Lepide Blog: A Guide to IT Security, Compliance and IT Operations

What is SOX Compliance? Requirements, Checklist & Benefits

SOX Compliance

What is SOX Compliance? A Definition

The Sarbanes-Oxley Act was introduced in the USA in 2002. Congressmen Paul Sarbanes and Michael Oxley put the compliance act together to improve corporate governance and accountability. This was done as a response to some of the large financial scandals that had taken place over the previous years.

The details of SOX compliance are complex. SOX compliance refers to annual audits that take place within public companies, within which they are bound by law to show evidence of accurate, secured financial reporting.

Public companies are required to comply with SOX both financially and in IT. IT departments found themselves affected by SOX as the Act changed the way that corporate electronic records were stored and handled. SOX internal security controls require data security practices and processes and complete visibility over interactions with financial records over time.

Adhering to SOX compliance requirements is not only the law, it is also best practice for a more ethical and secure operation. Implementing SOX financial security controls, aside from being the right thing to do, also has the added benefit of helping to defend against data security threats and attacks.

Who Must Comply with SOX Compliance?

All publicly traded companies in the USA must comply with SOX, as well as any wholly-owned subsidiaries and foreign companies that are both publicly traded and do business with the USA. Any accounting firms that are auditing companies bound by SOX compliance are also, by proxy, obliged to comply.

Other companies, including private ones and non-profits, generally do not have to comply with SOX, although adhering to it anyway is good business practice. There are other reasons, beside good business sense, to comply with SOX even if you are not publicly traded. SOX does have some articles that state if any company knowingly destroys or falsifies financial data they could face punishment under the Act.

Companies that are planning on going public, perhaps via an IPO (Initial Public Offering) should prepare to be bound by SOX.

SOX Compliance Requirements

Here are a few major requirements to implement SOX compliance:

  1. Submission of audited financial reports to the SEC
  2. Curation and implementation of a formal Data security policy
  3. Real-time disclosure of significant changes to the public
  4. Development, implementation, and frequent testing of internal controls

Internal Controls Requirements for SOX IT Audits

Auditing the company’s internal security controls is often the largest, most complex and time-consuming part of a SOX compliance audit. This is because internal controls include all of the company’s IT assets, such as computers, hardware, software, and all the other electronic devices that can access financial data.

SOX IT audits are focused on the following key areas:

1. IT Security: Ensure that you can locate sensitive data, see who has access to it, and monitor user interactions. If an incident occurs, you should be able to take effective and timely action to remediate it. Achieving this typically requires strict policies and procedures, combined with auditing and monitoring technology.

2. Access Controls: Make sure that only authorized people have access to sensitive financial information, both online and offline. Limit access and implement controls, such as securing servers behind biometric doors and enforcing password policies

3. Data Backup: Ensure that all data is backed up so that, in the event of an incident, data loss is minimized. Any data center containing backed-up data is also subject to SOX regulations.

4. Change Management: Keep records of changes in your IT environment, such as new employees, new computers, and updated software. Ensure that appropriate security measures are maintained throughout these changes.

Important Sections of SOX Compliance

The Sarbanes-Oxley Act of 2002 (SOX) is a comprehensive legislation aimed at safeguarding investors by enhancing the precision and dependability of financial reporting. It imposes several obligations on publicly traded companies, which include:

  1. Section 302 of SOX necessitates management to personally certify the accuracy of their financial statements and internal controls over financial reporting. This implies that the CEO and CFO must personally vouch for the reliability of the company’s financial data and the effectiveness of its internal controls.
  2. Section 404 of SOX mandates companies to establish and maintain an efficient system of internal controls over financial reporting (ICFR). This encompasses controls over the following domains:
    • Financial reporting: This entails controls over the preparation of financial statements, encompassing the accuracy and completeness of accounting records, and the protection of assets.
    • Internal accounting controls: This encompasses controls over the authorization, recording, processing, and reporting of financial transactions.
    • Information and communication: This includes controls over the identification, capture, and communication of financial information.
    • Monitoring: This encompasses controls over the continuous evaluation and testing of the effectiveness of internal controls.
  3. Section 409 of SOX compels companies to promptly disclose any significant changes in their financial condition or operations. This means that companies must disclose material information to the public as soon as it becomes known, rather than waiting for the next quarterly or annual report.
  4. Section 802 of SOX prohibits insider trading by company executives and directors. This signifies that these individuals are forbidden from trading their company’s stock based on non-public information.
  5. Section 906 of SOX necessitates the CEO and CFO to certify that the company’s financial statements are accurate and that they have complied with all relevant SEC requirements. This certification must be signed by the CEO and CFO and submitted to the SEC.

In addition to the aforementioned specific requirements, the Sarbanes-Oxley Act (SOX) also enforces several general principles that companies are obligated to adhere to. These principles include:

  • The independence of auditors: Audit firms are prohibited from providing certain non-audit services to their audit clients. This measure ensures that auditors maintain objectivity and independence when evaluating a company’s financial statements.
  • The protection of whistleblowers: Employees who report suspected fraud or other illegal activities are safeguarded from any form of retaliation. This protection encourages individuals to come forward and disclose any wrongdoing without fear of negative consequences.
  • The reinforcement of corporate governance: Companies are mandated to establish a robust board of directors that operates independently from management. This separation of powers ensures effective oversight and accountability within the organization. Complying with the provisions of SOX can be a complex and demanding undertaking for companies.

However, there are various resources available to assist companies in comprehending and adhering to the requirements of this law.

SOX Compliance Checklist

There is no one-size-fits-all checklist for SOX compliance, as each organization looks different. However, some general guidelines are as follows:

  1. Review & monitor access controls – Ensure that you regularly review and monitor access controls and get real-time alerts following permission changes that could affect access to sensitive financial information. Ensure that you track anomalous logon attempts, and any tampering of financial records. As always, strictly adhere to the Principal of Least Privilege (PoLP).
  2. Install updates – Ensure that all of your systems are up to date, including (and especially) your logging and monitoring software.
  3. Investigate alerts – Ensure that any alerts you receive through your SOX audit solution are dealt with immediately and investigated appropriately.
  4. Classify your sensitive data – Ensure that you regularly classify your sensitive financial data and know whenever financial data is created.
  5. Monitor user behavior – Ensure you are monitoring user behavior and can spot anomalies that may lead to breaches in SOX compliance. For example, users should not be copying financial data to unsecured locations.
  6. Maintain a SOX compliance status report – Maintain a regular and up to date SOX compliance status report. This will help you produce the required information in the event of a SOX audit.
  7. Be transparent with the auditors – Grant SOX auditors access to the systems and data they need to do their job. Send activity reports directly to the auditors via email or some other method. Any technical difficulties relating to the security measures applied to financial data should be reported to the auditors.
  8. Train staff – Ensure that all employees, old and new, are regularly trained on how best to handle financial data, including the SOX requirements.
  9. Define breach notification procedures – Report security incidents and breaches in a timely manner and with as much detail as possible.
  10. Maintain historical data – Keep an immutable record of all events surrounding data breaches and other security incidents. This will enable the security team to conduct a forensic investigation and demonstrate this knowledge to the auditors.
  11. Prevent data loss – Have a robust data loss prevention strategy in place, which includes taking regular backups, monitoring suspicious file and folder activity and outbound network traffic.

Benefits of SOX Compliance

SOX compliance provides companies with a way of improving their data security whilst simultaneously helping to restore public confidence in big business. Stockholders are happy that financial reporting is regulated and predictable, and it makes it easier for businesses to raise capital.

Companies adhering to SOX compliance will find that their ability to detect and react to security threats is greatly improved, which means that they are less likely to suffer devastating data breaches.

The amount of inter-departmental communication that SOX compliance requires can also help to improve company culture and drive growth and collaboration.

SOX Compliance for Data Protection

We have touched upon it a few times, but it bears repeating. SOX compliance is a great way to improve data protection and reduce your chances of falling victim to a data breach.

This is because, to comply with SOX, you will effectively have to model your security on the Data-Centric Audit and Protection model. This model requires you to understand where your sensitive data is, who has access to it, and what users are doing with it.

If you would like to see how the Lepide Data Security Platform can help you to pass SOX compliance audits, schedule a demo with one of our engineers today.