The Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act of 2002 (SOX), passed by Congress and enforced by the Securities and Exchange Commission (SEC), is designed to protect shareholders and the general public from accounting errors and fraudulent practices used by businesses and to improve the accuracy of corporate disclosures. IT compliance and IT security professionals need to pay close attention to SOX because the regulation has clear implications for data management, reporting, and security.
Hyperproof’s compliance operation software helps organizations reduce SOX audit costs and can reduce time needed to prepare for a SOX compliance audit by 50%. Sign up for a personalized demo to see how we can help you with your SOX compliance effort:
- Utilize the pre-built SOX framework to make it easier to manage the entire process -- from documentation to testing and certification
- Keep SOX documentation accurate, consistent, and easily accessible
- Automate the collection of evidence for walkthroughs and testing
- Collaborate easily with your SOX auditor and ensure a seamless handoff
- Assign controls to program participants and keep team members on track
- Monitor your entire SOX environment in real time and stay on track with dashboards
What Is SOX?
The Sarbanes-Oxley Act, passed by Congress and enforced by the Securities and Exchange Commission (SEC), is designed to protect shareholders and the general public from accounting errors and fraudulent practices used by businesses and to improve the accuracy of corporate disclosures. Commonly called SOX, it is really a comprehensive set of regulations called the Public Company Accounting Reform and Investor Protection Act of 2002. It was enacted in response to a number of major corporate and accounting scandals.
Who needs to comply with SOX?
All provisions of SOX apply to publicly traded companies headquartered in the United States, as well as wholly-owned subsidiaries and foreign companies that are publicly traded and do business in the United States. SOX also applies to any third parties to which a publicly traded company outsources financial work.
In general, private companies, charities, and nonprofits are not required to comply with all SOX provisions. However, certain provisions of SOX also affect privately held companies and nonprofits. For instance, intentionally destroying, altering, or falsifying documents with the intention of impeding or influencing a federal agency investigation or a federal bankruptcy proceeding carries fines and up to twenty years imprisonment. In addition, whistleblower protection applies to these companies, which means that retaliating against someone who provides a law enforcement officer with information relating to a possible federal offense is punishable by up to 10 years imprisonment.
SOX also affects accounting firms; the rule builds a firewall between the auditing function and other services available from accounting firms. Thus, the firm that audits the books of a publicly held company may no longer do the company’s bookkeeping, non-financial audits, or business evaluations, and is also prohibited from designing or implementing an information system, providing investment advisory and banking services, or consulting on other management issues.
SOX also affects HR departments within publicly traded companies. It requires a firm to establish payroll system controls. A company’s workforce, salaries, benefits, incentives, paid time off, and training costs must all be accounted for under Section 404 of SOX.
Although SOX isn’t required for privately held companies, if your company aspires to go through an IPO in the next two to three years, it is beneficial to start planning for SOX compliance sooner rather than later, because it will take a while for your company to set up all necessary processes to fulfill SOX requirements.
What are the Compliance Requirements of SOX?
SOX is arranged into 11 sections, also called titles. Two sections of particular importance are Section 302 and Section 404.
Section 302 pertains to "Corporate Responsibility for Financial Reports". It establishes, in part, that CEOs and CFOs must review all financial reports and that the reports are "fairly presented" and don't contain misrepresentations. This section also establishes that CEOs and CFOs are responsible for the internal accounting controls.
Section 404 deals with "Management Assessment of Internal Controls" and requires companies to monitor and maintain internal controls related to the company’s accounting and financials. Internal controls include any computer, network hardware, and other electronic infrastructure that financial data passes through. It requires businesses to have an annual audit of these controls conducted by an external CPA firm. This audit assesses the effectiveness of all internal controls and reports its findings directly to the Securities and Exchange Commission (SEC).
Other key provisions under SOX include:
- Required disclosure of transactions and relationships that are off the balance sheet and could impact financial status;
- Prohibition of personal loans from a corporation to executives;
- Establishment of fines and terms of imprisonment for tampering with or destroying documents in the event of investigations or court action; and
- Requirements for attorneys who represent public companies before the SEC to report securities violations to the CEO.
SOX also encourages disclosure of corporate fraud by protecting whistleblower employees of publicly traded companies or their subsidiaries who report illegal activities against retaliation, including dismissal and discrimination.
SOX Enforcement and Penalties for Non-Compliance
The Securities and Exchange Commission (SEC) enforces SOX. SOX imposes criminal penalties for certifying a misleading or fraudulent financial report: willfully certifying misleading or fraudulent financial statements can carry fines of up to $5 million and up to 20 years in prison. SOX also makes it a crime for a person to knowingly retaliate against a whistleblower for disclosing truthful information to a law enforcement officer regarding an alleged federal crime. This type of retaliation is punishable by up to 10 years imprisonment.
What Resources Can I Use to Develop and Assess Internal Controls Related to Information Technology?
There are several useful resources you can turn to when setting control objectives and preparing for a SOX compliance audit:
The Public Company Accounting Oversight Board (PCAOB) was created to develop auditing standards and train auditors on the best practices for assessing a company’s internal controls. You can visit the PCAOB website to find the specific SOX requirements for information security that it has prepared for auditors. PCAOB publishes updates and changes to the auditing processes when it sees fit, so you’ll need to refer to these as you’re preparing for an audit.
Preparing for a SOX Compliance Audit
A SOX compliance audit of a company’s internal controls takes place once a year and must be performed by an independent auditor. It is your company’s responsibility to hire the auditor. Keep in mind that SOX audits must be separate from other internal audits to avoid a conflict of interest. Companies often choose to schedule the audit so that results are available for inclusion in their annual report (to satisfy the requirement that audit findings must be accessible to stockholders).
The first step of an audit is to have your management team meet with the accounting firm to discuss the specifics of the audit, including when it will take place, what it will cover, what its purposes are, and what results management expects to see.
SOX Audit of Internal Controls
The biggest portion of a SOX audit is a review of internal controls, including computers, network hardware and other electronic infrastructure that financial data passes through. From an IT perspective, a typical audit will look like this:
Access controls
Access controls can be physical or electronic; their purpose is to prevent unauthorized users from viewing sensitive information. This includes ensuring that cloud resources and physical servers are secure, that effective password controls are being used, and that lockout screens and other measures are in place. Implementing the principle of least privilege is considered one of the best methods of access control.
Security
A SOX audit will examine the technology, policies, and procedures your organization has put in place to prevent breaches and promptly remediate incidents as they occur.
Change management process
Change management involves your internal processes for adding new users or workstations, updating and installing new software, and making any changes to Active Directory databases or other information architecture components. Having a record of what was changed, when it was changed, and who changed it is necessary for a SOX IT audit, and these records will make it much easier to correct problems when they emerge.
Segregation of duties in the software development cycle
Backup
The auditor will expect to see backup systems in place to protect your sensitive data.
SOX Compliance Checklist
While each audit will be tailored to the organization, there are a few general questions each organization should consider before an audit:
- Am I working from an accepted framework such as COBIT, ITGI, or COSO?
- Do we have policies that outline how to create, modify, and maintain accounting systems, including software that handles financial data?
- What safeguards do we have to prevent data tampering? Have they been tested and found functional?
- Is there a protocol for dealing with security breaches?
- Is access to sensitive data being monitored and recorded?
- Have previous breaches and failures of security safeguards been disclosed to auditors?
- Have we provided SOX auditors with access needed to do their job?
- Do we use data classification to make it easier to monitor and enforce corporate policies for data handling?
SOX Compliance and Data Security
Although SOX does support good IT control hygiene, not all of your data security risks are fully addressed by SOX. The SOX audit will only cover the internal controls related to a company’s accounting and financials -- not other types of sensitive data. These days, many organizations are running their business in the cloud and have put various types of sensitive data in many third-party SaaS applications. The actual scope of a SOX audit leaves out certain key security principles that are imperative for ensuring your cloud environment is secure. While the typical IT scope of SOX covers Access, Security, Change Management, and Backup procedures, there are other important control categories, such as Governance, Change Control, and Identity and Access Management.
If you want to ensure sufficient security across all of your environments (cloud and on-premises) and all types of data, you may want to follow guidelines from other security and cloud security frameworks in addition to SOX, such as the Cloud Security Alliance’s Cloud Controls Matrix and NIST SP 800-53.
Can I Use Compliance Operations Software to Become SOX Certified Faster?
Hyperproof is a compliance operations software solution that helps organizations get through their SOX compliance audits faster and more cost-effectively. Here are just a few of the ways Hyperproof can be used to make SOX compliance audits more manageable and less stressful:
Hit the ground running
Hyperproof comes with a SOX starter compliance template designed to help organizations accelerate their journey to compliance. The template comes with all SOX requirements and access to COSO and COBIT controls you can use as a starting point to develop your SOX controls. Once you’ve implemented the template, you can upload your existing evidence files, link them to the right controls and requirements, and iterate from there (e.g., tailor certain controls or collect additional pieces of evidence). For organizations that already have existing controls in place, it’s quite simple to edit the provided controls, add new controls, and remove superfluous ones.
Instead of developing your own file system and using spreadsheets to track updates, you can store all of your evidence in Hyperproof and link each piece of evidence to the right control and requirement. Hyperproof provides the ability to link one evidence file to multiple requirements/controls, so you don’t have to pull the same evidence files again and again if you’re preparing for multiple audits.
Hyperproof also makes it easy for compliance professionals to collect evidence from business stakeholders. A compliance project owner can assign tasks to business stakeholders (e.g. submit this type of evidence) and remind people to complete their tasks on a cadence. Business stakeholders do not need to learn the language of compliance or any new tools. They can receive notifications to complete tasks through the tools they are already using (e.g., Outlook, Slack, Gmail), complete the tasks in those tools, and have information routed back and reflected in Hyperproof in near real-time.
Hyperproof provides real-time feedback on your audit preparedness and control evaluation efforts. It comes with dashboards to help you identify in real time which controls are already in place and which are missing, so you can put solutions in place to close those gaps well ahead of an auditor’s visit.
When you’re ready to share your work with your auditor, you can invite your auditor to review your work in Hyperproof, so no one has to spend their precious time uploading/downloading files and sending emails back and forth. Additionally, Hyperproof provides a central place for compliance process owners and auditors to communicate with one another.