What is SOX compliance?
After several large corporate accounting scandals in the early 2000s that led to investors losing billions of dollars, the US government passed the Sarbanes-Oxley Act of 2002. Commonly referred to as SOX, the bill established and expanded financial and auditing requirements for publicly traded companies in order to protect investors and the public from fraudulent accounting practices.
SOX requires accurate and transparent financial disclosures and places personal responsibility for them on senior management. The law lays out provisions governing the relationship between auditors and the companies they audit to prevent conflicts of interest. It also includes criminal penalties for noncompliance, protection for whistleblowers, and a requirement that signing executives disclose significant control deficiencies and fraud to the company's auditors and audit committee.
The two main organizations responsible for implementing SOX are the Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB). The SEC is responsible for enforcing the act and implemented dozens of new rules to do so. One of these rules is that every public company must have its financial statements audited by an independent, registered accounting firm. The PCAOB was created to oversee these audits. All accounting firms that perform audits for public companies are required to register with the PCAOB.
Who needs to comply with SOX?
The majority of the act is aimed at publicly traded companies. This includes any wholly-owned subsidiaries and foreign companies that are publicly traded in the US. Private companies that are preparing to go public must also comply with some aspects of SOX.
Private companies, nonprofit companies and charities don’t have to comply with most of SOX. However, some provisions do affect them, including criminal penalties for falsifying documents and civil penalties for retaliation against whistleblowers.
With SOX, there is an emphasis on corporate accountability and transparency from top management and the board of directors. The CEO and the CFO must sign all periodic financial reports, certifying that they are accurate. There are significant penalties for signing a misleading report, including fines and imprisonment. Board members are also accountable under SOX. While board members aren't required to sign financial reports, they are subject to civil and criminal penalties for falsifying or concealing documents, and they can't retaliate against employees who report problems with accounting.
SOX penalties and fines
The SEC's Division of Enforcement is responsible for responding to noncompliance, and in serious cases the Department of Justice may file criminal charges. The SEC can impose a variety of sanctions, including:
- Civil fines
- Freezing payments or transactions during an investigation
- Permanent bars on serving as an officer or director of a publicly traded company
- Delisting from public stock exchanges
A finding of fraud can also cost executives their Directors and Officers (D&O) insurance coverage, since D&O policies commonly exclude deliberate fraud.
Fines for noncompliance with SOX are high. Under Section 906, knowingly certifying a financial report that does not meet the act's requirements is punishable by a fine of up to one million dollars, 10 years in prison or both. Willfully certifying such a report carries a fine of up to five million dollars, 20 years in prison or both.
Companies that retaliate against whistleblowers are also subject to civil remedies, including compensation for damages, back pay with interest, and reinstatement at the same seniority level the whistleblower would have held if not for the retaliation.
What data is protected under SOX?
SOX requires companies to protect the integrity of the financial data that feeds their reports. That means controlling not just the data itself but also every system and person that can read or change it. In practice, auditors expect you to monitor, log and be able to audit all:
- Internal controls
- Network and database activity
- Account activity
- Information access
- User activity, including login attempts and failures
SOX compliance requirements
The SOX Act contains 11 titles that cover the following areas:
Title I: Public Company Accounting Oversight Board
Title I established the PCAOB to manage the audits required under SOX. It also specifies the standards for auditing reports and for investigating and enforcing compliance.
Title II: Auditor Independence
Title II is designed to prevent conflicts of interest between companies and their auditors. Among its restrictions, auditing firms may not provide certain non-audit services, such as bookkeeping or financial information system design and implementation, to the companies they audit.
Title III: Corporate Responsibility
Title III requires the CEO and the CFO to personally certify the financial reports the company files with the SEC. It also requires each company to have an audit committee made up of independent board members with no financial ties to the company beyond their board service.
Section 302 specifically makes the CEO and CFO responsible for establishing and maintaining internal controls, and requires them to certify that they have evaluated the effectiveness of those controls within the 90 days before the report. They must also disclose to the auditors and the audit committee any significant deficiencies in the controls and any fraud, whether or not material, involving management or employees with a significant role in internal controls.
Title IV: Enhanced Financial Disclosures
Title IV increases the number of financial disclosures that a company must provide. These include transactions and relationships that are not included in the balance sheet but that could affect the company’s finances. Section 404 of this title requires that companies establish, maintain and assess internal controls over accounting and financial practices.
Section 404 is the most critical one for IT directors since it requires companies to annually assess and report on the effectiveness of their internal controls that impact financial reporting. This is the most complicated section, and often the most expensive one to implement. The internal testing must be reviewed by management. All failures of controls are to be classified as a deficiency, significant deficiency or material weakness and must be reported. Additionally, an independent auditor has to inspect and report on the company’s internal control practices.
Auditors typically group the IT general controls they review into four areas:
- Access — This includes physical and electronic security. Maintain a least-privilege model so that users have only the access necessary to do their jobs, and review that access regularly.
- Security — This includes your protection against data breaches.
- Data backup — Backups of financial data are in scope: they need the same access controls as production, should be stored off-site, and should be tested to confirm they can actually be restored.
- Change management — Documented, approved processes are required to add users, install or update software, change databases, or make any other change to systems that support financial reporting.
Title V: Analyst Conflicts of Interest
Title V aims to ensure that analysts who make recommendations about buying securities are objective and independent. Analysts must report any conflicts of interest, such as a financial stake in a company.
Title VI: Commission Resources and Authority
Title VI addresses the SEC’s role and authority in ensuring compliance.
Title VII: Studies and Reports
Title VII outlines the studies the SEC will perform and the reports it will produce.
Title VIII: Corporate and Criminal Fraud Accountability
Title VIII covers the criminal consequences of falsifying, destroying or concealing documents or otherwise trying to interfere with a federal investigation. It states that anyone complicit in defrauding shareholders can be subject to criminal charges, fines and imprisonment. Section 802 requires auditors to retain audit workpapers for five years. Title VIII also protects whistleblowers from retaliation.
Title IX: White Collar Crime Penalty Enhancement
Title IX increases the penalties for white-collar crimes such as mail and wire fraud. Its Section 906 is the provision that requires the CEO and CFO to certify the financial reports the company files with the SEC and sets the criminal penalties for false certification.
Title X: Corporate Tax Returns
Title X expresses the sense of the Senate that the CEO should sign the company's federal income tax return.
Title XI: Corporate Fraud Accountability
Title XI makes tampering with records or otherwise impeding an official proceeding a crime punishable by a fine, up to 20 years in prison or both. It also allows the SEC to freeze extraordinary payments to officers and directors during an investigation and to bar violators of securities laws from serving as officers or directors of public companies.
What are SOX compliance audits?
SOX compliance audits are a check on your internal controls to ensure your company's financial data is secure and accurate. During an audit, an independent external auditor will examine your company's controls, policies and procedures related to financial reporting. This includes interviewing personnel to confirm that they have the training needed to handle financial information securely and that their actual duties match their job descriptions.
The steps in a SOX compliance audit
While every auditor will have their own procedures that will take into account the specifics of the business being audited, all SOX compliance auditors will:
- Identify the scope of the audit based on risk assessment
- Identify what accounts are important to the financial reports, where they are located and the processes involved in recording them
- Identify risks that could prevent the correct recording
- Identify and test SOX controls, including checks and balances, and identify and classify any defective controls
- Assess the risk of fraud, including evaluating controls in place to detect, prevent and report fraudulent activity
- Assess how SOX controls documentation is managed, including speed, accuracy and scalability
- Issue a final report on SOX controls
Preparing for a SOX Compliance Audit
Before an auditor reviews your internal controls, here are some steps you can take to get ready:
- Make sure your staff is trained and up to date on SOX compliance procedures.
- Clear any alerts from your SOX compliance software and make sure it’s up to date.
- Make sure your data is organized and accessible.
- Ensure that auditors will have the physical and electronic access they need to examine and test controls.
- Check for any unreported breaches or compliance issues.
- Complete your Internal Controls Report.
- Have year-end financial disclosure reports available.
SOX frameworks
Control frameworks like COBIT and COSO can help corporations manage their financial reporting controls according to best practices in order to ensure SOX security compliance. COBIT and COSO work together to integrate internal controls and risk management: COSO focuses on the big picture in financial reporting compliance while COBIT specifically addresses the IT environment.
COBIT 5
The SOX Act mandates that companies establish and certify the effectiveness of internal controls. However, the legislation itself doesn’t dictate how that can be accomplished. COBIT is a widely recognized and accepted framework that can help you establish the IT processes needed to comply with SOX guidelines.
It provides a clear path for developing good processes and practices, and helps you understand connections between IT processes and business goals. It can also help you document your controls.
COBIT defines seven information criteria that controls must satisfy: effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability. It also provides a maturity model for rating each IT process:
- Level 0: Nonexistent
- Level 1: Initial/Ad hoc
- Level 2: Repeatable but intuitive
- Level 3: Defined process
- Level 4: Managed and measurable
- Level 5: Optimized
COSO
While COBIT provides specific guidance on IT governance, COSO is a broader risk management framework that provides guidance on internal controls for businesses. Its benefits include:
- Better risk mitigation due to enhanced understanding of risks
- Better decision-making due to higher data quality
- Improved ability to comply with data protection mandates
- Reduced risk of hefty expenses for data breach recovery, fines, lawsuits and lost business
The COSO framework includes five components:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities
SOX compliance checklist
Preparing for a SOX audit can feel overwhelming. Some major considerations in getting ready for an audit include:
- Create a timeline to plan for your audit, including quarterly reviews.
- Create a list of all stakeholders, including those who need to participate in the audit as well as their roles and responsibilities.
- Prepare your Form 10-K and 10-Q disclosures, making sure they are complete and reliable.
- Start by focusing on the big picture regarding risks and controls relevant to sections 302 and 404. Make sure to include risks that have caused failures in the past.
- Inventory all IT assets.
- Consolidate information sources regarding risk and controls, such as quarterly reviews, corporate policy statements, internal testing and external assessments.
- Identify key controls.
- Document the current risk situation with existing controls.
- Develop an action plan to address all unacceptable risks.
- Disclose security breaches and failures of control to auditors.
How Netwrix solutions help with SOX compliance
Achieve, maintain and prove compliance with SOX requirements by choosing Netwrix compliance solutions. Here are some benefits you can expect:
- Streamlined compliance auditing — Automate many of the tedious and time-consuming tasks associated with audits, freeing up your team to focus on more strategic initiatives.
- Customizable reporting — Quickly generate the reports you need to meet specific compliance requirements and satisfy auditors.
- Proactive alerting — Continually monitor your IT infrastructure and get notified in real time about changes or issues that could impact your compliance posture.
- Easy deployment and management — Start getting value quickly with solutions that are quick to implement and easy to learn and use.
- Complete coverage — Get a multi-layered approach that provides comprehensive coverage for not just SOX, but a wide range of other standards and regulations: HIPAA, PCI DSS, GDPR and more.
- Future-proof compliance strategy — Be ready to quickly comply with new regulations and changing requirements.