Abstract

How effective is compliance with the Sarbanes-Oxley Act (SOX) in identifying and eliminating firm threats from information systems breaches? We investigated publicly reported security breaches of internal controls in corporate systems to determine whether SOX assessments are information bearing with respect to breaches that can lead to materially significant losses and misstatements. The results of our tests varied significantly between breach types. SOX Section 404 adverse decisions on effectiveness of controls occurred in 100% of credit card data breaches and around 33% of insider breaches. SOX 404 audits provided a contrarian “effective” control decision in 88% of situations where there was a control breach concerning a portable device. This suggests that employees are subverting particularly strict internal controls by using portable devices that can be carried outside the physical boundaries of the firm. We found that management and SOX 404 auditors do not generally agree on the underlying internal control situation at any time. Instead, the SOX 404 auditors were likely to discover material weaknesses and “educate” management and internal audit teams about the importance of these control weaknesses. SOX attestations were poor at identifying control weaknesses from unintended disclosures, physical losses, hacking and malware, stationary devices, and situations where the cause of the breach was unknown. Hazard and occupancy structural models were constructed to extrapolate to a larger population. Results showed that both SOX 302 and 404 audits provided information germane to the frequency of breaches, with SOX 404 being three times as informative as Section 302 reports. The hazard model found an expected 2.88% reduction in breaches when SOX 302 controls were effective. Management's “material weakness” attestations provided no information in this structural model, whereas there would be around a 1% increase in breach occurrence when there exist significant deficiencies. SOX 404 attestations were the most informative; a negative SOX 404 attestation is projected to increase the frequency of breaches by around 8.5%. We concluded that the strength of internal controls attested in SOX reports is likely to be a significant factor in the occurrence of a security breach in a specific period.
