
SOX program management, a decade later

Posted on September 20, 2013 in Articles

In 2002, a country shocked by the financial scandal of Enron and Arthur Andersen reacted by passing sweeping legislation designed to prevent the recurrence of widespread financial reporting fraud that distorts information relied upon by investors. This legislation, the Sarbanes-Oxley Act (SOX), outlined strict controls that publicly traded companies must follow to ensure the accuracy of their financial reports and made Chief Executive Officers and Chief Financial Officers personally responsible for the accuracy of those statements.

Information security professionals may have missed the initial announcement of Sarbanes-Oxley, thinking that it was purely a problem for the accountants. Their minds were quickly changed, however, when auditors pointed out the provisions of SOX Section 404, which required that independent auditors perform an assessment of the company's internal controls designed to ensure the integrity of the data used to generate financial reports. They quickly realized that these provisions meant that auditors would, sometimes for the first time, be carefully evaluating the appropriateness and correctness of information security controls. This resulted in a significant burden for companies of all sizes, but it disproportionately affected smaller businesses, which were expected to meet the same level of scrutiny as Fortune 500 companies.

Published September 2013 on SearchSecurity.com
