After a series of fraud violations by high-profile companies, the Sarbanes-Oxley Act or SOX came into effect in 2002 to change how enterprises manage their accounting and disclosure procedures. The idea was to create regulations to protect investors in the US from falling victim to fraudulent accounting practices.
What is SOX?
SOX is a set of accounting and disclosure regulations that determines how publicly traded companies govern, report, and conduct financial affairs. These regulations have been designed to promote a system of internal checks and balances, and to increase transparency.
While SOX compliance is a legal necessity, the security controls inherent to the regulations also help enterprises to protect sensitive data from unauthorized access. In other words, ensuring compliance with SOX makes business sense because greater internal controls lead to increased protection.
SOX applies to all public companies in the US and any non-US companies that do business in the US. Private organizations and charities don’t need to comply with SOX, unless a private organization is preparing for an initial public offering or IPO.
What are the Penalties for Non-Compliance?
Falling foul of the regulations comes with harsh penalties ranging from fines to removal from public stock exchanges and the voiding of directors and officers (D&O) insurance policies. Individuals who make the decision to submit deliberately incorrect information or destroy company documents are committing a criminal offense. Punishments include fines of up to $5 million and up to 20 years in jail.
The harsh nature of the punishments means that it is essential for enterprises to make a genuine effort to record accurate accounting information and comply with SOX regulations.
SOX Compliance Checklist
SOX is divided into 11 titles. Each of these titles has different sections with smaller requirements. The information included in each section is too vast to be included here, but you can view the full details here. However, the most important sections to familiarize yourself with are as follows:
- Section 302: Corporate Responsibility for Financial Reports
- Section 404: Management Assessment of Internal Controls
- Section 409: Real-Time Issue Disclosures
- Section 802: Criminal Penalties for Altering Documents
- Section 906: Corporate Responsibility for Financial Reports
Section 302: Corporate Responsibility for Financial Reports
Section 302 specifies the responsibilities that enterprises have for safeguarding data and developing accurate financial reports. This section states that the CEO and CFO have a responsibility to ensure that there exists detailed documentation of financial reports and internal controls.
They must also certify that the information included in an annual or quarterly review is correct and take personal responsibility for all internal controls used to protect sensitive data. They must also have reviewed these controls within the last 90 days.
Section 404: Management Assessment of Internal Controls
Section 404 stipulates that companies have systems in place to provide the necessary data to an independent auditor. It outlines how annual reports should be completed and sets out a requirement to report security breaches.
Section 404 also states that you need the safeguards mentioned in section 302 to be verified by an independent auditor. The independent auditor assesses whether there are any security issues that shareholders need to be aware of.
Section 409: Real-Time Issue Disclosures
Section 409 outlines that enterprises have a responsibility to disclose to the public “Additional information concerning material changes in the financial condition or operations of the issuer, in plain English.”
Real-time issue disclosures can be supported by qualitative information and graphical presentations to help the public understand the situation better. The core intent behind this section is for organizations to stay transparent for the public and investors. Information on financial condition must be in clear terms so that it can be easily understood by the reader.
Section 802: Criminal Penalties for Altering Documents
Section 802 includes a variety of data retention and protection guidelines that enterprises need to follow. The type of data that should be stored includes email, EDI, bank statements, invoices, bills, checks, letters, publications, and memos. The section also lists how long these records should be maintained:
|Type of Business Record|Length of Time Required to Retain|
|---|---|
|Employment applications|3 years|
|Invoices to customers|5 years|
|Receivable or payable ledgers|7 years|
|Tax returns|7 years|
|Contracts and leases|Forever|
The section notes that the alteration, destruction, falsification, or concealment of these records will be met with severe consequences. Individuals who unlawfully interact with business records will be subject to penalties, fines and up to 20 years imprisonment.
Section 906: Corporate Responsibility for Financial Reports
Section 906 requires a written statement from the CEO and CFO declaring that the financial report “fairly presents, in all material respects, the financial condition and results of operations of the issuer.” The section also outlines that there are criminal penalties for failing to produce a report that matches these requirements and potential prison time for those who deliberately attempt to obfuscate information.
The SOX Compliance Audit
Once you’ve implemented measures to comply with the act you will need to do a compliance audit. The audit will be used to assess the suitability of the security measures in place. You are required by federal law to hire an independent auditor to complete the audit.
At the start of the audit the auditor will notify key stakeholders about what will be accessed, and when the audit will take place. It is common for auditors to interview staff to develop a better understanding of who is responsible for what in the workplace.
Auditors will review the internal controls within the company to make sure that sensitive information is being protected. They will check that you are physically securing resources like servers and maintaining general best practices like passwords and lockout screens to further protect devices.
They will also check through your documentation to make sure that you are recording access. For example, if an individual interacts with a database then there should be a record so you can see who made the changes and when.
Software for SOX Compliance
Having the right internal controls and monitoring procedures in place is a vital component of SOX compliance. To make sure that you comply it is advisable to use software platforms that have been designed to comply with SOX regulations. In this section, we’re going to look at some of the top software offerings you can use to monitor SOX compliance.
SolarWinds Security Event Manager is an event and log management tool that can be used to monitor for SOX violations. The software can analyze events on devices and applications to scrutinize user activity. There are built-in report templates designed specifically for SOX regulations. However, users can also generate their own customizable reports if they wish to provide further details about an event.
SOX reports can be produced manually or scheduled for a future date. Scheduling reports ensures that you always have some form of documentation to record events in your infrastructure. Likewise, the log analysis capabilities of SolarWinds Security Event Manager double up to help prevent cyber threats from putting your network offline.
Tools like SolarWinds Security Event Manager are excellent for helping you to maintain documentation and manage user activity. SolarWinds Security Event Manager starts at a price of $4,665 (£3,834). You can download the 30-day free trial version.
Workiva is a SOX compliance management tool built to map internal controls. Through a real-time dashboard, the user can monitor data and narrative updates within an enterprise. There is also the option to track the history of changes made to documents. The software maintains data security procedures validated with SOC 1, SOC 2, and FedRAMP to keep your data safe from being compromised.
In terms of access controls, you can assign role-based permissions to each user to determine who has access to what information. Those who do have access to sensitive files benefit from integration with Microsoft Office 365 so that they can interact with files without the need to download them.
For simplifying internal controls Workiva is an excellent tool. The software is easy to use and gives you a layer of transparency that can protect you during an audit. However, you’ll need to contact the sales team for a quote. You can also request a demo.
LogicManager is a SOX management platform designed to help enterprises ensure compliance with SOX regulations. The program allows the user to create to-do lists and view real-time alerts to keep on top of documentation requirements. Information can be viewed in the form of dashboards and reports, with the option to sign-off on information to certify that it has been verified.
Reports are customizable so you have complete control over the information you see on the screen. In addition, there is customizable testing with optional sampling and user instructions to make sure that you stay on top of important information.
There are three main versions of LogicManager available to purchase: Essentials, Professional, and Enterprise. The Essentials version starts at $10,000 (£8,219) per year, Professional starts at $30,000 (£24,658) per year, and Enterprise starts at $150,000 (£123,300) per year. The difference in price depends on the number of users you need to support and the complexity of the use case. You can request a demo here.
SOX Compliance Number One Goal: Transparency!
The burdens of regulatory compliance produce a minefield for many enterprises that aren’t equipped with the right information and processes. It is critical for enterprises to raise their awareness of the requirements of SOX to avoid being left open to legal liabilities.
Complying with SOX comes down to enshrining transparency at the heart of your organization. If you set about creating internal controls to make sure that the information used to fill out a report is reliable then you can.