It has been more than 10 years since the initial passage of the Sarbanes-Oxley Act (SOX) of 2002 and, even today, many organizations still struggle to fulfill their auditing and compliance requirements. If not done smartly, meeting your obligations as a publicly traded company can be expensive, time-consuming and ultimately counterproductive for your business goals. It doesn’t have to be that way. The more you know ahead of planning for an audit, the more seamless and effective the process will be. In this article, we attempt to answer the question, “What is SOX compliance?” in the most straightforward, accessible and pragmatic way possible.
SOX at a Glance
Let’s review some of the basics about this federal act.
- Full name: Sarbanes-Oxley Act of 2002, known in US Senate as the “Public Company Accounting Reform and Investor Protection Act” and in the House of Representatives as the “Corporate and Auditing Accountability and Responsibility Act.” Commonly referred to as Sarbanes’Oxley, Sarbox or SOX.
- Signed into law: July 30, 2002.
- Sponsors: Sen. Paul Sarbanes (D-MD) and Rep. Michael G. Oxley (R-OH-4)
SOX was designed with the goal of implementing accounting and disclosure requirements that:
- Increase transparency in corporate governance and financial reporting
- Formalize a system of internal checks and balances
SOX is applicable to:
- All publically held American companies
- Any international companies that have registered equity or debt securities with the U.S. Securities and Exchange Commission (SEC)
- Any accounting firm or other third party that provides financial services to either of the above
Penalties for non-compliance: Formal penalties for non-compliance with SOX can include fines, removal from listings on public stock exchanges and invalidation of D&O insurance policies. Under the Act, CEOs and CFOs who willfully submit an incorrect certification to a SOX compliance audit can face fines of $5 million and up to 20 years in jail.
History and Background
Some historical context is useful when discussing SOX. The act arose as a result of a specific set of incidents, and understanding them can help your organization integrate SOX compliance with your overall security goals and priorities. The act was passed on July 30, 2002, in the wake of the Enron, Worldcom, Tyco International and other high profile corporate scandals. While much of it deals with financial governance and accountability, sections of the act have clear implications for data storage and transmission, as well as information security.
The stated goal of SOX is “to protect investors by improving the accuracy and reliability of corporate disclosures.” Given that an organization’s IT infrastructure is the backbone of how it communicates, it makes sense that compliance with SOX should require introducing broad information accountability measures.
SOX Compliance and Data Security
For IT managers and executives setting out high-level data security goals, compliance with SOX is an important ongoing concern. But SOX compliance is about more than just being able to pass an audit – when appropriate data governance procedures are properly implemented, they can have a number of tangible benefits for your business. In fact, in a 2015 survey of more than 450 executives, conducted by Protiviti, it was found that:
- 78% of organizations leverage SOX compliance initiatives to drive continuous improvement around financial reporting
- 52% of organizations reported “significant” or “moderate” improvements in internal control over their financial reporting since the implementation of SOX
Ultimately, the report concluded, “this is a good indicator that these companies are proceeding on the right path with regard to treating SOX work not as a compliance exercise, but as a long-term process to create greater value in the organization. This is one of the outcomes the framers of the SOX legislation intended.”
With that in mind, how can SOX compliance benefit you? Aside from eliminating the threat of fines and other penalties, smart organizations are using SOX as a framework for:
- Auditing existing IT infrastructure, identifying inefficiencies, redundancies and superfluous controls.
- Streamlining reporting and auditing processes, increasing productivity and reducing costs.
- Managing security risks more effectively and responding quicker in the event of a breach.
Beginning Steps to Compliance
The first thing an IT manager must do to prepare their organization for SOX compliance is to understand which sections of the act have clear implications for data management, reporting and security. These are:
- Section 302: SOX Section 302 relates to a company’s financial reporting. The act requires a company’s CEO and CFO to personally certify that all records are complete and accurate. Specifically, they must confirm that they accept personal responsibility for all internal controls and have reviewed these controls in the past 90 days. These internal controls include a company’s information security infrastructure inasmuch as its accounting and reporting is performed electronically in other words, for almost all modern businesses there is a clear mandate to ensure high security standards are enforced.
- Section 404: Section 404 stipulates further requirements for the monitoring and maintenance of internal controls related to the company’s accounting and financials. It requires businesses to have an annual audit of these controls performed by an outside firm. This audit assesses the effectiveness of all internal controls and reports its findings back directly to the SEC.
A SOX compliance audit is a measure of how well your company manages its internal controls. While SOX doesn’t specifically mention information security, for practical purposes, an internal control is understood to be any type of protocol dealing with the infrastructure that handles your financial data. Indeed, one of the biggest criticisms of SOX is that, particularly for smaller firms, this requirement that all accounting systems must be subject to auditing is prohibitively expensive.
Later on, we’ll attempt to dispel this notion, but for now let’s continue to look at what SOX compliance is and what it means for businesses of any size.
Other Things to Know Before You Begin
The Sarbanes-Oxley Act is over 60 pages long. Beyond that, it has spawned a number of related concepts, committees and policies related to the auditing process. Some acronyms you need to know before beginning to assess your organization’s SOX compliance requirements include:
- PCAOB: The Public Company Accounting Oversight Board was created to develop auditing standards and train auditors on the best practices for assessing a company’s internal controls. It is here that the specific SOX requirements for information security are spelled out. PCAOB publishes periodic recommendations and changes to the auditing process. For obvious reasons, being aware of the most recent iteration of these guidelines is essential to passing an audit.
- COSO: COSO is the Committee of Sponsoring Organizations, a joint organization consisting of representatives from the Institute of Management Accountants (IMA), the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA) and Financial Executives International (FEI). Since 1992, COSO has published periodic updates to their internal control framework recommendations this document outlines guidelines for creating and implementing internal controls, and serves as the basis for the auditing standards developing by PCAOB.
- COBIT: COBIT (Control Objectives for Information and Related Technology) is a framework published by ISACA. Formally known as the Information Systems Audit and Control Association, ISACA covers guidelines for developing and assessing internal controls related to corporate information technology. Effectively a more specific version of the COSO framework, it outlines best practices for 34 IT processes. Many organizations will rely on both frameworks when developing a roadmap to SOX compliance.
- ITGI: The Information Technology Governance Institute (ITGI) is dedicated to helping businesses meet their objectives without compromising information security. ITGI has independently published its own framework for SOX compliance, using both COBIT and COSO as guides. Unlike COBIT, however, the ITGI framework deals only with security issues.
While it isn’t necessary to be intimately familiar with any of the above organizations or frameworks, they are valuable resources that should be turned to when setting control objectives and preparing for an audit. In fact, we’ve drawn extensively from all of the above to develop our own brief SOX compliance guide, which will take up the remainder of this article.
SOX Compliance Audits
A SOX compliance audit of a company’s internal controls takes place once a year. An independent auditor must conduct SOX audits. It is the company’s responsibility to find and hire an auditor, and to arrange all necessary meetings prior to when the audit takes place. To avoid a conflict of interest, SOX audits must be separate from other internal audits undertaken by the company. Many companies will time the audit so that results are available for inclusion in their annual report, thus satisfying the requirement of making findings easily accessible to stockholders.
The first step in a SOX audit usually involves a meeting between management and the auditing firm. In this meeting, both parties will discuss the specifics of the audit, including when it will take place, what it will look at, what its purposes are and what results management expects to see.
A key portion of a SOX audit will involve a review of your company’s financials. Auditors will inspect previous financial statements to confirm their accuracy while ultimately it is the auditor’s discretion whether or not a company’s financials pass, any variance in the numbers more than 5% either way is likely to set off red flags. An audit will also look at personnel and may interview staff to confirm that their regular duties match their job description, and that they have the training necessary to access financial information safely.
SOX Auditing of Internal Controls
A review of internal controls comprises one of the largest components of a SOX compliance audit. As noted above, internal controls include any computers, network hardware and other electronic infrastructure that financial data passes through. From the IT side of things, a typical audit will look at four things:
Access: Access refers to both the physical and electronic controls that prevent unauthorized users from viewing sensitive information. This includes keeping servers and data centers in secure locations, but also making sure effective password controls, lockout screens and other measures are in place. Implementing the principle of least privilege (POLP) is generally considered one of the best methods of organization-wide access control.
Security: IT security is, of course, a broad topic. In this case, it means making sure appropriate controls are in place to prevent breaches and having tools to remediate incidents as they occur. Taking steps to manage risk is a good policy regardless of SOX compliance status. Investing smartly in services or appliances that will monitor and protect your financial database is the best way to avoid compliance and security issues altogether.
Change management: Change management involves your IT department’s processes for adding new users or workstations, updating and installing new software, and making any changes to Active Directory databases or other information architecture components. Having a record of what was changed, in addition to when it was changed and who changed it, simplifies a SOX IT audit and makes it easier to correct problems when they arise.
Backup procedures: Finally, backup systems should be in place to protect your sensitive data. Data centers containing backed-up data including those stored off site or by a third party are subject to the same SOX compliance requirements as those hosted on-premises.
SOX and SAS
SOX applies not only to any publicly traded company, but also to any third parties they outsource financial work to. These companies which can include data centers, accounting firms and more ‘ are known as service organizations. To save time and simplify matters for all parties involved, service organizations can exempt themselves from continuous auditing by submitting a Type 2 SAS No. 70 service auditor’s report. This report confirms that the organization has independently passed a thorough review of their internal control processes and protocol, including those related to information technology and security.
One important task when preparing for a SOX compliance audit is to obtain a current and valid SAS 70 report from each of the service organizations employed by the company. If a SAS 70 report is not available, that service organization may require additional auditing to confirm SOX compliance, a process that both takes time and costs money.
SOX Compliance Checklist
Every organization and every audit is different, which is why the idea of a universal SOX compliance checklist isn’t a particularly useful one. There are, however, a few general questions every business should consider. Before an audit, ask yourself:
- Am I working from an accepted framework, whether it’s COSO, COBIT, ITGI or a combination of all 3?
- Have policies been established that outline how to create, modify and maintain accounting systems, including computer programs handling financial data?
- Are safeguards in place to prevent data tampering? Have they been tested and found operational?
- Is there protocol for dealing with security breaches?
- Is access to sensitive data being monitored and recorded?
- Have previous breaches and failures of security safeguards been disclosed to auditors?
- Have I collected valid, recent SAS 70 reports from all applicable service organizations?
SOX Compliance on a Budget
There’s no question SOX compliance is a complex topic, one that can demand a considerable investment of time and money from unprepared firms. That’s where BlackStratus comes in. We offer powerful security solutions that increase the effectiveness of your internal IT controls. Key products include LOGStorm, an affordable and easy-to-deploy virtual appliance for log management and monitoring, SIEMStorm, our enterprise-level solution for larger organizations working in distributed networks, and our newest offering, the cloud-based, security-as-a-service CYBERShark platform. All our SOX compliance software products are scalable to grow with your organization and come with built-in SOX templates that make passing an audit easy.
Contact us today to see which BlackStratus solution best fits your needs.
Author: Rich Murphy, Vice President of Products (read more about Rich Murphy and the rest of the BlackStratus Leadership team)