
Sarbanes-Oxley and IT security: An exploratory case study investigating the impact of section 404 on information security

Posted on: 2010-02-15
Degree: Ph.D
Type: Dissertation
University: Capella University
Candidate: Gawaly, Hatem I
Full Text: PDF
GTID: 1448390002479574
Subject: Business Administration
Abstract/Summary:
The Sarbanes-Oxley (SOX) Act of 2002 was the U.S. government's response to financial scandals at Enron, WorldCom, Tyco, and other large companies under the horizon of the U.S. Securities and Exchange Commission. The primary goal of SOX is to protect investors from fraudulent activities of publicly traded organizations. SOX compliance implicitly impacts Information Technology (IT) security strategies. The real problem facing IT departments is the lack of direction in complying with section 404, which addresses the requirement of effective internal controls regarding financial statement reporting. This exploratory single-case study investigated the impact of SOX section 404 on information security in large-cap public companies located in the United States. In addition, the research examined the strategic elements required to ensure a sustainable and SOX-compliant IT strategy that ensures information security. This case study was mainly qualitative but substantiated with quantitative data. Individual interviews with executive leadership were conducted using both structured and unstructured questionnaires. Employee surveys along with internal and external auditors' reports were utilized for data triangulation purposes. Results indicated that SOX section 404 has a positive impact on organizations' information security policies, and that risk management, constant training, and automation are key factors in establishing a sustainable and SOX-compliant IT strategy that ensures information security.
Keywords/Search Tags: Information security, SOX, Section, Impact