Renda Economics Forum (人大经济论坛): Attachment Download

File name: The_Information_Content_of_Sarbanes-Oxley_in_Predicting_Security_Breaches.pdf
Download link: https://bbs.pinggu.org/a-3699850.html
English title:
"The Information Content of Sarbanes-Oxley in Predicting Security Breaches"
---
Author:
J. Christopher Westland
---
Year of latest submission:
2018
---
Abstract:
We investigated publicly reported security breaches of internal controls in corporate systems to determine whether SOX assessments are information bearing with respect to breaches which can lead to materially significant losses and misstatements. SOX Section 404 adverse decisions on effectiveness of controls occurred in 100% of credit card data breaches and around 33% of insider breaches. SOX 404 audits provided contrarian "effective" control decisions in 88% of situations where there was a control breach concerning a portable device. We found that management and SOX 404 auditors do not generally agree on the underlying internal control situation at any time; instead, the SOX 404 team was likely to discover material weaknesses and "educate" management and internal audit teams about the importance of these control weaknesses. SOX attestations were poor at identifying control weaknesses from unintended disclosures, physical losses, hacking and malware. Hazard and occupancy models showed that both SOX 302 and 404 section audits provided information on the frequency of breaches, with SOX 404 being three times as informative as section 302 reports. The hazard model found an expected 2.88% reduction in breaches when SOX 302 controls are effective; management "material weakness" attestations provided no information in this structural model, whereas there would be around a 1% increase in breach occurrence when there are significant deficiencies. SOX 404 attestations were the most informative, and a negative SOX 404 attestation is projected to increase the frequency of breaches by around 8.5%.
---
Classification:

Primary category: Quantitative Finance
Secondary category: General Finance
Category description: Development of general quantitative methodologies with applications in finance