The Business Forum

"It is impossible for ideas to compete in the marketplace if no forum for
  their presentation is provided or available."           Thomas Mann, 1896


Internal Computer Investigations
Critical Control Activity under Sarbanes-Oxley

By John Patzakis and Victor Limongelli [i]
Contributed by Guidance Software Inc.


Introduction

In response to a wave of high-profile corporate crime such as the Enron debacle, [ii] Congress passed the Sarbanes-Oxley Act of 2002 (“Sarbanes-Oxley”), and President Bush signed the act into law on July 30, 2002.  Sarbanes-Oxley was enacted to protect investors by combating corporate crime and improving corporate governance. [iii]  As many commentators have noted, Sarbanes-Oxley requires companies to implement extensive corporate governance policies to prevent and timely respond to fraudulent activity within the company. [iv]  For example, Sarbanes-Oxley expressly requires publicly traded companies to create anonymous hotlines for the reporting of fraud, and it requires executives to certify that their financial statements are accurate. 

These and other provisions require companies to closely review their policies and procedures regarding internal investigations, and implement the necessary processes and tools to respond timely and effectively to reports of fraudulent activity.  With the vast majority of information now generated in digital format, [v] the recovery and analysis of digital data is the primary process for internal corporate investigations. In other words, for effective self-policing, including the timely detection and response to reports of fraudulent activity, companies must have the ability to acquire, search and preserve electronic data related to fraudulent activity.

Many companies, however, are ill-equipped to acquire the necessary electronic data that is central to identifying and responding to incidents of fraud.  While companies have spent considerable time adopting and amending policies in response to Sarbanes-Oxley, relatively few have implemented the information technology infrastructure that will enable companies to turn anti-fraud policies into concrete results.  This paper addresses the critical importance of internal computer investigations as a central component to maintaining adequate corporate financial controls under Sarbanes-Oxley, and why companies must establish a technical and procedural infrastructure to perform such investigations.  The paper also explains the current challenges companies face in creating an infrastructure that is adequately equipped to fulfill the intent of Sarbanes-Oxley, and the steps companies can take to create an effective and compliant infrastructure.


Sarbanes-Oxley Requires Effective Internal Controls To Prevent and Detect Fraud

A major component of the Congressional response to “the shenanigans . . . that ha[d] been going on in corporate America” [vi] was to reaffirm the primary responsibility of the Board of Directors and senior management for any misstatements in a company’s SEC filings, while increasing penalties for securities fraud. [vii]  Section 302 of Sarbanes-Oxley broadened the scope of accountability for CEOs and CFOs by requiring them to personally “certify their companies’ financial reports and disclosure controls and procedures, with a potential $5 million fine and up to 20 years in prison as penalties for violations.” [viii]  Section 404 of Sarbanes-Oxley requires companies to institute effective “internal controls.”  Importantly, this responsibility encompasses more than mere accounting practices.  In June 2003 the SEC issued its final rules under Section 404 of Sarbanes-Oxley.  The SEC noted that “internal control is a broad concept that extends beyond the accounting functions of a company.” [ix]  Under the SEC’s rules, the internal controls process must include policies and procedures that: 

Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the [company’s] assets that could have a material effect on the financial statements. [x]

Section 302 also specifically identifies internal fraud as an event that would require disclosure by senior management. Put simply, an adequate internal control structure must include “controls related to the prevention, identification and detection of fraud.” [xi] (Emphasis added).  Clearly, then, the necessary controls involve much more than proper accounting. Insider trading and other internal financial fraud, theft of intellectual property and large-scale misappropriation of customer information are incidents that would require disclosure.

In fact, in order for a CEO or CFO to properly attest that proper internal controls are in place, the executive must certify under 302 that he or she has disclosed “any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls.” In addition to these 302 requirements, Sarbanes-Oxley places increased responsibility on senior management and the Board of Directors for any misstatements in a company’s SEC filings. As such, the board and senior management may be potentially liable for failing to disclose incidents of internal fraud, such as intellectual property theft or misappropriation of customer information.

Sarbanes-Oxley also addresses corporate fraud from another direction:  by providing protection for employees of public companies who report fraud.  Section 806 of Sarbanes-Oxley is entitled “Protection for Employees of Publicly Traded Companies Who Provide Evidence of Fraud.”  The “Whistleblower” protections of Section 806 include protections for employees who provide information concerning “any conduct which the employee reasonably believes constitutes [fraud, wire fraud, bank fraud, or securities fraud], any rule or regulation of the Securities and Exchange Commission, or any provision of Federal law relating to fraud against shareholders.” [xii] (Emphasis added). 

As a result, if the employee reasonably believes that fraud is occurring, the reporting of the activity is protected, whether or not any fraud is in fact taking place.  The protection applies not only when the employee provides information to law enforcement, but also where the employee provides information to “a person with supervisory authority over the employee (or such other person working for the employer who has the authority to investigate, discover, or terminate misconduct).” [xiii]  Thus, Section 806 covers every situation in which an employee reasonably believes that wrongdoing is occurring and reports such alleged wrongdoing to the appropriate channels within the company.

The strong protections afforded to whistleblowers encourage such reporting without fear of retaliation. In turn, companies must thoroughly investigate reports from whistleblowers as a control activity. For instance, because senior executives must disclose relevant instances of fraud under section 302, the failure to diligently act upon reports from whistleblowers would likely violate the reporting requirements under 302 as well as the internal controls provisions under section 404.  Moreover, if a company is convinced that an employee’s reported belief about possible fraud is unreasonable, the company nevertheless needs to conduct a thorough investigation to support its assessment of the situation.  Only then can the company have the confidence to reject a whistleblower report as unfounded.

Sarbanes-Oxley also directly involves the Board of Directors in setting policy for the handling of whistleblower complaints.  Section 301 of Sarbanes-Oxley requires the Board’s audit committee to “establish procedures for (A) the receipt, retention, and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters; and (B) the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.” [xiv]  Thus, as is the case for other provisions of Sarbanes-Oxley, the responsibility for the proper treatment of whistleblower complaints is squarely placed at the highest levels of each public company.

These and other provisions of Sarbanes-Oxley make it essential that companies have the ability to respond to allegations of fraud.  According to Greg Schaffer, Director of Cybercrime Prevention and Response for PricewaterhouseCoopers, Sarbanes-Oxley’s requirements “are causing many public companies to hire investigators, including computer forensic experts, far more regularly to review allegations of wrongdoing or indications of potential fraudulent activity detected by internal company control structures.  Just detecting possible instances of internal fraud is not enough in today’s environment; those instances must be properly investigated and addressed.”  In order to investigate such allegations quickly and effectively, whether the investigation is handled internally or outsourced, all relevant evidence must be gathered, preserved, and analyzed.  For publicly traded companies, this can only be done by ensuring that the company has the necessary technology and training to acquire, search and preserve its electronic data.

Enterprise Computer Forensics Required for Effective Internal Investigations

Even prior to Sarbanes-Oxley, courts recognized the importance of preserving electronic data in connection with litigation, including securities fraud investigations.  For example, in In re Bristol-Myers Squibb Securities Litigation, [xv] the court determined that the discovery of computer evidence was critical to ensure a proper investigation of alleged corporate fraud.  The court noted that as the vast majority of documentation now exists in electronic form, electronic evidence discovery should be considered a standard and routine practice going forward. [xvi]  The provisions of Sarbanes-Oxley will certainly induce courts and auditors to look closely at a company’s ability to forensically preserve and analyze electronic data.

Other agencies and groups have also adopted standards regarding computer forensics.  The leading international information security best practices standard, ISO 17799, calls on enterprises to use computer forensics to preserve the admissibility of evidence: 

For information on computer media: copies of any removable media, information on hard disks or in memory should be taken to ensure availability.  The log of all actions during the copying process should be kept . . . [xvii]

The mere focus upon computer data, however, is not enough.  Computer evidence must be properly collected, verified and handled under accepted computer forensic procedures to ensure its accuracy and admissibility in court.  As the courts have recognized, [xviii] if a company lacks the tools to collect evidence in a manner that preserves its admissibility, it may be unable to prosecute or otherwise institute disciplinary action; that inability weakens the deterrent effect on employee behavior, and the company risks compromising its legal (and hence its financial) position:

When an incident is first detected, it may not be obvious that it will result in possible court action.  Therefore, the danger exists that necessary evidence is destroyed accidentally before the seriousness of the incident is realized. [xix]

An enterprise can minimize this danger by utilizing the best computer forensics tools available for response to security incidents so that collecting data will be quick and easy. 
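The ISO 17799 passage quoted above asks for two things from an acquisition: a copy taken so the data stays available, and a log of every action performed while copying. The script below is an added illustration of that procedure, written for this page; it is not code from the paper, from Guidance Software, or from EnCase. It assumes the evidence source is an ordinary file (a disk image or device node would be handled the same way, behind a write blocker), hashes the source before copying, hashes the copy afterwards, marks the copy read-only, and records each step with a UTC timestamp and an examiner name (a placeholder here). The `demo()` function runs the flow on constructed sample bytes and then deliberately alters one byte of the copy to show that re-verification against the recorded hash catches the change.

```python
"""Forensically sound copy of a file-based evidence source with an action log.

Added example (not from the original paper). The "evidence" is a constructed
bytes blob written to a temporary directory; the examiner name is a placeholder.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read in 1 MiB chunks so large images do not need to fit in RAM


def sha256_file(path: str) -> str:
    """Hash a file chunk by chunk; used for both the source and the copy."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


class ActionLog:
    """Append-only record of every step taken during acquisition.

    Each entry carries a UTC timestamp, the examiner and a description, which
    is the "log of all actions during the copying process" ISO 17799 asks for.
    """

    def __init__(self, examiner: str):
        self.examiner = examiner
        self.entries = []

    def record(self, action: str, **details):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "examiner": self.examiner,
            "action": action,
            **details,
        })

    def dump(self) -> str:
        return json.dumps(self.entries, indent=2)


def acquire(source: str, image: str, log: ActionLog) -> dict:
    """Copy `source` to `image` and prove the copy matches the original.

    Returns a record with both digests and a `verified` flag; the record and
    the log are kept with the image as the chain-of-custody document.
    """
    log.record("hash-source", path=source)
    source_hash = sha256_file(source)
    log.record("copy", src=source, dst=image)
    shutil.copyfile(source, image)
    os.chmod(image, 0o444)  # read-only so a later tool cannot silently alter it
    log.record("hash-image", path=image)
    image_hash = sha256_file(image)
    verified = source_hash == image_hash
    log.record("verify", verified=verified)
    return {"source": source, "image": image, "sha256_source": source_hash,
            "sha256_image": image_hash, "verified": verified}


def verify_image(image: str, expected_sha256: str) -> bool:
    """Re-check an image against the digest recorded at acquisition time.

    Any later modification, even a single byte, changes the digest, so False
    means the copy can no longer be relied on as evidence.
    """
    return sha256_file(image) == expected_sha256


def demo() -> tuple:
    """Run the whole flow on constructed data; returns (record, log, still_ok)."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "evidence.bin")
    img = os.path.join(work, "evidence.img")
    with open(src, "wb") as f:
        f.write(b"constructed sample evidence\n" * 1000)  # constructed input
    log = ActionLog("examiner-placeholder")
    record = acquire(src, img, log)
    # Simulate post-acquisition tampering with the copy, then re-verify it.
    os.chmod(img, 0o644)
    with open(img, "r+b") as f:
        f.seek(0)
        f.write(b"X")
    still_ok = verify_image(img, record["sha256_source"])
    return record, log, still_ok


if __name__ == "__main__":
    rec, action_log, ok_after_tamper = demo()
    print(json.dumps(rec, indent=2))
    print(action_log.dump())
    print("copy still matches recorded hash after tampering:", ok_after_tamper)
```

The source digest recorded at acquisition is the value an examiner later cites when testifying that the analyzed copy is the same data that was collected; the action log is what shows who did what and when. Both should be stored alongside the image, not only printed.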

Under Sarbanes-Oxley, management is required to include in the company’s annual report an assessment of the effectiveness of the company’s relevant internal controls. [xx]  Thus, at the end of each fiscal year, management must evaluate the effectiveness of the company’s internal controls. [xxi]  This evaluation must be based on a “suitable, recognized control framework.” [xxii]  Although the rules do not mandate the usage of a particular framework, [xxiii] the “report of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), titled Internal Control - Integrated Framework, contains the suitable criteria most commonly used in the United States.” [xxiv]  In the release issuing the final rules for Section 404, the SEC specifically noted that “[t]he COSO Framework satisfies our criteria and may be used as an evaluation framework for purposes of management’s annual internal control evaluation and disclosure requirements.” [xxv]  As a result, at this time nearly all companies subject to Sarbanes-Oxley will be using the COSO Framework to evaluate the effectiveness of their internal controls.

The COSO Framework recognizes that one of the “temptations” for employee fraud is “nonexistent or ineffective controls,” as well as “high decentralization that . . . reduces the chances of getting caught.” [xxvi]  Thus, in order to prevent employee fraud, a company should have in place effective controls that increase the likelihood of getting caught.

The ability to identify and detect fraud is likewise enhanced by computer forensics. COSO specifically recognized the risks of internal fraud:  “Former or disgruntled employees can be more of a threat to a system than hackers.” [xxvii]  In addressing this risk, a company utilizing the COSO Framework needs to deploy a computer investigation framework for effective risk management of internal fraud.  Of course, the COSO Framework was not addressing computer forensics when it was published in 1992.  However, COSO recognizes that “[i]nternal control systems change over time.” [xxviii]  Indeed, “the assessment of risks not only influences the control activities, but may also highlight a need to reconsider information and communication needs.” [xxix] 

When assessing a company’s ability to gather and access the necessary information regarding internal fraud (or any computer security incident), the quality of the information is thus paramount.  Only an effective computer forensics capability allows a company to gather accurate, timely information concerning the incident, and permits the ready access to that information.  COSO does not itself mandate specific technology infrastructure or software.  Instead, it recognizes that the “complexity of an entity, and the nature and scope of its activities, affect its control activities.” [xxx]  Indeed, the COSO Framework notes, “factors that influence an entity’s complexity and therefore, the nature of its controls include: location and geographical dispersion, the extensiveness and sophistication of operations, and information processing methods.” [xxxi]  For many companies, given the breadth of their operations, only an enterprise-wide, network-enabled computer forensics capability will satisfy the “Information and Communication” aspects of COSO (and, thus, Sarbanes-Oxley) with respect to computer security incidents.

Incident Response Capability for Rapid Investigations Necessitated By Sarbanes-Oxley

Section 409 of Sarbanes-Oxley underscores the fact that the law does not tolerate delay with respect to investigations.  Entitled “Real Time Issuer Disclosure” Section 409 requires disclosure to the public “on a rapid and current basis [any] information concerning material changes in the financial condition or operations” of the company. [xxxii]  Although the SEC has not yet promulgated regulations under Section 409, [xxxiii] the statute itself is clear:  each reporting company must communicate timely information to the public.  In order to do so, a company must effectively and rapidly respond to internal incidents (such as financial fraud) and external attacks that can have a material effect on the company.

When it comes to penalties, Sarbanes-Oxley reserves the most severe sanctions for those guilty of destroying records, including electronic data.  Under Section 802 of Sarbanes-Oxley, fines of up to $5 million and imprisonment of up to twenty years can be imposed upon “[w]hoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence” any government investigation or official proceeding. [xxxiv]  Given the genesis of Sarbanes-Oxley in the Enron/Andersen fiasco, it is not surprising that evidence destruction now carries heavy penalties. 

In order to guard against employee malfeasance in the face of a pending or threatened government investigation, a company needs to have the ability to preserve potentially relevant evidence, and quickly respond to instances of electronic data destruction through a network-enabled computer forensics capability. Although under Section 802 the employee who destroys evidence would face criminal penalties, the company needs to be able to defend itself from claims that the employee misconduct was performed with the official sanction of or at the direction of management (such as was alleged in the Andersen case). In order to do so, the company should have the capability to rapidly and thoroughly restore, collect, and preserve the relevant evidence. A network-enabled computer forensics capability provides a company with the ability to rapidly undelete, analyze, and preserve all of the digital evidence associated with a government investigation, thereby blunting any subsequent claim that any destruction of evidence by employees was authorized or overseen by management.

Even before the passage of Sarbanes-Oxley, the SEC’s official position regarding internal investigations was that effective self-policing and cooperation with law enforcement could reduce or even eliminate a corporation’s liability for violation of the federal securities laws.  For instance, the SEC’s investigation into Seaboard Corporation found that the controller of one of Seaboard’s divisions had caused Seaboard’s books and records to overstate assets and understate expenses, and had subsequently actively concealed such misstatements. [xxxv]  Although the SEC ordered relief against the controller, it took no enforcement action against Seaboard, due to the company’s prompt and thorough response to the incident, as well as its cooperation with the SEC. [xxxvi]  The SEC noted that the public at large benefits when “businesses seek out, self-report and rectify illegal conduct.” [xxxvii]  The SEC, in deciding “whether, and how much, to credit self-policing, self-reporting, remediation and cooperation,” [xxxviii] established four broad measures for it to assess:  

  •  Self-policing prior to the discovery of the misconduct . . .

  •  Self-reporting of misconduct when it is discovered, including conducting a thorough review of the nature, extent, origins and consequences of the misconduct . . .

  •  Remediation . . . modifying and improving internal controls . . .

  •  Cooperation with law enforcement authorities, including providing the [SEC] staff with all information relevant to the underlying violations . . . [xxxix]

Indeed, in order to cooperate effectively with the SEC and law enforcement, a company must be able to “identify . . .  evidence with sufficient precision to facilitate prompt enforcement actions against those who violated the law.” [xl]  A network-enabled computer forensic capability enables a company to capture, preserve, analyze and turn over to investigators all of the available digital evidence relevant to an investigation.  As a result, this capability enables self-policing, self-reporting, and effective cooperation with law enforcement, thereby strongly supporting a company facing an SEC investigation.

Developing an Adequate and Compliant IT Infrastructure To Support Internal Investigations

From the standpoint of determining best practices and due diligence for internal investigations, computer forensics is a standard practice in enforcement investigations for agencies such as the FBI, United States Secret Service and the Securities and Exchange Commission. When these agencies investigate public companies, collecting and analyzing the computer evidence is central to their efforts. Corporations can and should adopt similar internal capabilities for effective internal fraud investigations.  

EnCase, [xli] developed by Guidance Software, is the leading computer software program utilized by law enforcement, regulatory agencies, and corporate computer forensic specialists.  EnCase Enterprise Edition is specifically designed to provide on-demand enterprise-wide incident response and forensic analysis, thus enabling immediate, thorough, and non-disruptive computer forensic investigation of desktops and servers anywhere on a wide-area-network from a centralized location. This powerful capability dramatically facilitates the handling and management of internal fraud investigations throughout the organization, which greatly facilitates compliance with the internal investigation mandates of Sarbanes-Oxley.

Conclusion

Congress passed Sarbanes-Oxley to combat financial crimes and fraud committed by corporate insiders. These crimes are compelling internal incidents that warrant immediate response and investigation. Network-enabled computer forensics tools such as EnCase Enterprise Edition are an ideal methodology for timely detecting the “unauthorized acquisition, use or disposition” of company assets and provide an important component of an internal framework for internal investigations.  Further, a company’s management can feel confident that including such tools in its assessment of the company’s internal controls will pass muster with regulators, since the SEC and numerous other federal agencies use the leading computer forensic software in their own internal incidents, as well as enforcement investigations.


Notes:

[i] Victor Limongelli is General Counsel of Guidance Software, Inc.

[ii] Congress acted “in response to Enron, Global Crossing and other bankruptcies.”  Representative Oxley, 148 Cong. Rec. H5462-02, at *H5462.  See also “The events of the past months have underscored the importance of transparency in corporate governance. While many believed that Enron was an isolated occurrence, the failures of Tyco, Global Crossing, and WorldCom have eroded confidence in the markets, both here and overseas.”  Representative Jones, 148 Cong. Rec. H5462-02, at *H5469.

[iii] According to Senator Sarbanes, “[t]he bill sets significantly higher standards for corporate responsibility governance. . . . There are also extensive criminal penalties contained in this legislation . . . These provisions, among other things, require the CEOs and CFOs to certify their company's financial statements under penalty of potentially severe punishments.”  Senator Sarbanes, 148 Cong. Rec. S7350-04, at *S7351.

[iv] One of the central themes underlying Sarbanes-Oxley is that public companies need to institute and maintain adequate internal controls to prevent and timely detect fraudulent activities.  Another galvanizing factor was the rampant destruction of computer evidence that occurred in the Arthur Andersen/Enron case.  See the Arthur Andersen indictment, which alleges that “an unparalleled initiative was undertaken to . . . delete computer files,” available at: http://news.findlaw.com/hdocs/docs/enron/usandersen030702ind.pdf

[v] See In re Bristol-Myers Squibb Securities Litigation, 205 F.R.D. 437, 440, fn2 (2002).

[vi] Representative Bentsen, 148 Cong. Rec. H5462-02, at *H5467.

[vii] “Sarbanes-Oxley increased criminal penalties for securities fraud to up to 25 years in jail and $2 million in fines.”  The Sarbanes-Oxley Act:  The First Year, House Committee on Financial Services, at 14.

[viii] The Sarbanes-Oxley Act:  The First Year, House Committee on Financial Services, at 5.

[ix] 68 FR 36636, 36638, June 18, 2003.

[x] 68 FR 36636, 36640, June 18, 2003.

[xi] 68 FR 36636, 36643, June 18, 2003.

[xii] 18 U.S.C. § 1514A(a)(1).

[xiii] 18 U.S.C. § 1514A(a)(1)(C).

[xiv] 15 U.S.C. § 78f(m).

[xv] 205 F.R.D. 437 (2002).

[xvi] 205 F.R.D. at 440, fn2.

[xvii] ISO 17799, § 12.1.7.3.

[xviii] State v. Cook, 777 N.E.2d 882, 2002 WL 31045293 (Ohio App. 2002); Gates Rubber Co. v. Bando Chemical Indus., Ltd., 167 F.R.D. 90, 112 (D. Colo. 1996).

[xix] ISO 17799, § 12.1.7.3.

[xx] 68 FR 36636, 36642, June 18, 2003.

[xxi] 17 CFR § 240.15d-15(c).

[xxii] 17 CFR § 240.15d-15(c).

[xxiii] “A suitable framework must:

1. Be free from bias;

2. Permit reasonably consistent qualitative and quantitative measurements of a company’s internal control;

3. Be sufficiently complete so as not to omit factors that would alter a conclusion about the effectiveness of a company’s internal control; and

4. Be relevant to an evaluation of internal control over financial reporting.”  The Sarbanes-Oxley Act of 2002:  SEC Issues Final Rules Regarding Internal Control Over Financial Reporting Under Section 404, Cooley Godward LLP, Aug. 4, 2003, at 5.

[xxiv] KPMG’s Defining Issues, No. 03-13, June 2003, at 4.

[xxv] 68 FR 36636, 36642, June 18, 2003.

[xxvi] COSO Framework, at 25.

[xxvii] COSO Framework, at 53.

[xxviii] COSO Framework, at 69.

[xxix] COSO Framework, at 18.

[xxx] COSO Framework, at 55.

[xxxi] COSO Framework, at 56.

[xxxii] 15 U.S.C. § 78m(l).

[xxxiii] As of September 19, 2003, the SEC did not cover Section 409 under its “Summary of SEC Actions and SEC Related Provisions Pursuant to the Sarbanes-Oxley Act of 2002”, available at: http://www.sec.gov/news/press/2003-89a.htm

[xxxiv] 18 U.S.C. § 1519.

[xxxv] In the Matter of Gisela de Leon-Meredith, Exchange Act Release No. 44970 (October 23, 2001).

[xxxvi] Exchange Act Release No. 44969 (October 23, 2001).

[xxxvii] Id.

[xxxviii] Id.

[xxxix] SEC Release 2001-117 (October 23, 2001).

[xl] Exchange Act Release No. 44969 (October 23, 2001).

[xli] EnCase is a registered trademark of Guidance Software, Inc.


The Business Forum
Beverly Hills, California, United States of America
