What is SOX Compliance? 2023 Requirements, Controls and More

The Sarbanes-Oxley Act of 2002 (SOX) was passed by the United States Congress to protect the public from fraudulent or erroneous practices by corporations or other business entities. The law is named after Paul Sarbanes and Michael Oxley, the two congressmen who drafted it.

The legislation set new and expanded requirements for all U.S. public company boards, management, and public accounting firms with the goal of increasing transparency in financial reporting and formalizing systems for internal controls. In addition, penalties for fraudulent activity are much more severe.

The stated goal of SOX is "to protect investors by improving the accuracy and reliability of corporate disclosures."

As such, public company management must individually certify the accuracy of financial information. SOX also increased the oversight role of boards of directors and the independence of external auditors who review the accuracy of corporate financial statements.

Meeting SOX compliance requirements is not only a legal obligation but a good business practice. All organizations should behave ethically and limit access to their financial data. It also has the added benefit of helping organizations keep sensitive data safe from insider threats, cyber attacks, and security breaches.

The data security framework of SOX compliance can be summarized by five primary pillars:

  1. Ensure financial data security
  2. Prevent malicious tampering of financial data
  3. Track data breach attempts and remediation efforts
  4. Keep event logs readily available for auditors
  5. Demonstrate compliance in 90-day cycles

What is the History of the SOX Act?

The Sarbanes-Oxley Act was enacted in 2002 as a reaction to several major financial scandals, including Enron, Tyco International, Adelphia, Peregrine Systems, and WorldCom. These scandals cost investors billions of dollars when the companies' share prices collapsed and impacted public confidence in US securities markets.

The act contains eleven titles covering additional corporate board responsibilities and criminal penalties. The enforcement and implementation of these requirements were left to the Securities and Exchange Commission (SEC).

Harvey Pitt, the 26th chairman of the SEC, led the adoption of the rules and created the Public Company Accounting Oversight Board (PCAOB), which is in charge of overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies. SOX also covers auditor independence, corporate governance, internal control assessments, and enhanced financial disclosure.

It was approved in the House by a vote of 423 in favor, 3 opposed, and 8 abstaining, along with a vote of 99 in favor and 1 abstaining in the Senate.

When signing SOX into law, President George W. Bush stated it was "the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt. The era of low standards and false profits is over; no boardroom in America is above or beyond the law."

The Act was named after its bill sponsors, U.S. Senator Paul Sarbanes (D-MD) and U.S. Representative Michael G. Oxley (R-OH).

Canada (2002), Germany (2002), South Africa (2002), Turkey (2002), France (2003), Australia (2004), India (2005), Japan (2006), Italy (2006), and Israel (2006) have since followed the United States and introduced their own SOX-like regulations.

Who Must Comply With SOX?

All publicly-traded companies, wholly-owned subsidiaries, and foreign companies that are publicly traded and do business in the United States must comply with SOX. SOX also applies to accounting firms that audit public companies.

SOX places a barrier between the auditing function and accounting firms. The firm that audits the books of a publicly held company may no longer do the company's bookkeeping, audits, or business valuations and is also banned from designing or implementing information systems, providing investment advisory and banking services, or consulting on other management issues.

Private companies, charities, and non-profits generally do not need to comply with all of SOX; however, they must not knowingly destroy or falsify financial information. SOX also imposes penalties on organizations for non-compliance.

In addition, whistleblower protections apply: retaliating against someone who provides a law enforcement officer with information about a possible federal offense is punishable by up to 10 years' imprisonment.

Private companies planning their Initial Public Offering (IPO) must comply with SOX before going public.

Finally, SOX contains mandates regarding the establishment of payroll system controls. A company's workforce, salaries, benefits, incentives, paid time off, and training costs must be accounted for. Certain employers must adopt an ethics program that includes a code of ethics, a communication plan, and staff training.

SOX Compliance and IT Departments

The cooperation of IT departments is critical for SOX compliance because their efforts are necessary to ensure financial data security and financial record availability.

The IT department must provide documentation proving that the company's internal processes are well within the data security thresholds outlined in the Sarbanes-Oxley Act.

To fulfill their specific compliance obligations, IT departments must:

  • Have confident awareness of all privileged access policies
  • Understand current log management standards for all financial records
  • Be open to increased transparency in financial data security practices
  • Strive toward the continuous improvement of security risk remediation processes
  • Aspire toward the incorruptibility and continuous reliability of all financial data

Sections 302 and 404 of the SOX Act specify reporting parameters for IT departments to prevent internal and external agents from maliciously modifying financial information.


What are the SOX Compliance Requirements for 2022?

To comply with SOX regulations, organizations must conduct a yearly audit of their financial statements. The objective of this audit is to confirm the integrity of all data-handling processes and financial statements. The public company being audited must supply proof of all SOX internal controls ensuring data security and accurate financial reporting.

The most important SOX compliance requirements are considered to be 302, 404, 409, 802, and 906. Compliance in these areas is especially important for organizations engaged in data protection.

Section 302: Corporate Responsibility for Financial Reports

Every public company must file periodic financial statements and the internal control structure with the SEC.

Section 302 states that the Chief Executive Officer (CEO) and Chief Financial Officer (CFO) are directly responsible for the accuracy, documentation, and submission of all financial reports and the internal control structure to the SEC.

In addition, they are responsible for establishing and maintaining internal SOX controls and must validate those controls within 90 days before issuing the report.

Section 404: Management Assessment of Internal Controls

Section 404 is the most complicated, contested, and expensive part of all the SOX compliance requirements. It requires that all annual financial reports include an Internal Control Report stating that management is responsible for an "adequate" internal control structure and an assessment by management of the effectiveness of the control structure.

Any shortcomings must also be reported. In addition, a registered independent auditor must attest to the accuracy of the company management assertion that internal accounting controls and internal control framework are in place, operational, and effective.

Both management and the external auditor are responsible for performing their assessment in the context of a top-down risk assessment, which requires management to base the scope of its assessment and evidence gathered on risk.

Section 409: Real-Time Issuer Disclosures

The essence of Section 409 is that companies must disclose any material changes in the financial condition or operations on an almost real-time basis. This is designed to protect the interests of investors and the public.

Section 802: Criminal Penalties for Altering Documents

Section 802 imposes penalties of up to 20 years imprisonment for altering, destroying, mutilating, concealing, or falsifying financial records, documents, or tangible objects with the intent to obstruct, impede, or influence legal investigations.

Additionally, it imposes penalties of up to 10 years on any accountant, auditor, or other person who knowingly and willfully violates the requirement to maintain all audit or review papers for a period of 5 years.

Section 806: Sarbanes Oxley Whistleblower

Section 806 encourages the disclosure of corporate fraud by protecting employees of publicly traded companies and their subsidiaries who report illegal activities. It authorizes the U.S. Department of Labor to protect whistleblower complaints against employers who retaliate and further authorizes the Department of Justice to criminally charge those responsible for the retaliation.

Section 906: Corporate Responsibility for Financial Reports

The criminal penalty for certifying a misleading or fraudulent financial report can be upwards of $5 million in fines and 20 years in prison.

What are the Penalties for SOX Non-Compliance?

Formal penalties for non-compliance with SOX include fines, delisting from public stock exchanges, and invalidation of D&O insurance policies. Under the Act, CEOs and CFOs who willfully submit an incorrect certification to a SOX compliance audit can face fines of $5 million and up to 20 years in jail.

What is a SOX Compliance Audit?

A SOX compliance audit is a mandated yearly assessment of how well your company manages its internal controls, and the results are made available to shareholders. The primary purpose of a SOX compliance audit is to verify the authenticity of a company's financial statements; however, cybersecurity is becoming an increasingly important factor in SOX audits.

Companies hire independent auditors to complete the SOX audit as they must be separate from any other audits to prevent conflicts of interest that could result in tampering or other issues.

Auditors can also interview personnel and verify that compliance controls are sufficient to maintain SOX compliance standards. Specifically, SOX sections 302, 404, and 409 require that the following parameters and conditions be monitored, logged, and audited:

  • Internal controls
  • Network activity
  • Database activity
  • Login activity (success and failures)
  • Account activity
  • User activity
  • Information Access
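As an added illustration (not code from the original article or from UpGuard), the following Python script reviews constructed audit-log lines and produces the kind of evidence the monitoring items above and the 90-day reporting cycle call for: log coverage of the cycle, accounts with repeated failed logins, and changes to financial tables that lack a change ticket. The log format, table names, change-ticket convention, and thresholds are assumptions.

```python
"""Review constructed audit-log lines for SOX evidence: login failures,
unticketed changes to financial data, and coverage of one 90-day cycle."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events (not from any real system). Hypothetical format:
# "<UTC timestamp> <event kind> key=value ...".
SAMPLE_LOG = """\
2023-01-02T08:12:01Z login user=jdoe result=success src=10.0.0.5
2023-01-02T08:12:30Z login user=mallory result=failure src=203.0.113.9
2023-01-02T08:12:41Z login user=mallory result=failure src=203.0.113.9
2023-01-02T08:12:52Z login user=mallory result=failure src=203.0.113.9
2023-01-02T09:00:00Z db user=jdoe table=general_ledger action=UPDATE ticket=CHG-1042
2023-02-14T02:14:11Z db user=svc_batch table=general_ledger action=DELETE ticket=-
2023-03-30T17:05:00Z access user=asmith object=q1_financials.xlsx result=success
"""

FINANCIAL_TABLES = {"general_ledger", "accounts_payable"}  # assumed in-scope tables


def parse_ts(text):
    """Parse the hypothetical 'YYYY-MM-DDTHH:MM:SSZ' timestamp as aware UTC."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_event(line):
    """Turn one audit line into a dict of its fields."""
    ts, kind, *fields = line.split()
    event = {"ts": parse_ts(ts), "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def review_audit_log(log_text, period_end, failure_threshold=3):
    """Summarize one 90-day cycle ending at period_end (ISO string).

    coverage_ok        - events exist in both the first and last week of the cycle
    excessive_failures - users whose failed logins reached failure_threshold
    unticketed_changes - UPDATE/DELETE on financial tables with no change ticket
    """
    end = parse_ts(period_end)
    start = end - timedelta(days=90)
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    in_scope = [e for e in events if start <= e["ts"] <= end]

    failures = Counter(e["user"] for e in in_scope
                       if e["kind"] == "login" and e["result"] == "failure")
    unticketed = [(e["ts"].isoformat(), e["user"], e["table"], e["action"])
                  for e in in_scope
                  if e["kind"] == "db" and e["table"] in FINANCIAL_TABLES
                  and e["action"] in {"UPDATE", "DELETE"} and e["ticket"] in ("", "-")]
    first_week = any(e["ts"] < start + timedelta(days=7) for e in in_scope)
    last_week = any(e["ts"] > end - timedelta(days=7) for e in in_scope)

    return {
        "coverage_ok": first_week and last_week,
        "excessive_failures": {u: n for u, n in failures.items() if n >= failure_threshold},
        "unticketed_changes": unticketed,
    }


if __name__ == "__main__":
    for key, value in review_audit_log(SAMPLE_LOG, "2023-03-31T23:59:59Z").items():
        print(f"{key}: {value}")
```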

Digital transformation is expanding the range of potential pathways to processes handling financial data, making financial processes increasingly vulnerable to cybercriminal compromise. Future SOX audits will likely focus more on the role of internal control and cybersecurity frameworks in maintaining financial data integrity.

To prepare for this inevitable future, finance organizations must implement attack surface monitoring solutions to secure their private data.

How to Prepare for a SOX Compliance Audit in 2022

Update your reporting and internal audit systems so you can pull any report the auditor requests quickly and verify that your SOX compliance software is working as intended, so there are no unforeseen issues.

Your SOX auditor will focus on four main internal controls as part of the yearly audit. To be SOX compliant, your organization will need to demonstrate 4 primary security controls:


1. Secure Access Control Management

Access control means physical controls like doors, badges, and locks, and electronic controls like role-based access control (RBAC), the principle of least privilege, and permission audits.

By maintaining a robust permission model, you can demonstrate that each user only has access to what they need to do their job. Limiting user access to only the necessary resources greatly reduces the risk of unauthorized access should a breach occur.


2. Demonstrate a Resilient Cybersecurity Framework

Security means that you can demonstrate security controls that prevent data breaches, close data leaks, and mitigate cyber threats. This will generally include vendor risk management, continuous security monitoring, and attack surface management.

UpGuard Vendor Risk can help you continuously assess the external security posture of third-party vendors, and UpGuard BreachSight automatically finds data leaks and attack vectors in your attack surface. They'll also help report to the board, shareholders, and management by creating easy-to-understand security ratings.

3. Demonstrate Data Backup Protocols

SOX requires financial services companies to maintain SOX-compliant off-site backups of all financial records. Any central data center containing backed-up data is also regulated by SOX.

4. Change Management

SOX requires that you have defined processes for adding and managing users, installing new software, and making changes to databases or applications that manage your company's financials.

A good way to document this is through configuration management.

How Does SOX Compliance Relate to Data Security?

For IT departments and executives, compliance with SOX is an important ongoing concern. However, SOX compliance is more than just passing an audit. Appropriate data governance processes and procedures have a number of tangible benefits for your business.

According to a 2019 survey:

  • 57% benefited from improved internal controls over the financial reporting structure
  • 51% reported an enhanced understanding of control design and control operating effectiveness
  • 47% saw continuous improvement of business processes

What are the Benefits of SOX Compliance?

When SOX was hurriedly passed, many executives wondered why they should be subjected to the same compliance burdens as those that had been dishonest or negligent. Smaller companies complained about the monopolization of executives' time and compliance costs running into millions of dollars.

SOX compliance benefits all publicly-listed companies by communicating a baseline level of financial assurance, promoting investor confidence, stakeholder trust, and market certainty.

SOX provides executives with a reason to divert some company profits to improving financial management processes and capabilities, which protects shareholders, reduces the risk of lawsuits, and improves company operations by helping them avoid bad decisions.

The SOX Act has allowed companies to standardize and consolidate key financial processes, eliminate redundant information systems, minimize inconsistencies in their data loss prevention policy, automate manual processes, reduce the number of handoffs, and eliminate unnecessary controls.

In short, the biggest benefits of SOX compliance are:

  • Strengthened control environment
  • Improved documentation
  • Increased audit committee involvement
  • Convergence opportunities
  • Standardized processes
  • Reduced complexity
  • Strengthening of weak links
  • Minimization of human error

Common SOX Compliance Challenges

There are two common SOX compliance challenges most organizations face:

1. Spreadsheet and End-User Issues

Spreadsheets continue to be a staple in the SOX workflow, partly due to their ability to link data across different documents and automate basic tasks. However, modern audit projects now require more attributes and details about controls which can lead to version control issues, partial or incomplete data, typos, deleted data, analysis of incomplete data sets, and process owners who are left in the dark.

2. Rising Costs and Resources

While SOX has brought many benefits to financial reporting and data security, the cost of remaining SOX compliant continues to rise.

Noteworthy Organizations and Frameworks

The Sarbanes-Oxley Act is over 60 pages and has spawned a number of related concepts, committees, and policies that relate to the auditing process:

  • The Public Company Accounting Oversight Board (PCAOB): A nonprofit corporation created by the Sarbanes-Oxley Act to oversee the audits of public companies and other issuers to protect the interests of investors and the public. The PCAOB also oversees the audits of broker-dealers, including compliance reports filed pursuant to federal securities laws, to promote investor protection. All PCAOB rules and standards are approved by the SEC.
  • The Committee of Sponsoring Organizations of the Treadway Commission (COSO): A joint initiative to combat corporate fraud that was established in the United States by five private sector organizations, dedicated to guiding executive management and government entities in relevant aspects of organizational governance, business ethics, internal control, business risk management, fraud, and financial reports. COSO has established a common internal control model against which companies and organizations can evaluate their control systems.
  • Control Objectives for Information and Related Technologies (COBIT): A framework created by ISACA for information technology management and IT governance. The framework defines a set of generic processes for the management of IT, with each process defined together with process inputs and outputs, key process-activities, process objectives, performance measures, and an elementary maturity model.
  • The Information Technology Governance Institute (ITGI): An IT framework to achieve SOX compliance that uses COBIT and COSO, but focuses on security instead of general compliance.

2022 SOX Compliance Checklist

Every organization and audit is different, so a universal SOX compliance checklist isn't necessarily helpful. There are however a few general questions every business should consider:

🔲 Are you using a commonly accepted framework such as COSO, COBIT, ITGI, or a combination of the three?

🔲 Do you have information security policies in place that outline how to create, modify, and maintain accounting information systems that handle financial data?

🔲 Are safeguards in place to prevent data tampering and to detect data leaks? If so, have they been tested?

🔲 Is there an incident response plan in place for security breaches?

🔲 Is access to sensitive information monitored and recorded?

🔲 Have previous breaches and failures of security safeguards been disclosed to auditors?

🔲 Is collecting valid SAS 70 reports from all applicable service organizations part of your third-party risk management framework?

🔲 Is your SOX compliance software up to date and clear of any alerts?

🔲 Have you provided SOX auditors with access needed to do their job?

🔲 Are you maintaining regular SOX compliance status reports?

🔲 Do you use data classification to make it easier to monitor and enforce corporate policies for data handling?  

How UpGuard Can Help Your Business Become SOX-Compliant

UpGuard can protect your business from data breaches, identify all of your data leaks, and help you continuously monitor the security posture of all your vendors.
