that to their knowledge the filed reports do not contain any untrue statement or omission and that they represent the true financial condition of the company. They are personally responsible for the report and can even go to jail if a few years down the line the company needs to restate financial reports (as has been done often in the past few years) as a result of improper information presented in financial reports—especially if they cannot prove that they took enough steps to try to ensure that the information was correct.
SOX is a detailed document, and you don't really need to read the whole of it. The most important section (and the one most IT people focus on) is Section 404, which requires management to report on the effectiveness of the company's internal control over financial reporting. This section requires management's development and monitoring of procedures and controls for making assertions about the adequacy of internal controls over financial reporting. Furthermore, it is management's responsibility and cannot be delegated or abdicated, so they also need to understand what is being audited and monitored, and how control is enforced (i.e., they cannot just be told that everything is okay). It goes even further: management has to document and evaluate the design and operation of, and report on the effectiveness of, its internal controls. Management has to document the framework used, assess its effectiveness, publish any flaws and weaknesses, and do all of this within the annual report published to investors. This boils down to the need for visibility, transparency, and segregation of duties.
11.1.4 California Senate Bill 1386
In September 2002, the Governor of California signed Senate Bill 1386 into effect. Among other things, SB 1386 mandates that:

. . . operative July 1, 2003, . . . a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. . . . For purposes of this section, "breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the agency.