The Sarbanes-Oxley Act of 2002 (SOX) was passed by the United States Congress to protect the public from fraudulent or erroneous financial reporting by corporations and other business entities. The law is named after Senator Paul Sarbanes and Representative Michael Oxley, the two members of Congress who sponsored it.
The legislation set new and expanded requirements for all U.S. public company boards, management, and public accounting firms with the goal of increasing transparency in financial reporting and formalizing systems for internal controls. In addition, penalties for fraudulent activity are much more severe.
The stated goal of SOX is "to protect investors by improving the accuracy and reliability of corporate disclosures."
As such, public company management must individually certify the accuracy of financial information. SOX also increased the oversight role of boards of directors and the independence of external auditors who review the accuracy of corporate financial statements.
Meeting SOX compliance requirements is not only a legal obligation but a good business practice. All organizations should behave ethically and limit access to their financial data. It also has the added benefit of helping organizations keep sensitive data safe from insider threats, cyber attacks, and security breaches.
The data security framework of SOX compliance can be summarized by five primary pillars:
- Ensure financial data security
- Prevent malicious tampering of financial data
- Track data breach attempts and remediation efforts
- Keep event logs readily available for auditors
- Demonstrate compliance in 90-day cycles
What is the History of the SOX Act?
The Sarbanes-Oxley Act was enacted in 2002 as a reaction to several major financial scandals, including Enron, Tyco International, Adelphia, Peregrine Systems, and WorldCom. These scandals cost investors billions of dollars when the companies' share prices collapsed and impacted public confidence in US securities markets.
The Act contains eleven titles covering additional corporate board responsibilities and criminal penalties. Implementation and enforcement of its requirements were delegated to the Securities and Exchange Commission (SEC).
Harvey Pitt, the 26th chairman of the SEC, led the adoption of the SEC rules that implement the Act. The Act itself created the Public Company Accounting Oversight Board (PCAOB), which oversees, regulates, inspects, and disciplines accounting firms in their roles as auditors of public companies. SOX also covers auditor independence, corporate governance, internal control assessments, and enhanced financial disclosure.
It was approved in the House by a vote of 423 in favor, 3 opposed, and 8 abstaining, along with a vote of 99 in favor and 1 abstaining in the Senate.
When signing SOX into law, President George W. Bush stated it was "the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt. The era of low standards and false profits is over; no boardroom in America is above or beyond the law."
The Act was named after its bill sponsors, U.S. Senator Paul Sarbanes (D-MD) and U.S. Representative Michael G. Oxley (R-OH).
Canada (2002), Germany (2002), South Africa (2002), Turkey (2002), France (2003), Australia (2004), India (2005), Japan (2006), Italy (2006), and Israel (2006) have since followed the United States and introduced their own SOX-like regulations.
Who Must Comply With SOX?
All companies whose securities are registered with the SEC, including their wholly-owned subsidiaries and foreign companies listed on US exchanges, must comply with SOX. SOX also applies to the accounting firms that audit those companies.
SOX places a barrier between a company's external audit and the other services its audit firm might sell. The firm that audits the books of a publicly held company may no longer provide bookkeeping, business valuation, or internal audit outsourcing services to that client, and is also banned from designing or implementing financial information systems, providing investment advisory and banking services, or consulting on other management issues.
Private companies, charities, and non-profits generally do not need to comply with most of SOX. Its criminal provisions, however, apply regardless of company type: knowingly destroying or falsifying records to obstruct an investigation (Section 802) is punishable by up to 20 years' imprisonment.
Whistleblower protection is likewise universal: retaliating against someone who provides a law enforcement officer with truthful information about a possible federal offense (Section 1107) is punishable by fines and up to 10 years' imprisonment.
Private companies planning their Initial Public Offering (IPO) must comply with SOX before going public.
Finally, payroll falls within the scope of SOX's financial reporting controls: a company's workforce, salaries, benefits, incentives, paid time off, and training costs all feed the financial statements and must be accurately accounted for. Section 406 also requires public companies to disclose whether they have adopted a code of ethics for senior financial officers and, if not, why.
SOX Compliance and IT Departments
IT departments are central to SOX compliance because the financial statements rest on systems they operate: the controls over access to, changes to, and operation of those systems (the IT general controls) determine whether financial data can be trusted and remains available.
SOX itself prescribes no specific technical thresholds. The IT department must instead document that the controls it has chosen are designed and operating effectively for every system that feeds financial reporting.
To fulfill their specific compliance obligations, IT departments must:
- Know and enforce all privileged-access policies
- Understand the current log management standards for all financial records
- Be open to increased transparency in financial data security practices
- Continuously improve the processes for remediating security risks
- Protect the integrity and continuous availability of all financial data
Sections 302 and 404 of the SOX Act drive most of IT's compliance work: the executive certification and internal control assessment they require depend on IT controls that prevent internal and external actors from maliciously modifying financial information.
What are the SOX Compliance Requirements for 2023?
To comply with SOX regulations, organizations must conduct a yearly audit of their financial statements. The objective of this audit is to confirm the integrity of all data-handling processes and financial statements. The public company being audited must supply proof of all SOX internal controls ensuring data security and accurate financial reporting.
The sections most relevant to compliance are 302, 404, 409, 802, 806, and 906. Compliance with these sections depends heavily on the controls that IT and security teams operate.
Section 302: Corporate Responsibility for Financial Reports
Every public company must file periodic financial statements and the internal control structure with the SEC.
Section 302 states that the Chief Executive Officer (CEO) and Chief Financial Officer (CFO) are directly responsible for the accuracy, documentation, and submission of all financial reports and the internal control structure to the SEC.
In addition, they are responsible for establishing and maintaining internal SOX controls and must validate those controls within 90 days before issuing the report.
Section 404: Management Assessment of Internal Controls
Section 404 is the most complicated, contested, and expensive part of all the SOX compliance requirements. It requires that all annual financial reports include an Internal Control Report stating that management is responsible for an "adequate" internal control structure and an assessment by management of the effectiveness of the control structure.
Any shortcomings must also be reported. In addition, a registered independent auditor must attest to the accuracy of management's assertion that internal accounting controls and the internal control framework are in place, operational, and effective. (Since the Dodd-Frank Act of 2010, non-accelerated filers, broadly companies with a public float under $75 million, are exempt from this Section 404(b) auditor attestation but must still perform the management assessment.)
Both management and the external auditor are responsible for performing their assessment in the context of a top-down risk assessment, which requires management to base the scope of its assessment and evidence gathered on risk.
Section 409: Real-Time Issuer Disclosures
The essence of Section 409 is that companies must disclose any material changes in the financial condition or operations on an almost real-time basis. This is designed to protect the interests of investors and the public.
Section 802: Criminal Penalties for Altering Documents
Section 802 imposes penalties of up to 20 years imprisonment for altering, destroying, mutilating, concealing, or falsifying financial records, documents, or tangible objects with the intent to obstruct, impede, or influence legal investigations.
Additionally, it imposes penalties of up to 10 years on any accountant, auditor, or other who knowingly and wilfully violates the requirements of maintenance of all audit or review papers for a period of 5 years.
Section 806: Sarbanes Oxley Whistleblower
Section 806 encourages the disclosure of corporate fraud by protecting employees of publicly traded companies and their subsidiaries who report illegal activities. It authorizes the U.S. Department of Labor to protect whistleblower complaints against employers who retaliate and further authorizes the Department of Justice to criminally charge those responsible for the retaliation.
Section 906: Corporate Responsibility for Financial Reports
Section 906 adds criminal penalties to the certifications required by Section 302: knowingly certifying a misleading or fraudulent financial report carries up to $1 million in fines and 10 years in prison, and wilfully doing so carries up to $5 million in fines and 20 years in prison.
What are the Penalties for SOX Non-Compliance?
Formal penalties for non-compliance with SOX include fines, delisting from public stock exchanges, and invalidation of D&O insurance policies. Under the Act, CEOs and CFOs who wilfully submit an incorrect certification can face fines of up to $5 million and up to 20 years in prison.
What is a SOX Compliance Audit?
A SOX compliance audit is a mandated yearly assessment of how well your company manages its internal controls, and the results are made available to shareholders. The primary purpose of a SOX compliance audit is to verify the authenticity of a company's financial statements, however, cybersecurity is becoming an increasingly important factor in SOX audits.
Companies hire independent auditors to complete the SOX audit as they must be separate from any other audits to prevent conflicts of interest that could result in tampering or other issues.
Auditors can also interview personnel and verify that compliance controls are sufficient to maintain SOX compliance standards. The Act does not list technical controls itself, but in practice auditors assessing the IT general controls that support sections 302, 404, and 409 expect the following to be monitored, logged, and auditable:
- Internal controls
- Network activity
- Database activity
- Login activity (success and failures)
- Account activity
- User activity
- Information Access
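The list above is what auditors ask to see; the following is an added example of how a security team turns raw access logs into that evidence. It is illustrative code written for this article, not part of the original page or any product. The log line format (timestamp, event type, user, target, outcome), the failure threshold, the business-hours window, and the names of the in-scope systems are all assumptions, and the log lines are constructed:

```python
"""Review constructed audit-log lines for the evidence items auditors expect:
login failures, writes to financial tables, and privilege changes.

Illustrative code, not from the original article or any product. The log
format, thresholds, and in-scope system names below are assumptions.
"""
from collections import Counter
from datetime import datetime

# Constructed sample log. Fields: ISO-8601 UTC timestamp, event type,
# user, target (system or table), outcome.
SAMPLE_LOG = """\
2023-03-01T08:01:12Z LOGIN alice gl-db SUCCESS
2023-03-01T08:02:45Z LOGIN bob gl-db FAILURE
2023-03-01T08:02:51Z LOGIN bob gl-db FAILURE
2023-03-01T08:03:02Z LOGIN bob gl-db FAILURE
2023-03-01T08:03:09Z LOGIN bob gl-db FAILURE
2023-03-01T08:03:30Z LOGIN bob gl-db SUCCESS
2023-03-01T09:15:00Z DB_WRITE alice gl-db.journal_entries SUCCESS
2023-03-01T22:40:17Z DB_WRITE svc-etl gl-db.journal_entries SUCCESS
2023-03-01T23:05:44Z ACCOUNT_CHANGE carol role=gl-admin SUCCESS
2023-03-02T02:11:05Z DB_WRITE bob gl-db.journal_entries SUCCESS
"""

FAILURE_THRESHOLD = 3           # assumed: 3+ failures then a success is suspicious
BUSINESS_HOURS = range(7, 20)   # assumed: 07:00-19:59 UTC is normal working time
FINANCIAL_TARGETS = ("gl-db",)  # assumed: targets with these prefixes are in SOX scope


def parse_line(line):
    """Split one log line into a dict; a malformed line raises ValueError."""
    ts, event, user, target, outcome = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event": event,
        "user": user,
        "target": target,
        "outcome": outcome,
    }


def in_scope(target):
    """True if the target is a system or table that feeds financial reporting."""
    return target.startswith(FINANCIAL_TARGETS)


def review(log_text):
    """Return the findings an auditor would ask for from this log."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])

    failed_logins = Counter()     # total failures per user
    streak = Counter()            # consecutive failures per user, reset on success
    suspicious_logins = []        # users whose failure streak ended in a success
    out_of_hours_writes = []      # users writing to financial tables outside hours
    privilege_changes = []        # users whose roles or privileges changed
    financial_access = Counter()  # who touched in-scope systems, for the access report

    for e in events:
        if in_scope(e["target"]):
            financial_access[e["user"]] += 1
        if e["event"] == "LOGIN":
            if e["outcome"] == "FAILURE":
                failed_logins[e["user"]] += 1
                streak[e["user"]] += 1
            else:
                if streak[e["user"]] >= FAILURE_THRESHOLD and e["user"] not in suspicious_logins:
                    suspicious_logins.append(e["user"])
                streak[e["user"]] = 0
        elif e["event"] == "DB_WRITE" and in_scope(e["target"]):
            if e["ts"].hour not in BUSINESS_HOURS:
                out_of_hours_writes.append(e["user"])
        elif e["event"] == "ACCOUNT_CHANGE":
            privilege_changes.append(e["user"])

    return {
        "failed_logins": dict(failed_logins),
        "suspicious_logins": suspicious_logins,
        "out_of_hours_writes": out_of_hours_writes,
        "privilege_changes": privilege_changes,
        "financial_access": dict(financial_access),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Each finding maps to one bullet above: the failure counts and the failure-then-success pattern cover login activity, the out-of-hours writes cover database activity, the account change covers account activity, and the per-user access counter is the information-access report. In a real deployment the same logic runs over logs shipped to a system the application owners cannot edit, since a log the administrator can rewrite is not evidence.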
Digital transformation is expanding the range of pathways into processes that handle financial data, making those processes more exposed to compromise. Future SOX audits will likely focus more on the role of internal control and cybersecurity frameworks in maintaining financial data integrity.
To prepare, finance organizations should monitor their attack surface continuously so that every pathway to financial data is known and defended.
How to Prepare for a SOX Compliance Audit in 2023
Update your reporting and internal audit systems so you can pull any report the auditor requests quickly and verify that your SOX compliance software is working as intended, so there are no unforeseen issues.
Your SOX auditor will focus on four main internal controls as part of the yearly audit. To be SOX compliant, your organization will need to demonstrate 4 primary security controls:
1. Secure Access Control Management
By maintaining a least-privilege access model, you can demonstrate that each user has access only to what they need to do their job. Limiting user access to the necessary systems and functions bounds the damage an attacker or a compromised account can do should a breach occur.
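Demonstrating least privilege to an auditor means periodically comparing what accounts can actually do against what their job role is supposed to allow. The following is an added example of such an access review, written for this article rather than taken from the original page or any product. The role baseline, the account export, and the 90-day dormancy window are all assumptions, and the data is constructed:

```python
"""Least-privilege access review over a constructed entitlement export.

Illustrative code, not from the original article or any product. The role
baseline, the accounts, and the dormancy window below are assumptions.
"""
from datetime import date

# Assumed role baseline: the entitlements each job role is approved to hold.
ROLE_BASELINE = {
    "ap-clerk": {"ap.invoice.create", "ap.invoice.view"},
    "ap-manager": {"ap.invoice.view", "ap.payment.approve"},
    "gl-accountant": {"gl.journal.post", "gl.journal.view"},
}

# Constructed export from an identity system: what each account can actually do.
ACCOUNTS = [
    {"user": "alice", "role": "ap-clerk",
     "entitlements": {"ap.invoice.create", "ap.invoice.view", "ap.payment.approve"},
     "last_login": date(2023, 2, 27), "enabled": True},
    {"user": "bob", "role": "gl-accountant",
     "entitlements": {"gl.journal.post", "gl.journal.view"},
     "last_login": date(2022, 10, 1), "enabled": True},
    {"user": "carol", "role": "ap-manager",
     "entitlements": {"ap.invoice.view", "ap.payment.approve"},
     "last_login": date(2023, 3, 1), "enabled": True},
    {"user": "dave", "role": "contractor",
     "entitlements": {"gl.journal.view"},
     "last_login": date(2023, 2, 15), "enabled": True},
]

DORMANT_DAYS = 90            # assumed: an enabled account unused this long is a finding
AS_OF = date(2023, 3, 1)     # assumed review date


def review_access(accounts, baseline, as_of, dormant_days=DORMANT_DAYS):
    """Return (kind, user, detail) findings for the access-review evidence."""
    findings = []
    for acct in accounts:
        if acct["role"] not in baseline:
            # No approved baseline: the access cannot be shown to be job-justified.
            findings.append(("unmapped_role", acct["user"], acct["role"]))
            continue
        excess = acct["entitlements"] - baseline[acct["role"]]
        if excess:
            # e.g. an AP clerk who can also approve payments: the classic
            # create-and-approve conflict that a least-privilege model prevents.
            findings.append(("excess_entitlement", acct["user"], sorted(excess)))
        idle_days = (as_of - acct["last_login"]).days
        if acct["enabled"] and idle_days > dormant_days:
            findings.append(("dormant_account", acct["user"], idle_days))
    return findings


if __name__ == "__main__":
    for kind, user, detail in review_access(ACCOUNTS, ROLE_BASELINE, AS_OF):
        print(f"{kind:20} {user:6} {detail}")
```

Run as a scheduled job against a real identity export, the output is the access-review evidence auditors ask for: every deviation from the approved model, with the user and the specific entitlement, on a date the reviewer can attest to. Closing each finding (removing the extra entitlement, disabling the dormant account, mapping the contractor to an approved role) is the remediation record that goes with it.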
2. Demonstrate a Resilient Cybersecurity Framework
Security means that you can demonstrate security controls that prevent data breaches, close data leaks, and mitigate cyber threats. This will generally include vendor risk management, continuous security monitoring, and attack surface management.
UpGuard Vendor Risk can help you continuously assess the external security posture of third-party vendors, and UpGuard BreachSight automatically finds data leaks and attack vectors in your attack surface. They'll also help report to the board, shareholders, and management by creating easy-to-understand security ratings.
3. Demonstrate Data Backup Protocols
SOX's record-retention requirements mean that financial records, and the audit evidence behind them, must survive system failure or compromise. Auditors therefore expect documented and tested backups of all financial records, typically held off-site or in a separate region. Any data center holding that backed-up data is also within the scope of SOX controls.
4. Change Management
SOX requires that you have defined processes to add and manage users, install new software, and when you make changes to databases or applications that manage your company's financials.
A good way to document this is through configuration management.
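Configuration management tells the auditor what changed; the harder question is whether the change record itself can be trusted. The following is an added example, written for this article and not taken from the original page or any product, of a tamper-evident change log: each entry is hashed together with the hash of the previous entry, so editing, deleting, or reordering a past change breaks the chain and is detected when the log is verified. The field names and the sample changes are assumptions, and the data is constructed:

```python
"""Hash-chained change record for systems in SOX scope.

Illustrative code, not from the original article or any product. Each entry
commits to the previous entry's hash, so any retroactive edit, deletion, or
reordering is detectable by re-walking the chain. Field names are assumptions.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first entry


def _canonical(body):
    """Stable JSON serialization so identical content always hashes identically."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_change(chain, change):
    """Append a change record to the chain (a list) and return the new entry."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "prev_hash": prev_hash, "change": change}
    entry = dict(body, hash=hashlib.sha256(_canonical(body)).hexdigest())
    chain.append(entry)
    return entry


def verify_chain(chain):
    """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("seq") != i or entry.get("prev_hash") != prev_hash:
            return False, i  # entry deleted, inserted, or reordered
        if hashlib.sha256(_canonical(body)).hexdigest() != entry.get("hash"):
            return False, i  # entry content edited after the fact
        prev_hash = entry["hash"]
    return True, None


# Constructed sample: three changes to in-scope financial systems.
SAMPLE_CHANGES = [
    {"ticket": "CHG-101", "system": "erp-prod", "who": "alice", "approver": "carol",
     "what": "deploy invoice-module 4.2", "when": "2023-03-01T10:00:00Z"},
    {"ticket": "CHG-102", "system": "erp-prod", "who": "bob", "approver": "carol",
     "what": "grant gl-accountant to dave", "when": "2023-03-02T09:30:00Z"},
    {"ticket": "CHG-103", "system": "gl-db", "who": "alice", "approver": "erin",
     "what": "alter table journal_entries add column memo", "when": "2023-03-03T14:05:00Z"},
]


def build_sample_chain():
    """Build the chain from the constructed sample changes."""
    chain = []
    for change in SAMPLE_CHANGES:
        append_change(chain, change)
    return chain


def tampered_sample_chain():
    """Copy of the sample chain in which entry 1's approver was edited afterwards."""
    chain = copy.deepcopy(build_sample_chain())
    chain[1]["change"]["approver"] = "bob"  # self-approval inserted retroactively
    return chain


if __name__ == "__main__":
    print(verify_chain(build_sample_chain()))     # (True, None)
    print(verify_chain(tampered_sample_chain()))  # (False, 1)
```

The chain only proves anything if its latest hash is recorded somewhere the people who write the log cannot alter, for example sent to the audit team or written to immutable storage at each review cycle; otherwise an insider can rewrite history and recompute every hash. Verification is cheap enough to run on every hand-off to auditors.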
How Does SOX Compliance Relate to Data Security?
For IT departments and executives, compliance with SOX is an important ongoing concern. However, SOX compliance is more than just passing an audit: appropriate data governance processes and procedures have a number of tangible benefits for your business.
According to a 2019 survey:
- 57% benefit from improved internal controls over financial reporting structure
- 51% enhanced understanding of control design and control operating effectiveness
- 47% saw the continuous improvement of business processes
What are the Benefits of SOX Compliance?
When SOX was hurriedly passed, many executives wondered why they should be subjected to the same compliance burdens as those that had been dishonest or negligent. Smaller companies complained about the monopolization of executives' time and compliance costs running into millions of dollars.
SOX compliance benefits all publicly-listed companies by communicating a baseline level of financial assurance, promoting investor confidence, stakeholder trust, and market certainty.
SOX provides executives with a reason to divert some company profits to improving financial management processes and capabilities, which protects shareholders, reduces the risk of lawsuits, and improves company operations by helping them avoid bad decisions.
The SOX Act has allowed companies to standardize and consolidate key financial processes, eliminate redundant information systems, minimize inconsistencies in their data loss prevention policy, automate manual processes, reduce the number of handoffs, and eliminate unnecessary controls.
In short, the biggest benefits of SOX compliance are:
- Strengthened control environment
- Improved documentation
- Increased audit committee involvement
- Convergence opportunities
- Standardized processes
- Reduced complexity
- Strengthening of weak links
- Minimization of human error
Common SOX Compliance Challenges
There are two common SOX compliance challenges most organizations face:
1. Spreadsheet and End-User Issues
Spreadsheets continue to be a staple in the SOX workflow, partly due to their ability to link data across different documents and automate basic tasks. However, modern audit projects now require more attributes and details about controls which can lead to version control issues, partial or incomplete data, typos, deleted data, analysis of incomplete data sets, and process owners who are left in the dark.
2. Rising Costs and Resources
While SOX has brought many benefits to financial reporting and data security, remaining SOX compliant continues to rise in cost.
Noteworthy Organizations and Frameworks
The Sarbanes-Oxley Act is over 60 pages and has spawned a number of related concepts, committees, and policies that relate to the auditing process:
- The Public Company Accounting Oversight Board (PCAOB): A nonprofit corporation created by the Sarbanes-Oxley Act to oversee the audits of public companies and other issuers to protect the interests of investors and the public. The PCAOB also oversees the audits of broker-dealers, including compliance reports filed pursuant to federal securities laws, to promote investor protection. All PCAOB rules and standards are approved by the SEC.
- The Committee of Sponsoring Organizations of the Treadway Commission (COSO): A joint initiative to combat corporate fraud that was established in the United States by five private sector organizations, dedicated to guiding executive management and government entities in relevant aspects of organizational governance, business ethics, internal control, business risk management, fraud, and financial reports. COSO has established a common internal control model against which companies and organizations can evaluate their control systems.
- Control Objectives for Information and Related Technologies (COBIT): COBIT is a framework created by ISACA for information technology management and IT governance. The framework defines a set of generic processes for the management of IT, with each process defined together with process inputs and outputs, key process-activities, process objectives, performance measures, and an elementary maturity model.
- The Information Technology Governance Institute (ITGI): A research body founded by ISACA. Its guidance "IT Control Objectives for Sarbanes-Oxley" maps COBIT's IT processes onto the COSO internal control model, giving IT departments a security-focused path to SOX compliance rather than general compliance guidance.
2023 SOX Compliance Checklist (Free Download)
Your organization's degree of compliance with the Sarbanes-Oxley Act of 2002 can be evaluated with the following set of questions.
- Have you performed a gap analysis against your existing controls and SOX's security requirements?
- Do you have a process for the ongoing measurement of SOX compliance (continuously updating gap analysis)?
- Are you using a commonly accepted framework such as COSO, COBIT, ITGI, or a combination of the three?
- Do you have information security policies outlining how to create, modify, and maintain accounting information systems that handle financial data?
- Have you documented all of the security controls and policies that are in place?
- Are safeguards in place to prevent data tampering and detect data leaks? If so, have they been tested?
- Is there an incident response plan in place for security breaches?
- Is access to sensitive information monitored and recorded?
- Have previous breaches and failures of security safeguards been disclosed to auditors?
- Are systems in place for detecting signs of a security breach taking place?
- Are processes in place for automatically logging security events into incident management systems?
- Do your incident management systems allow security staff to submit details of remediation efforts?
- Is collecting valid SOC 1 reports (the successor to SAS 70 reports) from all applicable service organizations part of your third-party risk management framework?
- Is your SOX compliance software up to date and clear of any alerts?
- Have you provided SOX auditors with the access needed to do their job?
- Are you maintaining regular SOX compliance status reports?
- Do you have processes to ensure accurate and up-to-date generation of financial reports?
- Do you use data classification to make it easier to monitor and enforce corporate policies for data handling?
- Can you confidently demonstrate to auditors that all necessary controls, processes, and procedures for SOX compliance are in place?
- Have the CEO and CFO signed all financial reports to attest their truthfulness?
- Have all financial reports been submitted to the Securities and Exchange Commission (SEC)?
- Has a preliminary internal audit been completed to assess any compliance shortcomings?
- Are processes in place for publishing real-time updates about major changes to the company's financial situation and/or ability to effectively operate to investors and the general public?
- Are processes in place for detecting fraudulent or misleading entries in financial reports?
- Are physical and electronic measures in place to prevent unauthorized access to sensitive information?
- Can you track who accessed and/or modified data relevant to SOX provisions in real time?
- Have staff undergone security awareness training explaining how to detect and report potential cybercriminal activities like phishing emails?
- Are reliable backup processes in place to ensure business continuity in the event of total system compromise, such as during ransomware attacks?
- Are you tracking all sensitive asset login attempts (especially resources housing sensitive financial data)?
- Are you applying timestamps to sessions involving access to financial data relevant to SOX provisions?
- Is all sensitive financial data encrypted (both at rest and in transit)?
- Can you generate reports for select officials outlining the daily efficacy status of all SOX control measures?
- Can you generate security incident reports for SOX auditors outlining which events were successfully addressed and which were not?
- Have you given SOX auditors access to all relevant systems and data streams?
- Is all system access for SOX auditors read-only?