The U.S. faced several disheartening and frustrating scandals in the earliest part of the century. Without regulations guiding them to be transparent, corporations were regularly falsifying financial records or defrauding their investors. To curb this issue, Congress passed the Sarbanes-Oxley Act. This act, also known as SOX, codified a set of reporting and auditing standards into law to force corporations to provide truthful and accurate financial information and avoid further fraud issues.
Here we discuss some of the implications of SOX and how you can approach compliance for your publicly traded company.
What is the Sarbanes-Oxley Act?
While it seems like ancient history, it’s important to begin this discussion with some context on the financial industry in the early 2000s. During the late 1990s and early 2000s, the U.S. saw many high-profile fraud cases involving millions, sometimes billions, of dollars, in which a lack of oversight or regulation contributed. Some primary examples include:
- The Enron Scandal: The Enron Corporation, an energy, commodities and services company in Texas, had systematically hidden the details of a poor financial position through years of institutional and complex financial fraud. In 2001, the company filed for what was then the largest Chapter 11 bankruptcy in history, at $11B in losses.
- The Tyco Corporate Scandal: In 2002, investigations revealed that CEO Dennis Kozlowski and CFO Mark Swartz stole a combined $150M from Tyco and attempted to pass the theft off as compensation.
- The WorldCom Scandal: In 2002, WorldCom, the second-largest provider of long-distance phone services in the U.S., suffered a massive scandal when auditors revealed that senior executives inflated earnings to boost company stock prices. The executives were found to have operated a fraudulent balance sheet above $11B.
At the time, public confidence in U.S. corporations and in the government’s willingness to regulate them was at an all-time low. In response, Congress passed the Sarbanes-Oxley Act in 2002. Sponsored by Sen. Paul Sarbanes and Rep. Michael Oxley, the Sarbanes-Oxley Act reformed existing laws and regulations by emphasizing corporate responsibility, financial protections, accounting regulation and increased penalties and criminal punishments for offenders.
One of the major components of the law is that it instituted a compliance framework for accounting and reporting that all corporations must abide by, colloquially known as “SOX” compliance.
How is SOX Different From Other Compliance Frameworks?
Unlike traditional cybersecurity compliance frameworks, SOX isn’t dedicated to security. While security is part of the framework as a whole, its larger intent is to force corporations to maintain rigorous logs, documentation and data related to their business, technical and financial systems.
SOX compliance applies to all publicly traded companies, their wholly owned subsidiaries, and foreign companies traded and doing business in the U.S. The law does not apply to privately owned companies or non-profits. This is an important distinction because private companies that step into public markets with an Initial Public Offering (IPO) must demonstrate SOX compliance before completing that process.
Beyond its scope, SOX applies primarily to corporate responsibility regarding financials. A few primary sections of the law impact businesses. These include:
- Section 302 stipulates that public companies must file regular financial statements and documentation of financial control structure with the U.S. Securities and Exchange Commission (SEC). Furthermore, senior corporate officers must certify this documentation under penalty of law for falsifying financial statements.
- Section 404 applies to internal controls and reporting measures, including management’s efforts to maintain the integrity of those controls. Corporations must report on the adequacy of their structure and assess and verify the effectiveness of that structure (including reports on any gaps or shortcomings). This includes attestation from an independent, third-party auditor who, upon performing an audit, cannot serve in any financial or bookkeeping capacity with the audited organization.
- Section 409 requires corporations to report any changes to an organization’s financial situation to stockholders and the public.
- Section 802 defines criminal penalties for falsifying documents or financial records, including up to 20 years in prison for altering, destroying or concealing financial documents.
- Section 806 sets up protections for corporate whistleblowers, administered under the authority of the U.S. Department of Labor, and implements legal consequences for employers who retaliate against whistleblowers.
The law covers much more than this, but it becomes clear from this selection that compliance focuses mainly on truthful, transparent, regular documentation, reporting, and audits.
How Can I Be Compliant with SOX?
While SOX focuses on financial reporting, the integrity and reliability of that reporting depend on an IT infrastructure that meets the law’s requirements. Fortunately, much of the auditing and documentation work can be automated. The most important part of technical compliance is demonstrating that your documentation is immutable, secure and reliable, and that it is verified by internal systems and by auditors.
Some of the ways that you can achieve and maintain SOX compliance include:
- Implement Access Control: You must show that reports and documents are accurate and remain free from tampering. Access controls help you manage access to records with role-based security and logging of user access events. You should also have an access policy in place that governs how users are managed, how software is installed and how applications or records are changed.
- Deploy Data Backups: SOX calls for off-site backups of all financial records, so you must have a solution in place to provide them.
- Security and Event Logging: Your systems must provide documentation, reporting and logging for the purposes of audits. This includes logs of any attempted breaches, document versioning, change history, and verifications by IT and executive leadership.
- System Integrity Audits: Alongside record and documentation audits, you must also have a clear report on your IT systems and how they support SOX transparency. This means performing internal audits of IT and related operations, and implementing risk management controls on all relevant security and documentation measures and technologies.
Continuum GRC: Automating SOX Compliance
The fortunate side of SOX compliance is that security professionals can automate audits and ease reporting. Like other cybersecurity frameworks, SOX operates with a set of templates and assumptions about how to demonstrate compliance.
Continuum GRC provides the platform and the expertise to help you automate your SOX audits. Furthermore, we are an independent, certified SOX auditor, meaning that you can work with us without worrying about conflicts of interest. Finally, our expertise in cybersecurity more broadly makes us more than capable of helping you on your compliance journey, whether you are just starting out or maintaining certification year after year.
Are You Preparing for SOX Audits?
Call Continuum GRC at 1-888-896-6207 or complete the form below.