What effect does the Act have on the IT profession and/or ISACA members?
IT professionals, especially those in executive positions, need to become well versed in internal control theory and practice to meet the requirements of the Act. CIOs must take on the challenges of (1) enhancing their knowledge of internal control, (2) understanding their company’s overall Sarbanes-Oxley compliance plan, (3) developing a compliance plan to specifically address IT controls, and (4) integrating this plan into the overall Sarbanes-Oxley compliance plan.

The Act sections of greatest concern to IT professionals are sections 404 and 409. Section 404 reads as follows:

Management Assessment of Internal Controls

a. RULES REQUIRED—The Commission shall prescribe rules requiring each annual report required by section 13 of the Securities Exchange Act of 1934 (15 U.S.C. 78m) to contain an internal control report, which shall:

1. State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and