The Ultimate Guide to The Sarbanes-Oxley Act (SOX)
What Is SOX?
The Sarbanes-Oxley Act of 2002 (SOX), passed by Congress and enforced by the Securities and Exchange Commission (SEC), is designed to protect shareholders and the general public from accounting errors and fraudulent practices by businesses and to improve the accuracy of corporate disclosures. Its formal title is the Public Company Accounting Reform and Investor Protection Act of 2002, and it was enacted in response to a series of major corporate and accounting scandals. IT compliance and IT security professionals need to pay close attention to SOX because the regulation has clear implications for data management, reporting, and security: the systems that produce and store financial data are part of the control environment the Act requires companies to assess.
Who needs to comply with SOX?
All provisions of SOX apply to companies whose securities are registered with the SEC and publicly traded in the United States, including their wholly-owned subsidiaries and foreign companies listed on U.S. exchanges. Third parties to which a public company outsources financial processes (payroll, billing, hosting of the general ledger) are not regulated by SOX directly, but their controls fall within the scope of the client company's assessment, which is why auditors ask such providers for a SOC 1 report covering the services they deliver.
In general, private companies, charities, and nonprofits are not required to comply with all SOX provisions. However, certain provisions of SOX apply to everyone, including privately held companies and nonprofits. For instance, intentionally destroying, altering, or falsifying documents in order to impede or influence a federal agency investigation or a federal bankruptcy proceeding (Section 802) carries fines and up to twenty years imprisonment. In addition, the criminal whistleblower protection in Section 1107 applies to these organizations, which means that retaliating against someone who provides a law enforcement officer with information relating to a possible federal offense is punishable by up to 10 years imprisonment.
SOX also affects accounting firms; the Act builds a firewall between the auditing function and other services an accounting firm offers. Under Section 201, the firm that audits the books of a publicly held company may no longer do the company's bookkeeping, outsourced internal audit work, or appraisal and valuation services, and is also prohibited from designing or implementing financial information systems, providing investment banking or investment advisory services, or performing management functions for the client.
SOX also affects HR departments within publicly traded companies. It requires a firm to establish payroll system controls. A company’s workforce, salaries, benefits, incentives, paid time off, and training costs must all be accounted for under Section 404 of SOX.
Although SOX isn’t required for privately held companies, if your company aspires to go through an IPO in the next two to three years, it is beneficial to start planning for SOX compliance sooner rather than later, because it will take a while for your company to set up all necessary processes to fulfill SOX requirements.
What are the Compliance Requirements of SOX?
SOX is arranged into 11 sections, also called titles. Two sections of particular importance are Section 302 and Section 404.
Section 302, “Corporate Responsibility for Financial Reports”, requires the CEO and CFO to certify each quarterly and annual report: that they have reviewed it, that it contains no material misstatements or omissions, and that it fairly presents the company's financial condition. The same certification makes them responsible for establishing and maintaining internal controls and for evaluating their effectiveness within the reporting period, so a control failure in the systems that feed the financial statements is a failure the signing officers personally attest to.
Section 404, “Management Assessment of Internal Controls”, requires management to establish and maintain internal control over financial reporting (ICFR) and to include an annual assessment of its effectiveness in the company's annual report (Section 404(a)). ICFR extends to the IT general controls over every system that financial data passes through: applications, databases, servers, network hardware and the cloud services that host them. For accelerated and large accelerated filers, Section 404(b) also requires a PCAOB-registered external audit firm to attest to management's assessment; the attestation report is filed as part of the annual report (Form 10-K) rather than delivered separately to the SEC. Smaller, non-accelerated filers must still perform the management assessment but are exempt from the external attestation.
Other key provisions of SOX protect whistleblowers: Section 806 shields employees of publicly traded companies and their subsidiaries who report suspected securities fraud or violations of SEC rules from retaliation, including dismissal, demotion, and discrimination.
SOX Enforcement and Penalties for Non-Compliance
The Securities and Exchange Commission (SEC) enforces the civil provisions of SOX; its criminal provisions are prosecuted by the Department of Justice. Under Section 906, an officer who certifies a financial report knowing it does not comply with the Act faces up to $1 million in fines and 10 years in prison, rising to $5 million and 20 years if the certification is willful. Section 1107 also makes it a crime to knowingly retaliate against a whistleblower for giving a law enforcement officer truthful information about a possible federal offense. This type of retaliation is punishable by up to 10 years imprisonment.
What Resources Can I Use to Develop and Assess Internal Controls Related to Information Technology?
There are several useful resources you can turn to when setting control objectives and preparing for a SOX compliance audit:
The Public Company Accounting Oversight Board (PCAOB) was created by SOX to set auditing standards and to register and inspect the firms that audit public companies. Its standard for Section 404(b) engagements, AS 2201, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, is the document your auditor works from, so it is the place to look for what will be tested, including the IT general controls in scope. PCAOB revises its standards periodically, so check for updates as you prepare for an audit.
Control Objectives for Information and Related Technology (COBIT) is a framework published by ISACA, a leading organization in producing guidelines for developing and assessing internal controls for IT systems. COBIT 4.1, the version most SOX programs were originally built on, describes 34 IT processes; COBIT 2019 reorganizes them into 40 governance and management objectives.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of the Institute of Management Accountants (IMA), the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA), and Financial Executives International (FEI). Its Internal Control Integrated Framework, first published in 1992 and substantially revised in 2013, sets out the components and principles of an effective system of internal control. The SEC requires management's Section 404 assessment to be based on a suitable, recognized control framework, and COSO is the one nearly all U.S. filers use, so PCAOB's auditing standards are written with it in mind.
The IT Governance Institute (ITGI), an ISACA affiliate, is dedicated to helping businesses meet their objectives without compromising information security. Its publication IT Control Objectives for Sarbanes-Oxley maps COBIT processes to the COSO components, and unlike the full COBIT framework it is scoped to the IT general controls that matter for financial reporting.
Preparing for a SOX Compliance Audit
A SOX compliance audit of a company's internal controls takes place once a year and must be performed by an independent, PCAOB-registered audit firm. Under Section 301 the audit committee of the board, not management, appoints, pays and oversees that firm, and the same firm may not provide the prohibited non-audit services described above. The external audit is also distinct from the company's own internal audit work, although internal audit's testing is often relied on as evidence. The auditor's attestation report is included in the annual report (Form 10-K), where it is available to shareholders, so the audit is timed so that findings are ready before the filing date.
The first step to an audit is to have your management team meet the accounting firm to discuss the specifics of the audit, including when it will take place, what it will cover, what its purposes are, and what results management expects to see.
SOX Audit of Internal Controls
The biggest portion of a SOX audit is a review of internal controls, including computers, network hardware and other electronic infrastructure that financial data passes through. From an IT perspective, a typical audit will look like this:
Access controls
Access controls can be physical or electronic; their purpose is to prevent unauthorized users from viewing or changing financial data. The auditor will want to see that cloud resources and physical servers are secured, that password policy, account lockout and screen-lock settings are enforced, that multi-factor authentication protects privileged and remote access, and that access to in-scope systems is reviewed periodically so that leavers and role changes are reflected promptly. Implementing the principle of least privilege, granting each account only the access its job requires, is considered one of the best methods of access control.
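The periodic access review mentioned above is usually evidenced with a reconciliation of application accounts against the HR roster. The following is an added example of that check, not code from the original page or from any product it describes; the roster, account export, role names and the 90-day review period are constructed assumptions, and the general-ledger application is hypothetical.

```python
"""Added example: user access review over an in-scope financial application.

Reconciles accounts exported from a (hypothetical) general-ledger application
against the HR roster and flags the exceptions a SOX ITGC auditor looks for:
terminated users with live accounts, accounts with no HR owner (orphans or
unmapped service accounts), privileged roles outside the approved admin group,
and accounts not reviewed within the review period. All data is constructed."""
from datetime import date, timedelta

# Constructed HR roster: user id -> (employment status, department)
HR_ROSTER = {
    "asmith": ("active", "Finance"),
    "bjones": ("terminated", "Finance"),
    "cchen":  ("active", "Engineering"),
    "dlee":   ("active", "IT"),
}

# Constructed account export from the general-ledger application.
GL_ACCOUNTS = [
    {"user": "asmith",  "roles": ["ap_clerk"], "last_reviewed": "2024-03-01"},
    {"user": "bjones",  "roles": ["ap_clerk"], "last_reviewed": "2024-03-01"},
    {"user": "cchen",   "roles": ["gl_admin"], "last_reviewed": "2024-03-01"},
    {"user": "dlee",    "roles": ["gl_admin"], "last_reviewed": "2023-06-01"},
    {"user": "svc_etl", "roles": ["gl_read"],  "last_reviewed": "2024-03-01"},
]

PRIVILEGED_ROLES = {"gl_admin"}     # assumption: roles that can change ledger data
APPROVED_ADMINS = {"dlee"}          # assumption: IT operations owns GL administration
REVIEW_PERIOD = timedelta(days=90)  # assumption: quarterly access reviews


def review_access(accounts, roster, as_of, privileged_roles=PRIVILEGED_ROLES,
                  approved_admins=APPROVED_ADMINS, review_period=REVIEW_PERIOD):
    """Return a list of (user, finding) tuples; an empty list means no exceptions.

    as_of is an ISO date string (YYYY-MM-DD) for the review date."""
    as_of_date = date.fromisoformat(as_of)
    findings = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            findings.append((user, "no HR record: orphan or unmapped service account"))
        elif person[0] != "active":
            findings.append((user, "HR status '%s' but account still enabled" % person[0]))
        for role in acct["roles"]:
            if role in privileged_roles and user not in approved_admins:
                findings.append((user, "privileged role '%s' outside approved admin group" % role))
        last = date.fromisoformat(acct["last_reviewed"])
        if as_of_date - last > review_period:
            findings.append((user, "not reviewed since %s" % last.isoformat()))
    return findings


if __name__ == "__main__":
    for user, finding in review_access(GL_ACCOUNTS, HR_ROSTER, "2024-04-15"):
        print("%-8s %s" % (user, finding))
```

Run against the constructed data as of 2024-04-15 the check flags bjones (terminated but still enabled), cchen (privileged role outside the admin group), dlee (review overdue) and svc_etl (no HR owner), while asmith passes. Each finding is the kind of item the reviewer must either remediate or document a justification for, and the signed-off output of the script is the evidence the auditor samples.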
Change management process
Change management covers your internal processes for adding users or workstations, installing and updating software, and making changes to Active Directory or other directory services, databases and other parts of the information architecture. A SOX IT audit requires a record of what was changed, when it was changed, who requested and approved it, and who deployed it; the auditor will sample changes from the period and trace each one back to its ticket and approval. Beyond satisfying the audit, those records make it much easier to find the cause of problems when they emerge.
Security
A SOX audit will examine the technology, policies, and procedures your organization has put in place to prevent and detect breaches and to remediate incidents promptly when they occur.
Backup procedures
The auditor will expect to see backups of the systems that hold financial data, retained for a defined period, and evidence that restores have been tested, since an untested backup is no control at all.
Segregation of duties in the software development cycle
No single person should be able to write a change, approve it, and put it into production. The auditor will look for developers without write access to production systems, for approvals recorded by someone other than the author, and for deployments performed by operations staff or an automated pipeline whose configuration is itself under change control.
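The change-record requirements (what, when, who) and the segregation-of-duties rule above can be tested mechanically over an export of production changes. The following is an added example of such a check, not code from the original page or from any ticketing or CI/CD tool; the records are constructed sample data and the field names are an assumption, not any particular system's schema.

```python
"""Added example: validate production change records for completeness and
segregation of duties.

Each record must say what changed, when, and who did it, must carry an approval,
and must respect segregation of duties: the author of a change may neither
approve it nor deploy it. Records and field names are constructed assumptions."""

REQUIRED_FIELDS = ("id", "description", "author", "approver", "deployer",
                   "requested_at", "deployed_at")

# Constructed change records, as might be exported from a ticketing or CI/CD
# system. Timestamps are ISO-8601 strings of identical format, so lexical
# comparison is chronological comparison.
CHANGES = [
    {"id": "CHG-101", "description": "Patch GL posting job", "author": "cchen",
     "approver": "dlee", "deployer": "ops_bot",
     "requested_at": "2024-03-02T09:00", "deployed_at": "2024-03-03T18:00"},
    {"id": "CHG-102", "description": "Hotfix AP export", "author": "cchen",
     "approver": "cchen", "deployer": "cchen",
     "requested_at": "2024-03-05T22:10", "deployed_at": "2024-03-05T22:15"},
    {"id": "CHG-103", "description": "", "author": "dlee",
     "approver": "", "deployer": "ops_bot",
     "requested_at": "2024-03-07T10:00", "deployed_at": "2024-03-06T10:00"},
]


def validate_change(rec):
    """Return the list of control exceptions for one change record (empty = clean)."""
    problems = []
    # Completeness: every required field must be present and non-empty.
    for field in REQUIRED_FIELDS:
        if not rec.get(field):
            problems.append("missing %s" % field)
    author = rec.get("author")
    approver = rec.get("approver")
    deployer = rec.get("deployer")
    # Segregation of duties: author must not be the approver or the deployer.
    if author and approver and author == approver:
        problems.append("author approved own change")
    if author and deployer and author == deployer:
        problems.append("author deployed own change")
    # Sequence: a change cannot be deployed before it was requested.
    requested = rec.get("requested_at")
    deployed = rec.get("deployed_at")
    if requested and deployed and deployed < requested:
        problems.append("deployed before it was requested")
    return problems


def validate_changes(records):
    """Map change id -> exceptions, keeping only records that have at least one."""
    exceptions = {}
    for rec in records:
        problems = validate_change(rec)
        if problems:
            exceptions[rec.get("id", "?")] = problems
    return exceptions


if __name__ == "__main__":
    for change_id, problems in validate_changes(CHANGES).items():
        print(change_id, "; ".join(problems))
```

On the constructed records CHG-101 is clean, CHG-102 is the classic one-person hotfix (written, approved and deployed by the same engineer), and CHG-103 has no description, no approver, and a deployment timestamp earlier than its request, which usually means the ticket was raised after the fact. The same three checks are what an auditor performs by hand on a sample; running them over the whole population before the audit turns surprises into items you have already remediated.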
SOX Compliance Checklist
While each audit will be tailored to the organization, there are a few general questions each organization should consider before an audit:
SOX Compliance and Data Security
Although SOX does support good IT control hygiene, not all of your data security risks are addressed by SOX. A SOX audit covers only the internal controls related to a company's accounting and financial reporting, not other types of sensitive data. These days, many organizations run their business in the cloud and have placed various kinds of sensitive data in many third-party SaaS applications, and the scope of a SOX audit leaves out security controls that are essential for keeping those environments secure. While the typical IT scope of SOX covers access, security, change management, and backup procedures for in-scope financial systems, a complete security program also needs governance, asset and configuration management, vulnerability management, logging and monitoring, incident response, and data protection across every system and data type, not just the ones that feed the financial statements.
If you want to ensure sufficient security across all of your environments (cloud and on-premises) and all types of data, you may want to follow guidelines from other security and cloud security frameworks in addition to SOX, such as Cloud Security Alliance’s Cloud Controls Matrix and NIST SP 800-53.
Hyperproof for SOX Compliance
Hyperproof is a compliance operations software solution that helps organizations get through their SOX compliance audits faster and more cost-effectively. Here are just a few of the ways Hyperproof can be used to make SOX compliance audits more manageable and less stressful:
Hyperproof comes with a SOX starter compliance template designed to help organizations accelerate their journey to compliance. The template comes with all SOX requirements and access to COSO and COBIT controls you can use as a starting point to develop your SOX controls. Once you've implemented the template, you can upload your existing evidence files, link them to the right controls and requirements, and iterate from there (e.g., tailor certain controls or collect additional pieces of evidence). For organizations that already have controls in place, it's quite simple to edit the provided controls, add new controls, and remove superfluous ones.
Instead of developing your own file system and using spreadsheets to track updates, you can store all of your evidence in Hyperproof and link each piece of evidence to the right control and requirement. Hyperproof provides the ability to link one evidence file to multiple requirements/controls, so you don’t have to pull the same evidence files again and again if you’re preparing for multiple audits.
Hyperproof also makes it easy for compliance professionals to collect evidence from business stakeholders. A compliance project owner can assign tasks to business stakeholders (e.g., submit this type of evidence) and remind people to complete their tasks on a cadence. Business stakeholders do not need to learn the language of compliance or any new tools. They can receive notifications to complete tasks through the tools they are already using (e.g., Outlook, Slack, Gmail), complete the tasks in those tools, and have the information routed back and reflected in Hyperproof in near real time.
Hyperproof provides real-time feedback on your audit preparedness and control evaluation efforts. It comes with dashboards that show which controls are already in place and which are missing, so you can close those gaps well ahead of an auditor's visit.
When you’re ready to share your work with your auditor, you can invite your auditor to review your work in Hyperproof, so no one has to spend their precious time uploading/downloading files and sending emails back and forth. Additionally, Hyperproof provides a central place for compliance process owners and auditors to communicate with one another.
Hyperproof has partnerships with professional service firms with proven track records and deep expertise in the SOX standard. If you need a referral, we’d love to talk.