
Sarbanes-Oxley Compliance and the RFI/RFP Process

In 2001, most of the world became familiar with Enron, an energy company from Houston, Texas. The
company gained notoriety as the largest bankruptcy up to that point, caused by irregular accounting
practices that bordered on fraud. Because of public outrage over this and several other accounting
scandals, such as WorldCom, which followed shortly after Enron, the United States federal law Sarbanes-Oxley
Act of 2002, commonly known as SOX, was enacted on July 30, 2002 (Addison-Hewitt Associates, 2006).
The law introduced major changes to the way public companies were to conduct and report their
business, and held upper management personally accountable for the information reported to
investors.

The law consists of eleven titles, six of which concern compliance, namely sections 302, 401, 404, 409,
802, and 906. Section 302, Corporate Responsibility for Incident Report, and section 404, Management
Assessment of Internal Controls, are very important to IT operations and are concerned with the accuracy,
privacy, and security of financial records. Cannon and Byers (2006) state that verification is the essence of
compliance and that it is simply a matter of ensuring that the company's processes are executed as intended.
Cannon and Byers (2006) recommend a four-step process for compliance: the first step in ensuring
compliance within the organization is to perform a compliance assessment. The next step is to create a
high-level corporate policy that can be adapted by individual departments to meet their needs. The third
step is to use technology to automate compliance with the law. Finally, procedures should be evaluated
through regular review and auditing. However, real-life compliance with various laws is not
clear-cut.
Depending on the nature of the business, in addition to SOX, the Health Insurance Portability and
Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS) may need to be
considered. If a company does business in the European Union (EU), it may be required to comply
with the European Union Data Protection Directive (EUDPD). All these laws and compliance requirements, on
top of the previously required Generally Accepted Privacy Principles (GAAP), may force companies to seek
alternatives.
Many organizations view Government Required Compliance (GRC) as an overwhelming task with little
return and, as a result, may choose to outsource some or all of their compliance requirements to an
outside provider. As an example, Capital Automotive REIT, a real estate investment trust, decided to
outsource all of its IT operations to an outside company, Alteritech, which ensured SOX compliance for
Capital Automotive REIT (Allbusiness, 2005).
When deciding to outsource some or all IT operations, public companies must be aware of GRC and
should dedicate the required time to perform a needs analysis against the business plan. This will ensure a
clear understanding of what the organization is trying to achieve and why, and, among other things, upper
management's buy-in. Once identified, requirements should be briefly stated within a Request for
Information (RFI), Request for Proposal (RFP), or Request for Quote (RFQ). Within the RFI, RFP, and RFQ, the
client organization should specify its requirements for SOX compliance, such as an audit of the vendor's
internal information controls, oversight procedures, and problem resolution. Consequently, the
outsourcing supplier should spell out its organization's implementation of SOX compliance policies
within the information package or proposal sent to the potential customer. As stated earlier,
compliance requires validation; however, validation of SOX compliance with a third-party provider requires
greater effort because the company distances itself from IT operations through large-scale outsourcing
(Hall and Liedtka, 2007).
When outsourcing large-scale IT operations, it is important to make sure that security and compliance
with various laws and regulations are considered. Organizations may decide to adopt and adapt
internationally accepted standards in order to deal with their IT security management. Axelrod (2004)
suggests following the CISSP body of knowledge, which defines ten security classifications. In addition, the
newer version of the ISO 17799 standard, ISO 27002, can be used as well. This standard deals broadly with
security for electronic files, paper documents, all types of communication, and business continuity planning.
Companies may also decide to use Control Objectives for Information and related Technology (COBIT),
which provides a framework of generic management principles that an organization may adapt to its own
unique needs.
Axelrod (2004) combined CISSP and ISO 17799 into ten security considerations, namely:

Security Management Practices covers various security management aspects, including, among other
things, personnel, physical and emotional security.

Asset Management Practices discusses the importance of data classification and protection when
considering IT outsourcing. Data theft, and identity theft in particular, has been a regular headline in
recent times, with thieves stealing thousands of sensitive records. As an example, consider a 2005 case,
when CardSystems Solutions, a third-party processor of credit cards and other payments for banks and
merchants, had its network hacked and 40 million credit card accounts stolen and sold all over the
world (CCRC, 2005).

Application and System Development provides an overview of what happens during application and
system development outsourcing. Currently, there is a movement towards educating software developers
on security aspects in order to improve application security from the bottom up
(North, North, and North, 2009).

Operations Security and Operations Risk involves controlling processes and making sure that the
third party to which the task is outsourced follows the set standards. Government laws and regulations
are increasingly mandating these standards.

Security Models and Architecture presents a solid foundation upon which the rest of the processes can be
built, and includes an architecture framework and a set of industry-accepted design standards and
implementation adaptations by the organization.

Physical and Environmental Security is by far the strongest security measure for the organization, and
current trends show companies integrating logical and physical security in order to provide
complete environmental security (Axelrod, 2004).

CxT Group Michigan, 2415 E. Hammond Lake Drive, Ste. 219, Bloomfield Hills, MI 48302. Contact No: (248) 282-5599. Toll Free: (877) 439-2539

Telecommunications and Network Security describes various aspects of communication lines and
network security, including such activities as wire-tapping and induction loops. Axelrod (2004) also
describes the convergence of voice and data providers into a single carrier, and discusses the risks of
relying on a single vendor.

Cryptography provides an extra level of protection to messages sent and received, keeping them from
being viewed by the wrong eyes. There are three types of cryptographic algorithms, namely: (1) Secret Key
Cryptography (SKC); (2) Public Key Cryptography (PKC); and (3) hash functions. By far the most
popular is PKC, though not without problems.

Disaster Recovery and Business Continuity: organizations big and small, private, public and
government must do everything in their power to avert and defend against disasters, whether man-made or
acts of God. However, statistical probabilities dictate that some events cannot be prevented, and
organizations need to be prepared to contain the damage and be able to proceed with business as
usual. Hall and Liedtka (2007) describe a case of the Montreal Urban Community, which was not able to
perform any business functions for two months as it was switching from one outsourcing vendor
to another. The success of a Business Continuity Plan is based on a thorough and accurate
security risk assessment; risk cannot be mitigated if it is not defined (Carlson, n.d., p. 13). ISO/IEC 17799
requires an organization to:
identify and prioritize its business processes;
identify and assess possible security risks that could threaten business operations;
estimate the likelihood of the risk exposure; and
analyze the impact that the risk can have on the business, including operational interruptions,
slowdowns, or shutdowns.

Legal Action: Axelrod (2004) suggests consulting a lawyer at the beginning of an outsourcing
relationship in order to ensure proper contract negotiations. In addition, if problems do arise, legal
advice will be necessary.
Since 2002, many companies, including Microsoft, have been creating compliance software applications
aimed at helping companies manage their policies. Microsoft Operations Framework (MOF) is an IT control
framework that allows companies to avoid overlapping efforts in addressing common IT control
objectives (Microsoft, 2008). As stated earlier in the paper, SOX was created as the government's response
to the rising number of investor and government frauds by a few crooked corporate citizens. As a result, all
public organizations must comply with the law in order to avoid investor losses and rebuild investor
confidence. However, a company that is able to exhibit its full compliance with various GRCs may gain a
competitive advantage, as other compliant companies would prefer doing business with another GRC-compliant
company. Organizations may also include their GRC status in marketing material.
References
Addison-Hewitt Associates. (2006). Sarbanes-Oxley Act 2002. Retrieved June 12, 2010, from
www.soxlaw.com/
All Business. (2005, March 14). Capital Automotive REIT Outsources Information Technology
Management to Alteritech. Retrieved June 13, 2010, from
www.allbusiness.com/banking-finance/financial-markets-investing/5038651-1.html
Cannon, J. C., & Byers, M. (2006, September). Compliance Deconstructed. ACM Queue, 30-38.
Carlson, T. (n.d.). Information Security Management: Understanding ISO 17799. Lucent Technologies
Worldwide Services.
CCRC Staff. (2005, July 08). Russia, Biggest Ever Credit Card Scam. Computer Crime Research Center.
Retrieved June 14, 2010, from www.crime-research.org/news/08.07.2005/1349/
Hall, J. A., & Liedtka, S. L. (2007). The Sarbanes-Oxley Act: Implications for Large-Scale IT
Outsourcing. Communications of the ACM, 50(3), 95-100.
Microsoft. (2008). IT Compliance Management Guide. Redmond, WA: Microsoft.
North, M. M., North, S. M., & North, M. M. (2009, April). Security from the Bottom-up: Compliance
Regulations and the Trend towards Design-oriented Web Applications. CCSC: South Central Conference (pp.
65-71). Atlanta: ACM.

