All You Need to Know about SOX Compliance
The Sarbanes-Oxley Act of 2002, more commonly known as SOX or Sarbox, is a US law that aims to protect investors from accounting fraud, particularly in relation to publicly traded companies. Named after the two congressmen who drafted it, Paul Sarbanes and Michael Oxley, the law was enacted after a number of high-profile accounting scandals rocked the financial world in the early 2000s. It is enforced by the US Securities and Exchange Commission (SEC).
SOX brought with it stricter rules for corporate financial disclosures, but also covered a number of additional issues such as corporate governance and internal control assessments. It created the Public Company Accounting Oversight Board (PCAOB) to oversee auditors and ensure the preparation of informative, accurate and independent auditing reports as a way of protecting investors.
Despite not including any particular IT requirements within its text, SOX still has a major impact on how publicly traded companies must secure their IT systems. Why? The answer is fairly simple: nowadays, due to digitalization, the financial information that falls under the protection of the Sarbanes-Oxley Act is processed and stored in IT systems.
Section 302 and Section 404
Among the Sarbanes-Oxley Act’s many stipulations, there are two in particular that affect IT due to their clear implications for security and data management.
Section 302 requires that a company’s CEO and CFO personally certify that all financial reports submitted to the SEC are complete and accurate. More specifically, they must take personal responsibility for all internal controls and review them in the last 90 days before the submission of the reports. These internal controls inevitably include the IT infrastructure and how it protects financial data.
Section 404 goes even further and requires companies to have an annual audit of these internal controls, performed by an outside firm. The audit’s goal is to assess the effectiveness of the controls, and its findings are reported back directly to the SEC.
In an effort to clarify these SOX requirements, the PCAOB selected the Committee of Sponsoring Organizations (COSO) framework to act as guidance for companies in the creation and implementation of internal controls. However, many organizations have chosen to also use the more IT-specific Control Objectives for Information and related Technology (COBIT) framework to ensure full compliance. COBIT covers 34 IT processes, which it classifies into categories such as monitoring, acquisition and implementation, and delivery and support.
The recommendations listed in the two frameworks form an excellent starting point for the development of good practices for governance and the management of enterprise IT, incorporating widely accepted concepts and international standards.
Penalties under SOX
When it comes to penalties, SOX is no joking matter. CEOs and CFOs are required to submit periodic financial reports to the SEC along with a written statement certifying that the information inside them is accurate.
Should any irregularities be detected in these reports, under section 906 of SOX, those who certify them face dire consequences: if they are found to have knowingly certified an inaccurate report, they can be fined up to $1,000,000 or imprisoned for up to 10 years, or both. Those found to have willfully certified a false report, on the other hand, risk significantly more: up to $5,000,000 in fines or 20 years in prison, or both.
At the same time, under section 802, anyone who knowingly alters financial documents is subject to fines, imprisonment of up to 20 years, or both.
Data Loss Prevention and SOX Compliance
Data security is essential for SOX compliance: financial information should not be accessed by unauthorized personnel or be vulnerable to tampering or theft from malicious outsiders or disgruntled insiders. The possibility of data being lost or stolen undermines the integrity of sound financial records. It is therefore essential that, along with standard firewalls and antivirus software, companies look to Data Loss Prevention (DLP) solutions that can significantly decrease the possibility of such security incidents.
A DLP tool such as Endpoint Protector can scan entire networks for financial information and encrypt it when it is found in an unauthorized location. It can also block transfers of predefined types of data and ensure that all information being copied onto portable USB devices is encrypted and secure from potential theft or carelessness. Its data tracking logs and reports also make excellent supporting documentation for auditing purposes.