The Information Content of Sarbanes-Oxley in Predicting Security Breaches
Posted: 25 Jul 2017
Date Written: July 22, 2017
How effective is compliance with the Sarbanes-Oxley Act (SOX) in identifying and eliminating firm threats from information systems breaches? We investigated publicly reported security breaches of internal controls in corporate systems to determine whether SOX assessments are information bearing with respect to breaches which can lead to materially significant losses and misstatements. The results of our tests varied significantly between breach types. SOX Section 404 adverse decisions on effectiveness of controls occurred in 100% of credit card data breaches and around 33% of insider breaches. SOX 404 audits provided a contrarian “effective” control decisions on 88% of situations where there was a control breach concerning a portable device. This suggests that employees are subverting particularly strict internal controls by using portable devices that can be carried outside the physical boundaries of the firm. We found that management and SOX 404 auditors do not general agree on the underlying internal control situation at any time; instead the SOX 404 team was likely to discover material weaknesses and “educate” management and internal audit teams about the importance of these control weaknesses. SOX attestations were poor at identifying control weaknesses from unintended disclosures, physical losses, hacking and malware, stationary devices, and situations where the cause of the breach was unknown. Hazard and occupancy structural models were constructed to extrapolate to a larger population; results showed that both SOX 302 and 404 section audits provided information germane to the frequency of breaches, with SOX 404 being three times as informative as section 302 reports. The hazard model found an expected 2.88% reduction in breaches when SOX 302 controls are effective; management “material weakness’ attestations provided no information in this structural model, whereas there would be around a 1% increase in breach occurrence when there are significant deficiencies. SOX 404 attestations were the most informative, and a negative SOX 404 attestation is projected to increase the frequency of breaches by around 8.5%. We concluded that the strength of internal controls attested in SOX reports is likely to be a significant factor in the occurrence of a breach at a firm in a specific period.
Keywords: Sarbanes-Oxley, Security Breaches, Internal Control, Auditing
JEL Classification: M14, M45
Suggested Citation: Suggested Citation