Information Technology ("IT") is an essential component in financial business transactions and ranges from hardware, such as computers and databases, to applications, such as trading and reporting systems. (1) Data maintained in these systems are critical to bank operations, including regulatory and financial reporting, that impact financial statements. (2) System failures and disruptions may lead to financial misstatements, resulting in shareholders and investors obtaining inaccurate information, which can lead to potential securities violations and lawsuits. (3)
As a result of the 2008 financial crisis, Congress passed The Wall Street Reform and Consumer Protection Act (4) ("Dodd-Frank Act") for financial regulatory reform in July 2010. The Dodd-Frank Act is complex and requires more transparency, communication, and disclosure by banks. (5) For example, the Federal Reserve is now responsible for overseeing and gathering data from financial firms in order to stabilize the market when necessary. (6) However, this reform will be impossible without incorporating IT compliance standards to ensure complete and reliable information and data. (7) Although many banks currently have IT controls in place, these controls must be enhanced in order to mitigate substantial risks. Furthermore, weak system controls can result in fines, lawsuits, disruption in the market, or even the collapse of a company. Hence, with an increase in financial data requirements and the importance of information accuracy, a strong IT control environment and strict IT policies are essential to mitigate financial and legal risks.
II. LEGISLATIVE HISTORY OF FINANCIAL REGULATIONS
A. Financial Regulations--Historical Context
The financial industry is governed by many regulatory agencies, including the Federal Reserve System (8) ("Fed"), U.S. Securities and Exchange Commission (9) ("SEC"), Financial Industry Regulatory Authority (10) ("FINRA"), and U.S. Commodity Futures Trading Commission (11) ("CFTC"). Financial companies are required to strictly comply with financial regulations, which were first introduced in the Securities Act of 1933 (12) ("1933 Act"). The 1933 Act was primarily concerned with public offerings of securities, to prevent fraud and federally regulate the financial industry in response to the 1929 stock market crash that occurred during the Great Depression. (13) One year later, the government enacted the Securities Exchange Act of 1934 (14) ("1934 Act"), primarily governing the secondary trading market and establishing the SEC. (15) Furthermore, the Banking Act of 1933 (16) ("Glass-Steagall Act") was enacted to reform banking control issues and established the Federal Deposit Insurance Corporation ("FDIC"). (17) However, in 1999, Congress passed the Financial Services Modernization Act (18) ("Gramm-Leach-Bliley Act"), repealing part of the Glass-Steagall Act. (19) Another major piece of federal legislation was the Sarbanes-Oxley Act of 2002 (20) ("SOX"), passed in response to the fraudulent activities of major corporations such as Enron (21) and WorldCom. (22) SOX Section 404 addresses internal control reporting for both financial and non-financial companies. (23) As part of this internal control assessment, public firms were required to identify financial and IT risks and deficiencies that materially impacted the firms' financial statements, and to mitigate those risks with adequate controls. (24) Many companies spent substantial resources to comply with SOX, especially with Section 404. (25) These companies hired accounting firms, such as PricewaterhouseCoopers (26) and Ernst and Young, (27) to assist in complying with SOX Section 404. (28)
Enron, a large publicly held energy company, collapsed for many reasons, but one of the biggest reasons was a lack of government oversight and auditing for fraud. (29) This resulted in the criminal indictment of Enron executives and the loss of life savings for over 4,000 employees. …