The Information Content of Sarbanes-Oxley in Predicting Security Breaches
J. Christopher Westland

TL;DR
This study evaluates how effectively Sarbanes-Oxley (SOX) assessments predict security breaches, revealing that SOX 404 audits are more informative than section 302 reports and highlighting discrepancies between management and auditors.
Contribution
It provides empirical evidence on the predictive power of SOX assessments regarding security breaches and compares the informativeness of different SOX sections.
Findings
SOX 404 audits are highly effective in identifying control weaknesses.
SOX 302 controls are associated with a 2.88% reduction in breaches.
Negative SOX 404 attestations correlate with an 8.5% increase in breach frequency.
Abstract
We investigated publicly reported security breaches of internal controls in corporate systems to determine whether SOX assessments are information bearing with respect to breaches which can lead to materially significant losses and misstatements. SOX Section 404 adverse decisions on effectiveness of controls occurred in 100% of credit card data breaches and around 33% of insider breaches. SOX 404 audits provided contrarian "effective" control decisions in 88% of situations where there was a control breach concerning a portable device. We found that management and SOX 404 auditors do not generally agree on the underlying internal control situation at any time; instead the SOX 404 team was likely to discover material weaknesses and "educate" management and internal audit teams about the importance of these control weaknesses. SOX attestations were poor at identifying control weaknesses…
