What Is SOX Compliance?
The Sarbanes-Oxley Act of 2002, known as SOX, is a law passed to help protect investors from fraudulent financial reporting by publicly traded companies. SOX mandated strict reforms to existing regulations and imposed tough new penalties that can hold CEOs and CFOs liable for a failure to comply. In addition, these reforms established a more stringent protocol for internal controls that affect financial reporting and data security.
Because SOX changed how corporate electronic records must be stored and handled, IT departments are under increased pressure to implement and manage robust data security controls. SOX compliance requires not only that data security practices and processes be in place, but that there is complete, reviewable visibility into every interaction with financial records over time, including the relevant communications.
The new law set out reforms and additions in four principal areas:
- Accounting regulation
- Corporate responsibility
- Increased criminal punishment
- New protections (including protection for whistleblowers)
The Sarbanes-Oxley Act took its name from its two sponsors: Sen. Paul S. Sarbanes (D-Md.) and Rep. Michael G. Oxley (R-Ohio).
SOX Compliance Fundamentals
SOX governs the financial operations and disclosures of public companies. These regulations affect entire organizations, and IT in particular. The biggest area of focus for IT is internal controls, which require systems that secure financial data and provide visibility into the history of financial records.
Specifically, SOX contains 11 titles that set forth the rules included in the legislation. Three of these have sections that are of particular relevance for SOX compliance:
- Title III—Corporate Responsibility
  - Section 302, Corporate Responsibility for Financial Reports
    - The signing officers are responsible for establishing and maintaining internal controls (in practice, the data security systems that protect financial information) and for reporting on their effectiveness in each periodic report
    - Senior corporate officers (e.g., CEO, CFO) must personally certify in writing that the company's financial statements "comply with SEC disclosure requirements and fairly present in all material respects the operations and financial condition of the issuer"
    - Knowingly certifying inaccurate financial statements carries criminal penalties, including prison terms (the penalties themselves are set out in Section 906)
- Title IV—Enhanced Financial Disclosures
  - Section 404, Management Assessment of Internal Controls
    - Management must establish internal controls over financial reporting (including data security controls), assess them annually, and report on their effectiveness; for accelerated filers an external auditor must attest to that assessment
  - Section 409, Real Time Issuer Disclosures
    - Systems must be in place to enable rapid public disclosure of any material change that could affect the company's financial condition or operations
- Title VIII—Corporate and Criminal Fraud Accountability
  - Section 802, Criminal Penalties for Altering Documents
    - Knowingly altering, destroying, mutilating, concealing, or falsifying records to obstruct an investigation is a crime; data security systems must therefore prevent and detect such changes to material information
    - Relevant records must be securely retained for the prescribed retention period
    - Specified business records, including electronic communications, must be securely stored and kept accessible
Who Must Comply?
SOX compliance applies to all companies publicly traded in the United States, including their wholly owned subsidiaries, and to foreign companies whose securities are registered with the SEC or listed on a U.S. exchange. In addition, the public accounting firms that audit these companies must themselves comply with SOX and register with the PCAOB.
SOX Compliance and IT Departments
As noted above, IT has a role to play in SOX compliance. In fact, it is an important role that has the attention of the C-suite. Following are a few areas where SOX compliance and IT departments intersect.
- SOX Section 302, Corporate Responsibility for Financial Reports
  IT must be able to deliver current reporting on the internal controls it operates for SOX compliance, in a form that executives and auditors can readily understand.
- SOX Section 404, Management Assessment of Internal Controls
  IT implements and manages the systems and processes that ensure financial data is accurate and complete, and protects that data from unauthorized access and modification.
- SOX Section 409, Real Time Issuer Disclosures
  IT operates the monitoring and alerting mechanisms that let executives learn of material events and respond within the required time.
- SOX Section 802, Criminal Penalties for Altering Documents
  IT ensures that systems meet the record-preservation requirements, including automated backup processes, properly functioning document management systems, and preservation of electronic communications.
SOX Compliance Software
Software plays a critical role in SOX compliance for most organizations. SOX compliance solutions provide internal controls and the means to prove to an auditor that SOX-compliant systems are in place. These solutions minimize the risk of non-compliance by addressing vulnerabilities, testing controls for efficacy, and offering ready access to data for auditors and regulators.
Features of SOX compliance software include:
- Provides a centralized repository for data related to SOX compliance
- Captures and tracks requests for information
- Supports integration with multiple frameworks, such as COSO, COBIT, and ITGI
- Identifies SOX compliance gaps and risks
- Supports mitigation of risk
- Monitors compliance stance
- Generates reports required for audits
- Proves SOX compliance to auditors and regulators
Standards and best practices that can support SOX compliance by prescribing how to manage specific IT functions are found in several frameworks, including:
- COSO, the Committee of Sponsoring Organizations of the Treadway Commission
  Its Internal Control-Integrated Framework is the internal-control model most SOX 404 programs are assessed against, and it informs the Public Company Accounting Oversight Board (PCAOB) auditing standards.
- COBIT, Control Objectives for Information and Related Technologies
  An IT governance and control framework developed by ISACA (formerly the Information Systems Audit and Control Association, now known by its acronym only) that is widely used to define the IT general controls supporting SOX.
- ITGI, the IT Governance Institute
  An ISACA affiliate that published "IT Control Objectives for Sarbanes-Oxley", which maps COBIT's IT controls onto the COSO components, with a focus on security.
SOX Compliance Audits
Part of SOX compliance is completing an annual audit and making the results publicly available. To avoid any conflict of interest, SOX compliance audits must be performed by independent auditors. The objective of the SOX compliance audit is to verify the company’s financial statements and evaluate internal controls.
As part of this independent SOX compliance audit, IT must demonstrate that it has the following controls in place and that they are working effectively.
- Access—users have only the access they need to do their jobs, enforced through:
  - Physical controls (e.g., doors, badges, locks on file cabinets)
  - Electronic controls (e.g., login policies, least-privilege access, permissions policies, periodic access reviews)
- Security—protection against data breaches, including:
- Ability to locate where sensitive data is stored
- Audit trail of sensitive data access
- Monitoring system for sensitive information
- Response plan for unauthorized access or breach
- Data Backup—copies of all financial records stored offsite, with restores tested so the copies can be relied on
- Change Management—established protocols for:
- Adding and removing users from systems (i.e., applications, networks)
- Installation of new software
- Updating or modifying databases or applications that have financial data
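The access and change-management controls above are what an auditor asks IT to evidence: that leavers lose their entitlements, that no single person holds a conflicting pair of entitlements (segregation of duties), that production changes to financial systems trace to an approved ticket, and that the audit trail of access to financial records matches the entitlements on file. The following is an added example, not code from the original page or from any product it mentions, showing how those four checks can be automated over exports from HR, the general-ledger application, and the change tool. All data, field names, and entitlement names are constructed for illustration.

```python
"""Added example: automated evidence checks for the IT general controls an
SOX audit tests (user access, segregation of duties, change management, and
the audit trail of access to financial records). All data below is constructed
and all field/entitlement names are assumptions, not any vendor's schema.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed HR roster export: who is still employed and when leavers left.
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob": {"status": "terminated", "term_date": date(2021, 11, 30)},
    "carol": {"status": "active"},
    "dave": {"status": "active"},
}

# Constructed entitlement export from the general-ledger (GL) application.
GL_ENTITLEMENTS = {
    "alice": {"journal.create"},
    "bob": {"journal.create", "journal.post"},
    "carol": {"journal.create", "journal.post"},
    "dave": {"journal.post", "vendor.create", "payment.approve"},
}

# Entitlement pairs one person must never hold together (segregation of duties).
SOD_CONFLICTS = [
    ({"journal.create", "journal.post"}, "create and post own journals"),
    ({"vendor.create", "payment.approve"}, "create vendor and approve payment"),
]


@dataclass(frozen=True)
class Change:
    change_id: str
    system: str
    deployed_by: str
    ticket: Optional[str]  # None means no change ticket was recorded
    deployed: date


# Constructed production change log and the approved tickets from the change tool.
CHANGES = [
    Change("CHG-101", "gl-db", "dave", "RFC-5501", date(2021, 12, 1)),
    Change("CHG-102", "gl-app", "dave", None, date(2021, 12, 3)),
    Change("CHG-103", "gl-db", "carol", "RFC-5509", date(2021, 12, 7)),
]
APPROVED_TICKETS = {"RFC-5501", "RFC-5509"}

# Constructed GL access log, one key=value record per line.
ACCESS_LOG = """\
2021-12-02T09:14:03Z user=alice action=journal.create record=J-0101
2021-12-05T10:02:11Z user=bob action=journal.post record=J-0102
2021-12-06T16:40:59Z user=alice action=journal.post record=J-0101
"""


def orphaned_accounts(roster, entitlements, as_of):
    """GL accounts that still hold entitlements although the person is unknown
    to HR or left before the review date."""
    orphans = []
    for user, ents in entitlements.items():
        info = roster.get(user)
        if not ents:
            continue
        if info is None or (info["status"] == "terminated" and info["term_date"] < as_of):
            orphans.append(user)
    return sorted(orphans)


def sod_violations(entitlements, conflicts):
    """(user, description) for every conflicting entitlement pair a user holds."""
    return sorted(
        (user, desc)
        for user, ents in entitlements.items()
        for pair, desc in conflicts
        if pair <= ents
    )


def unapproved_changes(changes, approved):
    """Production changes whose ticket is missing or not in the approved set."""
    return sorted(c.change_id for c in changes if c.ticket not in approved)


def audit_trail_findings(log_text, roster, entitlements):
    """Compare each logged action against HR status and the entitlement export."""
    findings = []
    for line in log_text.splitlines():
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        user, action = rec["user"], rec["action"]
        acted_on = date.fromisoformat(ts[:10])
        info = roster.get(user)
        if info is None or (info["status"] == "terminated" and info["term_date"] < acted_on):
            findings.append((rec["record"], user, "activity by terminated or unknown user"))
        if action not in entitlements.get(user, set()):
            # Either the entitlement export is incomplete or access control was bypassed.
            findings.append((rec["record"], user, f"{action} without matching entitlement"))
    return findings


if __name__ == "__main__":
    review_date = date(2021, 12, 31)
    print("orphaned accounts:", orphaned_accounts(HR_ROSTER, GL_ENTITLEMENTS, review_date))
    print("SoD violations:", sod_violations(GL_ENTITLEMENTS, SOD_CONFLICTS))
    print("unapproved changes:", unapproved_changes(CHANGES, APPROVED_TICKETS))
    print("audit trail findings:", audit_trail_findings(ACCESS_LOG, HR_ROSTER, GL_ENTITLEMENTS))
```

Each function returns the exceptions an auditor would want listed rather than a pass/fail, so the output can be attached as evidence and each item dispositioned (remediated or formally accepted). Note that the audit-trail check is what catches a control failure the entitlement export alone would miss: a user acting beyond the permissions on file.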
SOX Compliance IT Rules Double as Data Security Best Practices
SOX compliance is more than a legal obligation. It should also be viewed as guidance for how to follow data security best practices.
A side benefit of implementing the controls required for SOX compliance is that these systems help protect the company’s data from malicious insiders and external threats. And because SOX compliance requires participation from most parts of the company, it improves communication and cooperation amongst teams.
Last Updated: 23rd December, 2021