The Sarbanes-Oxley Act of 2002 requires publicly held companies to implement internal controls over their financial reporting, operations and assets, to evaluate the strengths and weaknesses of these internal controls in official documents filed with the SEC and to make regular disclosures concerning the viability of these controls and potential fraud or losses that may affect the company's financial position.
Because most companies' financial reporting and operations depend heavily on information technology, and because many corporate assets now exist in the form of critical data, SOX has significant information security implications for companies governed by the law. This paper covers the implementation, disclosure and ongoing evaluation of internal controls for SOX compliance with a focus on the role of IT, as well as the penalties for non-compliance.