Computer Ethics

Readings

Sarbanes-Oxley Act of 2002 (H.R. 3763)

The following are pertinent excerpts from the Act:

SEC. 302. CORPORATE RESPONSIBILITY FOR FINANCIAL REPORTS.

(a) REGULATIONS REQUIRED- The Commission shall, by rule, require, for each company filing periodic reports under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m, 78o(d)), that the principal executive officer or officers and the principal financial officer or officers, or persons performing similar functions, certify in each annual or quarterly report filed or submitted under either such section of such Act that--

(1) the signing officer has reviewed the report;

(2) based on the officer's knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading;

(3) based on such officer's knowledge, the financial statements, and other financial information included in the report, fairly present in all material respects the financial condition and results of operations of the issuer as of, and for, the periods presented in the report;

(4) the signing officers--

(A) are responsible for establishing and maintaining internal controls;

(B) have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared;

(C) have evaluated the effectiveness of the issuer's internal controls as of a date within 90 days prior to the report; and

(D) have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date;

(5) the signing officers have disclosed to the issuer's auditors and the audit committee of the board of directors (or persons fulfilling the equivalent function)--

(A) all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer's ability to record, process, summarize, and report financial data and have identified for the issuer's auditors any material weaknesses in internal controls; and

(B) any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls; and

(6) the signing officers have indicated in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.

SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS.
(a) RULES REQUIRED.

The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall—

(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

(b) INTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement. 15 USC 7262.

SEC. 406. CODE OF ETHICS FOR SENIOR FINANCIAL OFFICERS.

(a) CODE OF ETHICS DISCLOSURE- The Commission shall issue rules to require each issuer, together with periodic reports required pursuant to section 13(a) or 15(d) of the Securities Exchange Act of 1934, to disclose whether or not, and if not, the reason therefor, such issuer has adopted a code of ethics for senior financial officers, applicable to its principal financial officer and comptroller or principal accounting officer, or persons performing similar functions.

(b) CHANGES IN CODES OF ETHICS- The Commission shall revise its regulations concerning matters requiring prompt disclosure on Form 8-K (or any successor thereto) to require the immediate disclosure, by means of the filing of such form, dissemination by the Internet or by other electronic means, by any issuer of any change in or waiver of the code of ethics for senior financial officers.

(c) DEFINITION- In this section, the term `code of ethics' means such standards as are reasonably necessary to promote--

(1) honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships;

(2) full, fair, accurate, timely, and understandable disclosure in the periodic reports required to be filed by the issuer; and

(3) compliance with applicable governmental rules and regulations.

(d) DEADLINE FOR RULEMAKING- The Commission shall--

(1) propose rules to implement this section, not later than 90 days after the date of enactment of this Act; and

(2) issue final rules to implement this section, not later than 180 days after that date of enactment.

SEC. 802. CRIMINAL PENALTIES FOR ALTERING DOCUMENTS.

(a) IN GENERAL- Chapter 73 of title 18, United States Code, is amended by adding at the end the following:

`Sec. 1519. Destruction, alteration, or falsification of records in Federal investigations and bankruptcy

`Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.

`Sec. 1520. Destruction of corporate audit records

`(a)(1) Any accountant who conducts an audit of an issuer of securities to which section 10A(a) of the Securities Exchange Act of 1934 (15 U.S.C. 78j-1(a)) applies, shall maintain all audit or review workpapers for a period of 5 years from the end of the fiscal period in which the audit or review was concluded.

`(2) The Securities and Exchange Commission shall promulgate, within 180 days, after adequate notice and an opportunity for comment, such rules and regulations, as are reasonably necessary, relating to the retention of relevant records such as workpapers, documents that form the basis of an audit or review, memoranda, correspondence, communications, other documents, and records (including electronic records) which are created, sent, or received in connection with an audit or review and contain conclusions, opinions, analyses, or financial data relating to such an audit or review, which is conducted by any accountant who conducts an audit of an issuer of securities to which section 10A(a) of the Securities Exchange Act of 1934 (15 U.S.C. 78j-1(a)) applies. The Commission may, from time to time, amend or supplement the rules and regulations that it is required to promulgate under this section, after adequate notice and an opportunity for comment, in order to ensure that such rules and regulations adequately comport with the purposes of this section.

`(b) Whoever knowingly and willfully violates subsection (a)(1), or any rule or regulation promulgated by the Securities and Exchange Commission under subsection (a)(2), shall be fined under this title, imprisoned not more than 10 years, or both.

`(c) Nothing in this section shall be deemed to diminish or relieve any person of any other duty or obligation imposed by Federal or State law or regulation to maintain, or refrain from destroying, any document.'.

How Does IT Involve Itself with Sarbanes-Oxley Compliance?

From a white paper published by PricewaterhouseCoopers: "How to move your company to sustainable Sarbanes-Oxley compliance - from project to process." Available at: http://www.pwc.com. Downloaded September 15, 2005.

"No single technology solution achieves all of these benefits. Instead, companies will want to combine several types of functionality—some of which are available in their current technology environment and others that they will acquire. These include:

  • A company’s core processing systems (such as their ERP and HR systems)
  • Enhancement of controls around the core processing systems (such as tools that help with segregation of duties and process integrity)
  • A company’s core IT infrastructure (such as tools that help with user access, identity management and monitoring IT change management)
  • Data integration capabilities (such as databases and XBRL and web services)
  • Process automation and monitoring systems (such as business process management platforms)
  • Compliance reporting tools (such as business intelligence and corporate reporting platforms)
  • Compliance management tools (such as incident, learning or document management and work flow systems)

A significant issue emerging from first year Sarbanes-Oxley efforts is the ineffective use of technology. Going forward, the CICO must involve the IT department in proactively identifying opportunities—based on clearly defined compliance processes—to leverage technology, both to improve controls and to enable an effective Sarbanes-Oxley program. Using technology to automate controls and manage the compliance process enables:

  • Improvement in the quality of information and speed of delivery
  • Assurance that compliance steps (e.g., testing) are performed in accordance with the program design
  • Identification and management of events in a consistent and auditable manner
  • Accountability in the management and reporting of events through a “closed loop” environment"

Last updated: August 9, 2007. Computer Ethics is a course taught in the CS/IS Department at Kennesaw State University, Kennesaw, Georgia. Opinions expressed on this Web site are those of the author, Ann K. Moceyunas. Certain Portions Copyright © 1996 -2007 Moceyunas P.C. All rights reserved. Have Questions? Contact Ann Moceyunas at ann@moceyunas.com.