The Sarbanes-Oxley Act of 2002 (SOX) was passed by the United States Congress to protect the public from fraudulent or erroneous practices by corporations or other business entities.
The legislation set new and expanded requirements for all U.S. public company boards, management, and public accounting firms with the goal to increase transparency in financial reporting and to require formalized systems for internal controls. In addition, penalties for fraudulent activity are much more severe.
The stated goal of SOX is "to protect investors by improving the accuracy and reliability of corporate disclosures."
As such, public company management must individually certify the accuracy of financial information. SOX also increased the oversight role of boards of directors and the independence of external auditors who review the accuracy of corporate financial statements.
Meeting SOX compliance requirements is not only a legal obligation but good business practice. All organizations should behave ethically and limit access to financial data. It also has the added benefit of helping organizations keep sensitive data safe from insider threats, cyber-attacks, and security breaches.
In short, many SOX requirements overlap with the principles of data security.
Table of contents
- What is the history of the SOX Act?
- Who must comply with SOX?
- What are the SOX compliance requirements?
- What are the penalties for SOX non-compliance?
- What is a SOX compliance audit?
- How to prepare for a SOX compliance audit
- How does SOX compliance relate to data security?
- What are the benefits of SOX compliance?
- Common SOX compliance challenges
- Other organizations and frameworks you should be familiar with
- SOX compliance checklist
- How UpGuard can help with SOX compliance
What is the history of the SOX Act?
The Sarbanes-Oxley Act was enacted in 2002 as a reaction to a number of major financial scandals including Enron, Tyco International, Adelphia, Peregrine Systems, and WorldCom.
These scandals cost investors billions of dollars when the companies' share prices collapsed and impacted public confidence in US securities markets.
The Act contains eleven titles that cover additional corporate board responsibilities to criminal penalties. The enforcement and implementation of these requirements were given to the Securities and Exchange Commission (SEC).
Harvey Pitt, the 26th chairman of the SEC led the adoption of the rules and created the Public Company Accounting Oversight Board (PCAOB) which is in charge of overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies.
SOX also covers issues such as auditor independence, corporate governance, internal control assessments, and enhanced financial disclosure.
It was approved in the House by a vote of 423 in favor, 3 opposed, and 8 abstaining and in the Senate with a vote of 99 in favor and 1 abstaining.
When signing SOX into law, President George W. Bush stated it was "the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt. The era of low standards and false profits is over; no boardroom in America is above or beyond the law."
The Act is named after bill sponsors U.S. Senator Paul Sarbanes (D-MD) and U.S. Representative Michael G. Oxley (R-OH).
Canada (2002), Germany (2002), South Africa (2002), Turkey (2002), France (2003), Australia (2004), India (2005), Japan (2006), Italy (2006), and Israel (2006) have since followed the United States and introduced their own SOX like regulations.
Who must comply with SOX?
All publicly-traded companies, wholly-owned subsidiaries, and foreign companies that are publicly traded and do business in the United States must comply with SOX. SOX also applies accounting firms that audit public companies.
SOX places a barrier between the auditing function and accounting firms. The firm that audits the books of a publicly held company may no longer do the company's bookkeeping, audits, or business valuations, and is also banned from designing or implementing an information system, providing investment advisory and banking services, or consulting on other management issues.
Private companies, charities, and non-profits generally do not need to comply with all of SOX, however, they shouldn't knowingly destroy or falsify financial information, and SOX does impose penalties on organizations for non-compliance. In addition, whistleblower protection applies, such as retaliating against someone who provides a law enforcement officer with information relating to a possible federal offense and is punishable by up to 10 years imprisonment.
Private companies planning their Initial Public Offering (IPO) must comply with SOX before going public.
Finally, SOX contains mandates regarding the establishment of payroll system controls. A company's workforce, salaries, benefits, incentives, paid time off, and training costs must be accounted for and certain employers must adopt an ethics program that includes a code of ethics, a communication plan, and staff training.
What are the SOX compliance requirements?
The most important SOX compliance requirements are considered to be 302, 404, 409, 802, and 906:
- Section 302: Corporate Responsibility for Financial Reports – Every public company must file periodic financial statements and the internal control structure with the SEC. Section 302 states that the Chief Executive Officer (CEO) and Chief Financial Officer (CFO) are directly responsible for the accuracy, documentation, and submission of all financial reports and the internal control structure to the SEC. In addition, they are responsible for establishing and maintaining internal SOX controls and must validate those controls within 90 days prior to issuing the report.
- Section 404: Management Assessment of Internal Controls – Section 404 is the most complicated, most contested, and most expensive part of all the SOX compliance requirements. It requires that all annual financial reports include an Internal Control Report stating that management is responsible for an "adequate" internal control structure, and an assessment by management of the effectiveness fo the control structure. Any shortcomings must also be reported. In addition, a registered independent auditor must attest to the accuracy of the company management assertion that internal accounting controls and internal control framework are in place, operational, and effective. Both management and the external auditor are responsible for performing their assessment in the context of a top-down risk assessment, which requires management to base the scope of its assessment and evidence gathered on risk.
- Section 409: Real Time Issuer Disclosures – The essence of Section 409 is that companies are required to disclose, on an almost real-time basis, any material changes in the financial condition or operations. This is designed to protect the interests of investors and the public.
- Section 802: Criminal Penalties for Altering Documents – Section 802 imposes penalties of up to 20 years imprisonment for altering, destroying, mutilating, concealing, falsifying financial records, documents, or tangible objects with the intent to obstruct, impeded, or influence legal investigations. Additionally, it imposes penalties of up to 10 years on any accountant, auditor, or other who knowingly and willfully violates the requirements of maintenance of all audit or review papers for a period of 5 years.
- Section 806: Sarbanes Oxley Whistleblower – Section 806 encourages the disclosure of corporate fraud by protecting employees of publicly traded companies or their subsidiaries who report illegal activities. It authorizes the U.S. Department of Labor to protect whistleblower complaints against employers who retaliate and further authorizes the Department of Justice to criminally charge those responsible for the retaliation.
- Section 906: Corporate Responsibility for Financial Reports – The criminal penalty for certifying a misleading or fraudulent financial report can be upwards of $5 million in fines and 20 years in prison.
What are the penalties for SOX non-compliance?
Formal penalties for non-compliance with SOX can include fines, removal from delistings from public stock exchanges, and invalidation of D&O insurance policies. Under the Act, CEOs and CFOs who willfully submit an incorrect certification to a SOX compliance audit can face fines of $5 million and up to 20 years in jail.
What is a SOX compliance audit?
A SOX compliance audit is a mandated yearly assessment of how well your company is managing its internal controls and the results are made available to shareholders. The primary purpose of a SOX compliance audit is to verify the company's financial statements, however, cybersecurity is increasingly important. This is because internal controls are any type of protocol that deals with the infrastructure handling financial data, which are increasing information systems managed by IT departments.
Companies hire independent auditors to complete the SOX audit as they must be separate from any other audits to prevent conflicts of interest that could result in tampering or other issues.
Auditors can also interview personnel and verify that compliance controls are sufficient to maintain SOX compliance standards. Specifically, SOX sections 302, 404, and 409 require the following parameters and conditions must be monitored, logged, and audited:
- Internal controls
- Network activity
- Database activity
- Login activity (success and failures)
- Account activity
- User activity
- Information Access
How to prepare for a SOX compliance audit
Update your reporting and internal audit systems so you can pull any report the auditor requests quickly and verify that your SOX compliance software is working as intended so there are no unforeseen issues.
Your SOX auditor will focus on four main internal controls as part of the yearly audit. To be SOX compliant, you will need to be able to demonstrate that you have adequate controls for:
- Access control: Access control means physical controls like doors, badges, and locks, and electronic controls like role-based access control, the principle of least privilege, and permission audits. By maintaining a robust permissive access model you can demonstrate that each user only has access to what they need to do their job. Read our guide on access control for more information.
- Security: Security means that you can demonstrate security controls that prevent data breaches, close data leaks, and mitigate cyber threats. This will generally include some form of vendor risk management, continuous security monitoring, and attack surface management. UpGuard Vendor Risk can help you continuously assess the external security posture of third-party vendors and UpGuard BreachSight automatically finds data leaks and attack vectors in your attack surface. They'll also help with reporting to the board, shareholders, and management by creating easy-to-understand security ratings.
- Data backup: SOX requires financial services companies to maintain SOX compliant off-site backups of all financial records.
- Change management: SOX requires that you have defined processes to add and manage users, install new software, and when you make changes to databases or applications that manage your company's financials. A good way to document this is through configuration management.
How does SOX compliance relate to data security?
For IT departments and executives, compliance with SOX is an important ongoing concern. However, SOX compliance is more than just passing an audit. Appropriate data governance processes and procedures and have a number of tangible benefits on your business.
According to a 2019 survey:
- 57% benefit from improved internal controls over financial reporting structure
- 51% enhanced understanding of control design and control operating effectiveness
- 47% saw the continuous improvement of business processes
What are the benefits of SOX compliance?
When SOX was hurriedly passed, many executives wondered why they should be subjected to the same compliance burdens as those that had been dishonest or negligent. Smaller companies complained about the monopolization of executives' time and compliance costs running into millions of dollars.
SOX compliance benefits all publicly-listed companies by communicating a baseline level of financial assurance, promoting investor confidence, and market certainty.
SOX provides executives with a reason to divert some company profits to improving financial management processes and capabilities which protects shareholders, reduces the risk of lawsuits, and improves company operations by helping them avoid bad decisions.
SOX has allowed companies to standardize and consolidate key financial processes, eliminate redundant information systems, minimize inconsistencies in their data loss prevention policy, automate manual processes, reduce the number of handoffs, and eliminate unnecessary controls.
In short, the benefits of SOX compliance are:
- A strengthened control environment
- Improved documentation
- Increased Audit Committee involvement
- Convergence opportunities
- Standardized processes
- Reduced complexity
- Strengthening of weak links
- Minimization of human error
Common SOX compliance challenges
There are two common SOX compliance challenges most organizations face:
- Spreadsheet and end-user issues: Spreadsheets continue to be a staple in the SOX workflow, partly due to their ability to link data across different documents and automate basic tasks. However, modern audit projects now require more attributes and details about controls which can lead to version control issues, partial or incomplete data, typos, deleted data, analysis of incomplete data sets, and process owners who are left in the dark.
- Rising costs and resources: While SOX has brought many benefits to financial reporting and data security, remaining SOX compliant continues to rise in cost.
Other organizations and frameworks you should be familiar with
The Sarbanes-Oxley Act is over 60 pages and has spawned a number of related concepts, committees, and policies that relate to the auditing process:
- The Public Company Accounting Oversight Board (PCAOB): A nonprofit corporation created by the Sarbanes-Oxley Act to oversee the audits of public companies and other issuers to protect the interests of investors and the public. The PCAOB also oversees the audits of broker-dealers, including compliance reports filed pursuant to federal securities laws, to promote investor protection. All PCAOB rules and standards are approved by the SEC.
- The Committee of Sponsoring Organizations of the Treadway Commission (COSO): A joint initiative to combat corporate fraud that was established in the United States by five private sector organizations, dedicated to guiding executive management and government entities in relevant aspects of organizational governance, business ethics, internal control, business risk management, fraud, and financial reports. COSO has established a common internal control model against which companies and organizations can evaluate their control systems.
- Control Objectives for Information and Related Technologies (COBIT): A framework created by ISACA for information technology management and IT governance. The framework defines a set of generic processes for the management of IT, with each process defined together with process inputs and outputs, key process-activities, process objectives, performance measures, and an elementary maturity model.
- The Information Technology Governance Institute (ITGI): An IT framework to achieve SOX compliance that uses COBIT and COSO, but focuses on security instead of general compliance.
SOX compliance checklist
Every organization and audit is different, so a universal SOX compliance checklist isn't necessarily helpful. There are however a few general questions every business should consider:
- Are you using a commonly accepted framework such as COSO, COBIT, ITGI, or a combination of the three?
- Do you have information security policies in place that outline how to create, modify, and maintain accounting information systems that handle financial data?
- Are safeguards in place to prevent data tampering and to detect data leaks? If so, have they been tested?
- Is there an incident response plan in place for security breaches?
- Is access to sensitive information monitored and recorded?
- Have previous breaches and failures of security safeguards been disclosed to auditors?
- Is collecting valid SAS 70 reports from all applicable service organizations part of your third-party risk management framework?
- Is your SOX compliance software up to date and clear of any alerts?
- Have you provided SOX auditors with access needed to do their job?
- Are you maintaining regular SOX compliance status reports?
- Do you use data classification to make it easier to monitor and enforce corporate policies for data handling?
How UpGuard can help with SOX compliance
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar, and NASA use UpGuard's security ratings to protect their data, prevent data breaches and assess their security operations.
For the assessment of your information security controls, UpGuard BreachSight can monitor your organization for 70+ security controls providing a simple, easy-to-understand cyber security rating and automatically detect leaked credentials and data exposures in S3 buckets, Rsync servers, GitHub repos, and more.
UpGuard Vendor Risk can minimize the amount of time your organization spends assessing related and third-party information security controls by automating vendor questionnaires and providing vendor questionnaire templates.
We can also help you instantly benchmark your current and potential vendors against their industry, so you can see how they stack up.
You can read more about what our customers are saying on Gartner reviews.
If you'd like to see your organization's security rating, click here to request your free Cyber Security Rating.