
COBIT Framework
aims to help organizations create value from their IT assets
6 Key principles of COBIT:
Providing stakeholder value
Adopting a holistic approach
Understanding that governance is dynamic
Separating governance from management
Tailoring governance to the organization's needs
Covering the whole organization
GAIT methodology
helps auditors and companies scope Section 404 reviews of IT controls
GAIT has four main principles:
A top-down approach should be used to review risks and IT controls.
The review of risks and IT controls should be limited to financially significant systems, applications, or data.
IT controls and risks exist at various layers in an IT system (application, database, operating system, and network infrastructure).
IT processes should be mitigated by IT control objectives, not individual controls.
2 standards created by ISO and IEC
ISO/IEC 27001:2013, "Information Technology—Security Techniques—Information Security Management Systems—Requirements"
ISO/IEC 27002:2013, "Information Technology—Security Techniques—Code of Practice for Information Security Controls"
National Institute of Standards and Technology (NIST)
creates information security guidance for federal agencies
Security and Privacy Controls for Federal Information Systems and Organizations
"Security and Privacy Controls for Federal Information Systems and Organizations" states the minimum security controls that organizations should use to create an effective information security program.
SOX governance provisions include:
Independent directors
Audit committee
Conflicts of interest