
SOX

Sarbanes-Oxley Act — U.S. law requiring internal controls over financial reporting for public companies.

Sarbanes-Oxley (SOX), enacted after the Enron/WorldCom scandals, requires U.S. public companies to maintain and attest to internal controls over financial reporting. The security-relevant work is IT General Controls (ITGCs) — access management, change management, and operations — because they protect the integrity of the systems that produce financial statements. Annual external-auditor testing of these controls backs management’s required attestation.
