In 2002, Congress passed the Sarbanes-Oxley Act, named after its sponsors Senator Paul Sabanes (D-MD) and Representative Michael G. Oxley (R-OOH-4). Instituted “to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws,” the Sarbanes-Oxley Act (commonly referred to as SOX) established a stricter protocol for internal controls that affect financial reporting and security within publicly traded companies.
The Act passed in the wake of notorious financial scandals. Corporate giants Enron, WorldCom, and Tyco faced charges of significant fraud, with WorldCom folding in a $104-billion-dollar bankruptcy. According to FiveThirtyEight, the damages associated with the burst of the dot-com bubble beginning in 2000, an event to which many of these fraud scandals contributed, “[destroyed] $6.2 trillion in household wealth over the next two years.”
Given the massive deleterious impact of financial securities fraud in publicly traded companies, Congress recognized the need for stricter oversight, better internal controls, and more meticulous auditing practices in corporate regulation.
The Basics of SOX Compliance
What is SOX compliance? While the details of the Sarbanes-Oxley Act are complex, “SOX compliance” refers to the annual audit in which a public company is obligated to provide proof of accurate, data-secured financial reporting.
To this end, while SOX measures seek to govern the financial operations and disclosures of corporate entities and any of their contracted financial service providers, the regulations pertain to a breadth of departments, and a few to IT. SOX reporting specifically involves IT departments because adequate SOX internal controls require complete file safety and full visibility into financial record history—conditions which require each IT employee to understand his or her role in demonstrating SOX compliance.
What SOX Compliance Means for Business IT
In a SOX IT audit, the IT department proves compliance by providing documentation showing that its employer has met mandated financial transparency and data security thresholds.
To align with SOX regulation law, IT departments must be familiar with the security, access privilege, and log management standards required for their financial records. The first step in cementing SOX internal controls is creating a “control environment,” which should:
- Acknowledge the need for increased transparency, internal balances, and regulation.
- Strive to perform control actions that mitigate risk and ensure the inviolability and reliability of financial information.
In previous cases of corporate fraud, organizational stakeholders had tampered with high-clearance files to intentionally misrepresent the financial status of their company—misleading investors and costing the stock market trillions when they had to reissue their reports.
To prevent fraudulent agents (whether internal or external) from tampering with sensitive financial information in the future, SOX issued Act Sections 302 and 404 to specify the parameters of reporting regulations as they apply to IT departments.
SOX Act Section 302
Section 302 dictates that the principal executive officer and chief financial officer sign and review their annual or quarterly report testifying to SOX compliance. In so doing, they must certify that the information included is wholly true and representative of the company’s financial status, to the best of their knowledge. To this end, these agents must do the following:
- Establish and maintain internal controls: This refers to putting systems in place which protect financial information, determine privileged access, track potential threats, catalogue change history, and identify security weaknesses.
- Maintain transparency among personnel: Section 302 states that the organization must design “such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities.” Basically, it’s crucial to ensure transparency among all personnel to whom financial and data security is pertinent.
- Regularly assess the controls: Organizations should be able to prove they “have evaluated the effectiveness of the issuer’s internal controls” within the last 90 days.
- Provide reports: Compliancy reports should present this evaluation, note system weaknesses, and assess overall efficacy.
To sum up, Section 302 obliges organizational stakeholders—namely, senior-level executives and financial officers—to ensure the security of financial data, to stay informed, and to honestly represent the state of their finances and security systems to SOX auditors.
SOX Act Section 404
Relatedly, Section 304 mandates that all organizations under the Act have systems in place to provide the data required by a compliance audit. It stipulates the rules of required annual reports, which must:
- “…state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting,” and;
- “…contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.”
This speaks to the actionability of SOX internal controls reporting: it’s not enough for companies to issue a report claiming that they have ensured file security and financial transparency. When faced with a SOX compliance audit, companies must be able to demonstrate that they’ve complied with regulations for at least the past 90 days with reliable documentation. Because of this SOX requirement, system data must be both secure and available for reference when independent auditors conduct their assessments.
This renders tracking and cataloging functions necessary because companies must report successful or attempted security breaches and their resolutions. In other words, security information and event management (SIEM) is crucial. Auditors must have a paper trail to evaluate, so they must be able to access event log data to verify security systems are effective, documents are unaltered, and access is properly restricted.
What Types of Software Can Assist with SOX Compliance
Understandably, providing extensive documentation of SOX compliance and keeping fastidious records of change management in privileged financial information for an entire company can be an overwhelming—if not impossible—task when done manually.
Further, the organizational stakes of noncompliance are incredibly high. According to Section 906 of the Sarbanes-Oxley Act, companies bear the responsibility for inaccurate reporting, regardless of intentionality. As it pertains to the “failure of corporate officers to certify financial reports,” false information reported accidentally is punishable by a fine up to $1 million or a prison sentence up to 10 years in length. When misinformation is reported “willfully,” officers face up to 20 years in prison and a fine up to $5 million.
Due to the burdensome, confusing, and high-stakes nature of compliance reporting, it’s important to choose sophisticated software that automates many auditing responsibilities. SOX compliance software is capable of tracking relevant data, flagging security threats, generating compliance reports in accordance with common templates, or populating easily individualized reports with cataloged data and computer-executed analyses.
SIEM software is most helpful in its ability to consolidate log management to analyze trends and flag the most salient information. Many SIEM tools automatically detect security threats with intelligence feeds that identify malware, hackers, and unauthorized personnel. Additionally, these tools recognize familiar suspicious activity and push notifications or set alarms to indicate potential sources of trouble.
Of course, cybersecurity entails more than policing, or offensively detecting data loss, and who has breached secure data—it’s preventative as well, regulating who has access to data in the first place. To identify unauthorized users who have tampered with financial records, for example, IT departments must have already systematically secured files by giving full access to privileged users, endowing others with read-only access, and restricting access entirely for some.
Access rights management tools provide a holistic view of access across servers and locations, preparing information for compliance reports, minimizing guesswork, demanding auditing operations, and reducing data loss.
Preparing for a SOX Compliance Audit
Whether a SOX IT audit is impending or months away, corporations should have a long-term strategy for demonstrating SOX compliance requirements. While software decreases the labor of log management, intelligent threat detection, and form generation, it’s critical that publicly traded companies understand how to implement software effectively.
Educating the IT team ensures that all employees handle data securely, stay cognizant of security threats, and use SOX compliance software correctly to optimize the ease and accuracy of financial reporting. For this to happen, responsible organizations must facilitate a productive dialogue between their respective departments such that financial personnel and senior-level executives communicate their needs with the IT department, which in turn can provide their high-level cybersecurity insights.
Used properly, SOX compliance software facilitates the process of establishing internal controls, streamlines the preparation of compliance documentation, and positions corporations for continued success.
 CERTIFICATION OF PRINCIPAL EXECUTIVE OFFICER PURSUANT TO SECTION 302 OF THE SARBANES-OXLEY ACT OF 2002, https://www.sec.gov/Archives/edgar/data/1582982/000149315218011173/ex31-1.htm
15 U.S. Code § 7262. Management assessment of internal controls, https://www.law.cornell.edu/uscode/text/15/7262