The Ultimate Guide to the Sarbanes-Oxley Act (SOX)

What Is SOX?

The Sarbanes-Oxley Act of 2002 (SOX), passed by Congress and enforced by the Securities and Exchange Commission (SEC), is designed to protect shareholders and the general public from accounting errors and fraudulent practices by businesses and to improve the accuracy of corporate disclosures. IT compliance and IT security professionals need to pay close attention to SOX because the law has clear implications for data management, reporting, and security: the systems that store, process, or transmit financial data are inside the scope of its internal-control requirements.

Who needs to comply with SOX?

All provisions of SOX apply to companies that are publicly traded in the United States, including their wholly-owned subsidiaries and foreign companies that are listed on U.S. exchanges and registered with the SEC. SOX also reaches any third party to which a publicly traded company outsources financial work, because the controls at that provider become part of the company's own control environment.

In general, private companies, charities, and nonprofits are not required to comply with all SOX provisions. However, certain provisions of SOX also affect privately held companies and nonprofits. For instance, under Section 802, intentionally destroying, altering, or falsifying documents with the intention of impeding or influencing a federal agency investigation or a federal bankruptcy proceeding carries fines and up to 20 years imprisonment. In addition, the whistleblower protection in Section 1107 applies to these companies, which means that retaliating against someone who provides a law enforcement officer with information relating to a possible federal offense is punishable by up to 10 years imprisonment.

SOX also affects accounting firms; the rule builds a firewall between the auditing function and other services available from accounting firms. Thus, the firm that audits the books of a publicly held company may no longer do the company’s bookkeeping, non-financial audits, or business evaluations, and is also prohibited from designing or implementing an information system, providing investment advisory and banking services, or consulting on other management issues.

SOX also affects HR departments within publicly traded companies. It requires a firm to establish payroll system controls. A company’s workforce, salaries, benefits, incentives, paid time off, and training costs must all be accounted for under Section 404 of SOX.

Although SOX compliance isn't required of privately held companies, if your company aspires to go through an IPO in the next two to three years, it is beneficial to start planning for SOX compliance sooner rather than later, because it will take a while to set up all the processes, documentation, and control testing that SOX requires.

What are the Compliance Requirements of SOX?

SOX is arranged into 11 sections, also called titles. Two sections of particular importance are Section 302 and Section 404.

Section 302

Section 302 pertains to “Corporate Responsibility for Financial Reports”. It requires the CEO and CFO to personally certify each periodic report: that they have reviewed it, that it contains no material misstatements or omissions, and that the financial statements “fairly present” the company’s financial condition. The same certification makes them responsible for establishing and maintaining internal controls, for evaluating their effectiveness, and for disclosing any significant deficiencies or fraud to the auditors and the audit committee.

Section 404

Section 404 deals with “Management Assessment of Internal Controls”. It requires management to establish, maintain, and annually assess the effectiveness of the company’s internal control over financial reporting (ICFR) and to include that assessment in the annual report. ICFR includes the computers, network hardware, and other electronic infrastructure that financial data passes through, which is why IT general controls are in scope. Section 404(b) additionally requires the company’s independent registered public accounting firm to attest to the effectiveness of ICFR as part of the annual audit; the auditor’s attestation report is published in the annual report (Form 10-K) filed with the SEC rather than sent to the SEC separately. Smaller reporting companies (non-accelerated filers) are exempt from the 404(b) auditor attestation but must still perform and report management’s own assessment.

Other key provisions under SOX include:

  • Required disclosure of transactions and relationships that are off the balance sheet and could impact financial status;
  • Prohibition of personal loans from a corporation to executives;
  • Establishment of fines and terms of imprisonment for tampering with or destroying documents in the event of investigations or court action; and
  • Requirements for attorneys who represent public companies before the SEC to report evidence of material securities law violations to the company’s chief legal counsel or CEO.

SOX also encourages disclosure of corporate fraud by protecting whistleblower employees of publicly traded companies or their subsidiaries who report illegal activities against retaliation, including dismissal and discrimination.

SOX Enforcement and Penalties for Non-Compliance

The Securities and Exchange Commission (SEC) enforces SOX, and the Department of Justice prosecutes its criminal provisions. Under Section 906, an officer who certifies a periodic report knowing that it does not comply with the Act faces up to $1 million in fines and 10 years in prison; willfully certifying a misleading or fraudulent financial report raises this to up to $5 million and 20 years. SOX also makes it a crime (Section 1107) to knowingly retaliate against a whistleblower for disclosing truthful information to a law enforcement officer regarding an alleged federal offense. This type of retaliation is punishable by up to 10 years imprisonment.

What Resources Can I Use to Develop and Assess Internal Controls Related to Information Technology?

There are several useful resources you can turn to when setting control objectives and preparing for a SOX compliance audit:

PCAOB

The Public Company Accounting Oversight Board was created by SOX to oversee the audits of public companies. It sets the auditing standards that external auditors must follow, including AS 2201, which governs audits of internal control over financial reporting, and it inspects registered audit firms. PCAOB does not publish an information-security checklist; what it publishes are the auditing standards and staff guidance that determine how an auditor will test your IT general controls. PCAOB updates these standards periodically, so refer to the current versions as you prepare for an audit.

COBIT

Control Objectives for Information and Related Technology (COBIT) is a framework published by ISACA, a leading organization in the production of guidelines for developing and assessing internal controls for IT systems. COBIT 4.1, the version most SOX programs were originally built on, outlined best practices for 34 IT processes; COBIT 2019 reorganizes this material into 40 governance and management objectives.

COSO

The Committee of Sponsoring Organizations of the Treadway Commission is a joint organization consisting of representatives from the Institute of Management Accountants (IMA), the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA), and Financial Executives International (FEI). COSO published its Internal Control - Integrated Framework in 1992 and issued a revised version in 2013. The framework outlines guidelines for designing and implementing internal controls; it is the framework most U.S. registrants use for their Section 404 assessment, and PCAOB’s auditing standards are written with it in mind.

ITGI

The Information Technology Governance Institute, now part of ISACA, is dedicated to helping businesses meet their objectives without compromising information security. ITGI published IT Control Objectives for Sarbanes-Oxley, a framework that maps COBIT control objectives onto the COSO components relevant to financial reporting. Unlike COBIT as a whole, it deals only with the IT general controls that bear on financial reporting.

Preparing for a SOX Compliance Audit

A SOX audit of a company’s internal control over financial reporting takes place once a year, integrated with the audit of the financial statements, and must be performed by an independent registered public accounting firm. The company’s audit committee is responsible for engaging the auditor. The external attestation is separate from any internal audit work: internal audit can help management test controls, but it cannot substitute for the independent attestation, and the external auditor must remain independent of the functions it examines. Companies schedule the audit so that results are available for inclusion in their annual report, since the attestation is published to shareholders in the Form 10-K.

The first step in an audit is for your management team to meet with the accounting firm to discuss the specifics of the audit, including when it will take place, which systems and processes are in scope, what its purposes are, and what results management expects to see.

SOX Audit of Internal Controls

The biggest portion of a SOX audit is a review of internal controls, including the computers, network hardware, and other electronic infrastructure that financial data passes through. From an IT perspective, a typical audit covers the following areas:

Access

Access controls can be physical or electronic; their purpose is to prevent unauthorized users from viewing sensitive information. This includes ensuring that cloud resources and physical servers are secure, effective password controls are being used, and lockout screens and other measures are in place. Implementing the principle of least privilege is considered one of the best methods of access control.
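The access review an auditor expects to see is easiest to understand as a concrete check. The following is an added example, not code from Hyperproof or from the page; the HR roster, the least-privilege baseline, the segregation-of-duties matrix, and the ERP entitlement export are all constructed inline, and the field layout is an assumption about a hypothetical ERP rather than any real product’s export format. It flags the four things a quarterly user-access review for an in-scope financial system usually has to answer: leavers who still hold access, roles beyond what a job requires, toxic role combinations one person must not hold, and entitlements nobody has used. It also covers the “Access controls” item in the FAQ list later on this page.

```python
"""Periodic user-access review for a SOX in-scope financial system (added example)."""
from collections import defaultdict
from datetime import date, timedelta

TODAY = date(2024, 3, 31)  # review date; constructed

# Constructed HR roster: employee id -> (employment status, job role).
HR_ROSTER = {
    "e100": ("active", "ap_clerk"),
    "e101": ("active", "ap_manager"),
    "e102": ("terminated", "ap_clerk"),
    "e103": ("active", "developer"),
}

# Hypothetical least-privilege baseline: the ERP roles each job role may hold.
ROLE_BASELINE = {
    "ap_clerk": {"vendor_create", "invoice_entry"},
    "ap_manager": {"invoice_approve", "payment_release"},
    "developer": set(),  # developers hold no business roles in production
}

# Hypothetical segregation-of-duties matrix: role pairs one person must not hold.
TOXIC_COMBINATIONS = [
    frozenset({"invoice_entry", "invoice_approve"}),
    frozenset({"vendor_create", "payment_release"}),
]

# Constructed entitlement export from the hypothetical ERP: (employee id, role, last use).
ENTITLEMENTS = [
    ("e100", "vendor_create", TODAY - timedelta(days=3)),
    ("e100", "invoice_entry", TODAY - timedelta(days=3)),
    ("e100", "invoice_approve", TODAY - timedelta(days=1)),
    ("e101", "invoice_approve", TODAY - timedelta(days=2)),
    ("e101", "payment_release", TODAY - timedelta(days=2)),
    ("e102", "invoice_entry", TODAY - timedelta(days=120)),
    ("e103", "payment_release", TODAY - timedelta(days=200)),
]


def review_access(roster, baseline, toxic, entitlements, today, dormant_days=90):
    """Return a sorted list of (employee, role, finding) tuples for the auditor."""
    findings = []
    roles_by_user = defaultdict(set)
    for emp, role, last_used in entitlements:
        roles_by_user[emp].add(role)
        status, job = roster.get(emp, ("not in HR", None))
        if status != "active":
            # Leavers and identities unknown to HR: access should already be revoked.
            findings.append((emp, role, f"account {status}"))
            continue
        if role not in baseline.get(job, set()):
            # Least privilege: the role is not part of this job's approved baseline.
            findings.append((emp, role, f"role outside baseline for {job}"))
        if (today - last_used).days > dormant_days:
            # Unused entitlements are the first thing to remove in a review.
            findings.append((emp, role, f"unused for more than {dormant_days} days"))
    # Segregation of duties is a property of the whole role set, not of one grant.
    for emp, roles in roles_by_user.items():
        if roster.get(emp, ("", None))[0] != "active":
            continue  # already reported above
        for pair in toxic:
            if pair <= roles:
                findings.append((emp, "+".join(sorted(pair)), "segregation-of-duties conflict"))
    return sorted(findings)


if __name__ == "__main__":
    for emp, role, finding in review_access(
        HR_ROSTER, ROLE_BASELINE, TOXIC_COMBINATIONS, ENTITLEMENTS, TODAY
    ):
        print(f"{emp:6} {role:32} {finding}")
```

Each finding maps to evidence an auditor will ask for: the HR termination date for the leaver, the approval record for the out-of-baseline role, and the documented compensating control (or the removal) for the toxic combination. Running this from the same entitlement export every quarter, and keeping the output, is itself the evidence that the review control operates.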

Change management process

Change management covers your internal processes for adding new users or workstations, updating and installing software, and making changes to Active Directory or other components of the information architecture that financial systems depend on. Having a record of what was changed, when it was changed, who changed it, and who approved and tested it is necessary for a SOX IT audit, and these records also make it much easier to correct problems when they emerge.

Security

A SOX audit will examine the technology, policies, and procedures your organization has put in place to prevent breaches and promptly remediate incidents as they occur.

Backup procedures

The auditor will expect to see backup systems in place to protect your financial data, along with evidence that restores have actually been tested, since an untested backup is not a control.

Segregation of duties in the software development cycle

The auditor will check that no single person can write a change to a financial system, approve it, and move it into production: development, test, and production environments should be separate, and developers should not hold deployment rights to production. Where a small team makes this impossible, compensating controls such as independent post-deployment review must be documented.

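The change-management and segregation-of-duties checks above (and the “Change management controls” item in the FAQ list later on this page) come down to reconciling two sources: the ticketing system, which says what was authorized, and the production deployment log, which says what actually happened. The following is an added example, not code from Hyperproof or from the page. The ticket fields, the two in-scope system names, and the syslog-like deployment log format are all constructed assumptions about a hypothetical environment; a real run would read the same data from your ticketing tool and your deployment pipeline.

```python
"""Change-management reconciliation for SOX in-scope systems (added example)."""
import re
from datetime import datetime

IN_SCOPE = {"erp-prod", "gl-db"}  # hypothetical SOX in-scope systems

# Constructed change tickets from a hypothetical ticketing system.
TICKETS = {
    "CHG-101": {"system": "erp-prod", "developer": "alice", "approver": "carol",
                "deployer": "bob", "tested": True,
                "approved_at": datetime(2024, 3, 1, 9, 0),
                "deployed_at": datetime(2024, 3, 1, 18, 0)},
    "CHG-102": {"system": "gl-db", "developer": "dave", "approver": "dave",
                "deployer": "bob", "tested": True,
                "approved_at": datetime(2024, 3, 2, 9, 0),
                "deployed_at": datetime(2024, 3, 2, 18, 0)},
    "CHG-103": {"system": "erp-prod", "developer": "alice", "approver": "carol",
                "deployer": "alice", "tested": False,
                "approved_at": datetime(2024, 3, 3, 19, 0),
                "deployed_at": datetime(2024, 3, 3, 18, 0)},
}

# Constructed deployment log lines from the production systems (format is assumed).
DEPLOY_LOG = """\
2024-03-01T18:00:00Z erp-prod deploy user=bob change=CHG-101 ref=9f3a2c
2024-03-02T18:00:00Z gl-db deploy user=bob change=CHG-102 ref=1b77e0
2024-03-03T18:00:00Z erp-prod deploy user=alice change=CHG-103 ref=c0ffee
2024-03-04T02:13:00Z erp-prod deploy user=alice change=- ref=deadbe
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<system>\S+) deploy user=(?P<user>\S+) "
    r"change=(?P<change>\S+) ref=(?P<ref>\S+)$"
)


def parse_deploy_log(text):
    """Return one dict per deploy event; lines that are not deploy events are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def check_ticket(cid, t):
    """Segregation-of-duties and workflow checks on a single change ticket."""
    issues = []
    if t["approver"] == t["developer"]:
        issues.append("developer approved own change")
    if t["deployer"] == t["developer"]:
        issues.append("developer deployed own change")
    if not t["tested"]:
        issues.append("no test evidence")
    if t["approved_at"] > t["deployed_at"]:
        issues.append("approved after deployment")
    return [(cid, i) for i in issues]


def audit_changes(tickets, log_text, in_scope):
    """Return (identifier, finding) pairs: ticket-level issues plus log reconciliation."""
    findings = []
    # Direction 1: every ticket touching an in-scope system followed the workflow.
    for cid, t in tickets.items():
        if t["system"] in in_scope:
            findings.extend(check_ticket(cid, t))
    # Direction 2: every production deployment traces back to an authorized ticket.
    for ev in parse_deploy_log(log_text):
        if ev["system"] not in in_scope:
            continue
        t = tickets.get(ev["change"])
        if t is None:
            findings.append((ev["ref"], f"unauthorized deployment to {ev['system']} "
                                        f"by {ev['user']}: no ticket"))
        elif ev["user"] != t["deployer"]:
            findings.append((ev["ref"], "deployer differs from ticket"))
    return findings


if __name__ == "__main__":
    for ident, finding in audit_changes(TICKETS, DEPLOY_LOG, IN_SCOPE):
        print(f"{ident:8} {finding}")
```

The second direction is the one that catches what tickets alone cannot: a deployment with no ticket at all (the 02:13 event above) is exactly the “unauthorized change” an auditor samples for, and it only shows up when the deployment log is treated as the source of truth and reconciled back to approvals. Reading the log from the production system itself, rather than from a record the developers control, is what makes the reconciliation worth anything.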
SOX Compliance Checklist

While each audit will be tailored to the organization, there are a few general questions each organization should consider before an audit:

Are we working from an accepted framework such as COSO, COBIT, or ITGI’s IT Control Objectives for Sarbanes-Oxley?

Do we have policies that outline how to create, modify, and maintain accounting systems, including software that handles financial data?

What safeguards do we have to prevent data tampering? Have they been tested and found functional?

Is there a protocol for dealing with security breaches?

Is access to sensitive data being monitored and recorded?

Have previous breaches and failures of security safeguards been disclosed to auditors?

Have we provided SOX auditors with the access needed to do their job?

Do we use data classification to make it easier to monitor and enforce corporate policies for data handling?

SOX Compliance and Data Security

Although SOX does support good IT control hygiene, not all of your data security risks are addressed by SOX. A SOX audit covers only the internal controls related to a company’s accounting and financial reporting, not other types of sensitive data. These days, many organizations run their business in the cloud and have put various types of sensitive data in many third-party SaaS applications. While the typical IT scope of a SOX audit covers access, change management, security, and backup for the systems that feed financial reporting, a secure cloud environment needs controls a SOX audit will rarely examine: governance of third-party services, classification and protection of non-financial data, logging and monitoring across the whole estate, and identity and access management for every application rather than only the ones that touch the general ledger.

If you want to ensure sufficient security across all of your environments (cloud and on-premises) and all types of data, you may want to follow guidelines from other security and cloud security frameworks in addition to SOX, such as Cloud Security Alliance’s Cloud Controls Matrix and NIST SP 800-53.

SOX: Frequently Asked Questions

The Sarbanes-Oxley Act (SOX) was created in response to several high-profile corporate scandals that occurred in the early 2000s, including those involving Enron, WorldCom, and Tyco. These scandals revealed significant deficiencies in corporate governance, accounting practices, and financial reporting. The primary objective of SOX was to protect investors by improving the accuracy and reliability of corporate disclosures, thereby restoring public confidence in the financial markets. Enacted in 2002, SOX introduced stringent reforms to enhance transparency, accountability, and integrity in the corporate sector.

The Sarbanes-Oxley Act establishes a comprehensive framework to regulate corporate governance and financial practices. It mandates strict reforms to improve financial disclosures and prevent accounting fraud. Key provisions include:

  1. Enhanced financial disclosures: SOX requires companies to provide accurate and complete financial information, ensuring transparency and accountability in financial reporting.
  2. Internal controls: Companies must establish and maintain robust internal controls to safeguard against financial fraud and inaccuracies.
  3. Oversight of the accounting profession: The Act established the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession, ensuring the independence and competence of auditors.
  4. Executive accountability: Corporate executives, including CEOs and CFOs, must personally certify the accuracy of financial statements, making them directly accountable for any discrepancies.

The main components of SOX compliance include corporate governance, internal controls, financial reporting, audit oversight, and disclosure controls. Key sections of the act, such as Sections 302, 404, and 409, focus on management responsibility for accurate financial reporting and the need for robust internal controls.

  1. Section 302 – Corporate Responsibility for Financial Reports: This section requires the CEO and CFO of a company to personally certify the accuracy and completeness of financial reports. They must attest that the financial statements fairly represent the financial condition and operations of the company.
  2. Section 404 – Management Assessment of Internal Controls: This section mandates that companies must establish, maintain, and regularly evaluate the effectiveness of their internal controls over financial reporting. Additionally, an independent auditor must attest to the effectiveness of these controls. This provision aims to prevent and detect fraud and errors in financial reporting.
  3. Section 409 – Real Time Issuer Disclosures: This section requires companies to disclose material changes in their financial condition or operations “on a rapid and current basis”. The SEC implements this mainly through Form 8-K, which generally must be filed within four business days of the triggering event; the 48-hour figure often quoted for Section 409 is not what the rule requires. The aim is to ensure that investors have timely access to important information.

SOX controls are specific measures implemented by companies to ensure compliance with the Sarbanes-Oxley Act, particularly Section 404. These controls are designed to safeguard financial data, ensure accurate reporting, and prevent fraud. The four primary types of SOX controls are:

  1. Access controls: These controls regulate who has access to financial systems and data. They ensure that only authorized personnel can access sensitive financial information. This includes measures such as user authentication, role-based access controls, and regular reviews of access permissions.
  2. IT controls: These controls focus on the integrity and security of the IT systems used to process and store financial data. They include measures like data encryption, network security, system backup and recovery procedures, and regular IT audits to identify and address vulnerabilities.
  3. Change management controls: These controls manage and document changes to financial systems and processes. They ensure that any modifications are properly authorized, tested, and implemented without compromising the integrity of financial data. This includes maintaining detailed records of system changes and conducting impact assessments.
  4. Operational controls: These controls are designed to ensure that day-to-day operations align with established financial policies and procedures. They include regular reconciliations, transaction validations, and reviews of financial statements to detect and correct any discrepancies. Operational controls help maintain accuracy and consistency in financial reporting.

SOX compliance is mandatory for all publicly traded companies in the United States, including wholly-owned subsidiaries and foreign companies that are publicly traded and do business in the U.S. Additionally, private companies preparing for an IPO may also need to adhere to SOX requirements.

Section 404 is one of the most important and challenging aspects of SOX compliance. It requires management to assess and report on the effectiveness of the company’s internal control over financial reporting (ICFR). Additionally, it mandates that an external auditor must independently attest to the accuracy of management’s assessment. This section is intended to ensure that the financial data provided by the company is accurate, reliable, and free from material misstatements due to fraud or error.

Penalties for non-compliance with SOX can be severe, including fines, imprisonment for executives, and delisting from stock exchanges. Companies can face penalties for fraudulent financial reporting, inadequate internal controls, and failure to certify financial reports.

Internal controls are processes and procedures implemented by a company to ensure the integrity of financial and accounting information, promote accountability, and prevent fraud. Under SOX, companies must establish and maintain effective internal controls and procedures for financial reporting.

SOX audits are typically conducted annually. Companies must submit annual reports on their internal controls over financial reporting, which are then reviewed by external auditors as part of the company’s financial statement audit.

Best practices for achieving SOX compliance include:

  • Implementing strong internal controls and regularly testing their effectiveness.
  • Ensuring clear documentation of processes and procedures.
  • Conducting regular risk assessments and addressing identified risks.
  • Providing SOX-specific training for employees.
  • Using automated tools and software to manage compliance activities.

Hyperproof for SOX Compliance

Hyperproof is a compliance operations software solution that helps organizations get through their SOX compliance audits faster and more cost-effectively. Here are just a few of the ways Hyperproof can be used to make SOX compliance audits more manageable and less stressful:


Hit the ground running

Hyperproof comes with a SOX starter compliance template designed to help organizations accelerate their journey to compliance. The template comes with all SOX requirements and access to COSO and COBIT controls you can use as a starting point to develop your SOX controls. Once you’ve implemented the template, you can upload your existing evidence files, link them to the right controls and requirements, and iterate from there (e.g., tailor certain controls or collect additional pieces of evidence). For organizations who already have existing controls in place, it’s quite simple to edit the provided controls, add new controls, and remove superfluous ones.

Streamline the evidence collection and management processes

Instead of developing your own file system and using spreadsheets to track updates, you can store all of your evidence in Hyperproof and link each piece of evidence to the right control and requirement. Hyperproof provides the ability to link one evidence file to multiple requirements/controls, so you don’t have to pull the same evidence files again and again if you’re preparing for multiple audits.

Hyperproof also makes it easy for compliance professionals to collect evidence from business stakeholders. A compliance project owner can assign tasks to business stakeholders (e.g. submit this type of evidence) and remind people to complete their tasks on a cadence. Business stakeholders do not need to learn the language of compliance or any new tools. They can receive notifications to complete tasks through the tools they are already using (e.g., Outlook, Slack, Gmail), complete the tasks in those tools, and have information routed back and reflected in Hyperproof in near real-time.

Know exactly where you stand with an audit

Hyperproof provides real-time feedback on your audit preparedness and control evaluation efforts. It comes with dashboards to help you identify what controls are already in place and what’s missing in real-time so you can put solutions in place to close those gaps well ahead of an auditor’s visit.

When you’re ready to share your work with your auditor, you can invite your auditor to review your work in Hyperproof, so no one has to spend their precious time uploading/downloading files and sending emails back and forth. Additionally, Hyperproof provides a central place for compliance process owners and auditors to communicate with one another.

SOX expertise

Hyperproof has partnerships with professional service firms with proven track records and deep expertise in SOX compliance. If you need a referral, we’d love to talk.
