The United States Congress passed the Sarbanes-Oxley Act in 2002 and established rules to protect the public from fraudulent or erroneous practices by corporations and other business entities. The goal of the legislation is to increase transparency in the financial reporting by corporations and to require a formalized system of checks and balances in each company.
SOX compliance is not just a legal obligation but also a good business practice. Of course, companies should behave ethically and limit access to internal financial systems. But implementing SOX financial security controls has the side benefit of also helping to protect the company from data theft by insider threat or cyberattack. SOX compliance can encompass many of the same practices as any data security initiative.
Get the Free Essential Guide to US Data Protection Compliance and Regulations
History of SOX Compliance
Senator Paul Sarbanes (D-MD) and Representative Michael G. Oxley (R-OH-4) wrote this bill in response to several high profile corporate sandals – Enron, Worldcom, and Tyco in particular.
The stated goal of SOX is “to protect investors by improving the accuracy and reliability of corporate disclosures.” The bill established responsibilities for Boards and officers of publicly traded companies and set criminal penalties for failure to comply. The bill passed by overwhelming majorities in both the House and Senate – only three members voted to oppose.
Who Must Comply with SOX?
SOX applies to all publicly traded companies in the United States as well as wholly-owned subsidiaries and foreign companies that are publicly traded and do business in the United States. SOX also regulates accounting firms that audit companies that must comply with SOX.
Private companies, charities, and non-profits are generally not required to comply with all of SOX. Private organizations shouldn’t knowingly destroy or falsify financial data, and SOX does have language to penalize those companies that do. Private companies that are planning an Initial Public Offering (IPO) should prepare to comply with SOX before they go public.
SOX Compliance Requirements
Here are the most important SOX requirements:
- CEOs and CFOs are directly responsible for the accuracy, documentation, and submission of all financial reports as well as the internal control structure to the SEC. Officers risk jail time and monetary penalties for compliance failures – intentional or not.
- SOX requires an Internal Control Report that states management is responsible for an adequate internal control structure for their financial records. Any shortcomings must be reported up the chain as quickly as possible for transparency.
- SOX requires formal data security policies, communication of data security policies, and consistent enforcement of data security policies. Companies should develop and implement a comprehensive data security strategy that protects and secures all financial data stored and utilized during normal operations.
- SOX requires that companies maintain and provide documentation proving they are compliant and that they are continuously monitoring and measuring SOX compliance objectives.
SOX Compliance Audits
SOX mandates companies complete yearly audits and make those results easily available to any stakeholders. Companies hire independent auditors to complete the SOX audits, which must be separate from any other audits to prevent a conflict of interest.
The primary purpose of the SOX compliance audit is the verification of the company’s financial statements. Auditors compare past statements to the current year and determine if everything is copasetic. Auditors can also interview personnel and verify that compliance controls are sufficient to maintain SOX compliance standards.
Preparing for a SOX Compliance Audit
Make sure to update your reporting and internal auditing systems so you can pull any report the auditor requests quickly. Verify that your SOX compliance software systems are currently working as intended so there will be no surprises with those systems.
SOX Internal Controls Audit
Your SOX auditor will investigate four internal controls as part of the yearly audit. To be SOX compliant, it is crucial to demonstrate your capability in the following controls:
- Access: Access means both physical controls (doors, badges, locks on file cabinets) and electronic controls (login policies, least privileged access, and permissions audits). Maintaining a least permissive access model means each user only has the access necessary to do their jobs and is a requirement of SOX compliance.
- Security: Security in this context means that you can demonstrate protections against data breaches. How you choose to implement this control is up to you.
- Data Backup: Maintain SOX compliant off-site backups of all of your financial records.
- Change Management: Have defined processes to add and maintain users, install new software, and make any changes to databases or applications that manage your company financials.
Benefits of Compliance Software for a SOX Audit
One of the better ways to demonstrate SOX compliance is by implementing a data-centric software security platform. Modern data-security platforms can help you identify permissions issues, find and tag your sensitive financial data, and protect you from data breaches or ransomware attacks.
Pro tip: Varonis does all of that and more.
It’s never a bad idea to make a SOX compliance checklist. Here are some suggestions and compliance best practices:
- Verify your SOX compliance software is up to date and clear of any alerts, and investigate any alerts as soon as possible. This is a whole checklist in of itself.
- Maintain regular SOX compliance status reports. The last thing you want is to have a surprise fire drill the day of the scheduled audit. Stay on top of the situation year round.
- Provide SOX auditors with the access they need to do their job.
- Report any security breaches or compliance issues as soon as you can.
Benefits of SOX Compliance
SOX provides the framework that companies need to follow to be better stewards of their financial records, which in turn improves many other aspects of the company.
SOX compliant companies report that their financials are more predictable, which makes stockholders happy. Companies also report that they have easier access to capital markets due to their improved financial reporting.
By implementing SOX, companies are safer from cyberattack and the expensive, embarrassing aftermath of a data breach. Data breaches are expensive to manage and clean up, and companies might never recover the damage to their brand.
SOX compliance builds a cohesive internal team and improves communication between teams involved with the audits. The benefits of a companywide program like SOX can have other tangible effects on the company – like improved cross-functional communication and cooperation.
Other Organizations and Frameworks to Be Familiar With
SOX sprouted several other concepts you should know about while you work on your SOX journey.
- PCAOB: The Public Company Accounting Oversight Board develops auditing standards and trains auditors on best practices to perform a successful SOX audit.
- COSO: The Committee of Sponsoring Organizations updates their recommendations for internal controls to achieve SOX compliance. These recommendations inform the PCAOB auditing standards.
- COBIT: The Control Objectives for Information and Related Technology is another framework to implement SOX compliance developed by ISACA. It is a comprehensive list of 34 best practices for IT security.
- ITGI: The Information Technology Governance Institute is another IT framework to achieve SOX compliance. ITGI uses standards from both COBIT and COSO, but ITGI focuses on security instead of just focusing on general compliance.
SOX compliance doesn’t have to be difficult. Varonis automates many SOX data security controls. With Varonis, you can resolve permissions issues, find hidden SOX data, and detect abnormal access to your financial files.
Check out the Inside Out Security Show podcast featuring Varonis CFO Guy Melamed to hear how Varonis approaches SOX compliance!