What Is SOX Compliance? Everything You Need to Know in 2024
The Sarbanes-Oxley Act (SOX for short) is a US federal law that was enacted in 2002 to ensure the accuracy of financial reports from publicly traded companies. Congress passed the SOX Act in response to major accounting scandals that took place in the early 2000s, including Enron, WorldCom and Tyco International. These scandals led to significant losses of assets among shareholders of these companies. Read on to learn more about SOX compliance requirements and what you can do to best prepare your company for a SOX compliance audit.
What Is SOX Compliance?
The Sarbanes-Oxley Act (SOX) was established as a means to improve financial disclosures and to protect investors and clients from accounting errors and fraudulent practices in corporations and thus ensure that scandals like Enron or WorldCom can never happen again. The act also addresses auditor independence, corporate governance and internal control assessment.
To achieve SOX compliance, companies must undergo and pass a SOX compliance audit in which the company, its financial statements and, most importantly, its internal controls are assessed by external auditors. Not only is meeting SOX compliance requirements a legal obligation, it is also a standard for good business practice.
Is SOX Compliance IT Compliance?
While SOX does not stipulate any IT requirements per se, the act has forever changed the way in which IT departments of publicly traded companies handle and store data and electronic records. The reason is that the financial information the law covers is processed and stored in IT systems. Auditors will therefore review and assess the company's control of IT infrastructure and whether it is appropriate and correct.
Our article on the subject offers additional information on how to achieve SOX compliance, the specific IT requirements of the SOX act and which software solutions can help you prepare for your yearly SOX audit.
Why SOX Compliance? A Brief History Lesson
One of the accounting scandals that triggered the creation of SOX was the famous Enron scandal of 2001, where the use of accounting loopholes and poor financial reporting allowed the company to hide billions of dollars in debt, which ultimately resulted in bankruptcy and the loss of billions in pensions and stocks for Enron's employees and shareholders.
Enron took its accounting firm, Arthur Andersen, down with it by pressuring it to ignore the issues despite being aware of them. Arthur Andersen faced a conflict of interest on the matter, given they were responsible for managing Enron's books and for auditing the company at the same time. The scandal eventually led to Arthur Andersen's dissolution.
The same accounting firm was also involved with the WorldCom scandal that followed one year later and in fact outdid Enron, ultimately becoming the largest case of accounting fraud in American history to that date. In an attempt to escape the effects of the bursting dot-com bubble, WorldCom's leaders used fraudulent accounting methods to hide the company's decline in earnings, inflate its assets and artificially maintain the company's stock prices, until the whole thing collapsed, resulting in grave financial losses.
Although WorldCom agreed to pay a civil penalty of 2.25 billion dollars to the SEC and, after resurfacing from bankruptcy in 2004, had 6 million dollars in cash available that was supposed to be used to pay back claims and settlements, most stockholders either came out empty-handed or did not get back even half of what they were owed.
SOX Compliance Today
Recognizing the enormous impact of these and other scandals around the time, the US Congress decided that stricter financial governance laws and internal controls, as well as more thorough regulation of auditing practices were long overdue. In an attempt to achieve this and to restore investor confidence and resuscitate the stock market, the Sarbanes-Oxley Act was passed.
Achieving SOX compliance today is a closely-monitored, multi-faceted and complex undertaking that demands strict cooperation from various departments and entities within organizations.
Which Companies Must Comply With SOX?
Not all organizations are required to achieve SOX compliance. The SOX Act applies to all companies that are publicly traded in the United States, including wholly-owned subsidiaries (i.e. companies whose common stock is 100% owned by a parent company).
SOX also covers accounting firms that are responsible for auditing businesses that are required to comply with SOX. This means accounting firms that do a company's bookkeeping cannot at the same time audit these books (as was the case with Arthur Andersen in the early 2000s).
Is SOX Compliance International?
The Sarbanes-Oxley Act also applies to foreign companies that are publicly traded and do business in the US.
Is SOX Compliance Mandatory?
Private companies and companies that have less than $100 million in annual revenue are not required to comply with SOX. However, private companies who are planning to go public should prepare to comply with SOX before they enter the stock market.
SOX Compliance Requirements
The Sarbanes-Oxley Act is a complex and lengthy piece of legislation that demands many, many things from corporate management and various departments. It consists of 11 titles, each of which comprises numerous sections that cover aspects ranging from auditor independence, corporate responsibility and fraud accountability to internal controls. It also dictates criminal penalties and fines for fraud, tampering with documentation and non-compliance.
"SOX compliance" generally refers to the yearly audit during which public companies are obligated to submit financial reports and prove the accuracy and security of their financial data. The act also requires all financial reports to include an Internal Controls Report that must be assessed by an external auditor.
The responsibility of overseeing and enforcing rulings on requirements to comply with the law belongs to the Securities and Exchange Commission (SEC). For this purpose, the SEC established the nonprofit Public Company Accounting Oversight Board (PCAOB), which is in charge of overseeing the audit of public companies in order to "protect the interests of investors and further the public interest in the preparation of informative, accurate, and independent audit reports for [public] companies."
SOX Sections Relevant to IT Compliance
Sections 302 and 404 are generally considered to be the most central provisions for SOX compliance in terms of IT, but sections 401, 409, 802, 902 and 906 are also of importance. The following summarizes what each section entails.
Section 302
CEOs and CFOs must certify that they have reviewed the report being submitted and that it "does not contain any untrue statements".
Signing officers must establish internal controls to ensure that any information provided by the company is accurate and available to auditors.
Signing officers are required to evaluate these controls and ensure they have been effective within 90 days leading up to the report and that any "deficiencies" in the design or operation of these internal controls have been identified and communicated to the issuer's auditors.
Auditors must be informed regarding any changes made to the internal controls after the report has been submitted.
Section 401
This section demands that companies ensure that periodic financial reports are prepared in accordance with generally accepted accounting principles (GAAP) and do not contain untrue statements or omit any material facts.
Section 404
This section mandates that:
management establish an "adequate internal control structure and procedures for financial reporting",
management is responsible for assessing the effectiveness of these controls and procedures during the most recent fiscal year, and
each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer.
Section 409
Section 409 stipulates that companies must immediately inform the public of any material changes in their financial condition or operations. This means companies are obligated to disclose information such as data breaches or other forms of cyberattacks immediately.
Section 802
Whoever knowingly alters, destroys or falsifies records faces significant fines, imprisonment, or both.
All audit or review workpapers must be retained for a period of 5 years after the audit, including both electronic and non-electronic records. Failing to do so can result in fines, imprisonment, or both.
Section 902
This section addresses an amendment of Chapter 63 of title 18, United States Code, which covers various fraud offenses from radio or television fraud, to bank fraud and health care fraud. It states that "any person who attempts or conspires to commit any offense under this chapter shall be subject to the same penalties as those prescribed for the offense." This means any attempt to commit a criminal fraud offense can result in up to 20 years imprisonment for individuals and a fine of up to 500,000 dollars for organizations.
Section 906
While Section 302 of the same title represents a civil provision, 906 is the criminal provision. It requires that each periodic report filed by an issuer must be accompanied by a written statement in which the chief executive officer and chief financial officer certify that the report "fully complies with the requirements of section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) and that information contained in the periodic report fairly presents, in all material respects, the financial condition and results of operations of the issuer."
Failure to do so or falsifying the report can result in fines of up to 5 million dollars and/or 20 years in prison.
SOX 404 Compliance
Of all sections, 404 is the most complicated and difficult for companies to achieve, and also the most expensive to implement. It is therefore also the section that has been faced with the most resistance. It demands that internal controls be put in place and maintained to ensure financial data is protected from fraud or error and it requires external auditors to review these controls and attest that they are appropriate.
It is not enough for companies to simply submit a report stating that they have the appropriate controls in place. They must be able to pull any document the auditor demands and thereby demonstrate that they have complied with SOX regulations. This means they must have systems which not only log data securely, but also make this data available on demand for auditors to view.
What Are the Consequences of Non-Compliance with SOX?
The stakes for failing to meet SOX compliance demands are high. For CEOs and CFOs who purposefully submit incorrect documentation to SOX compliance auditors, consequences may include fines of up to 5 million dollars, imprisonment of up to 20 years, or both. Incorrect certification that was submitted mistakenly can result in a fine of up to 1 million dollars and 10 years in prison. Companies who fail to comply also face being delisted from public stock exchanges.
SOX Compliance Audit: What Does It Encompass?
"SOX Compliance" refers to the mandatory annual audit public companies must undergo. They must hire an external auditor who will review whether:
the numbers provided in the financial statement are accurate and
the internal controls put in place by management are adequate and designed to sufficiently protect financial data against fraud.
Auditors may also interview staff to verify that their duties match their job description and whether they have received proper training to safely access financial information.
The findings of these audits are then made available to shareholders and the public. SOX compliance therefore is not only about the numbers in the financial statement, it is increasingly about the controls, policies and procedures set up by companies to ensure that data is correct and sufficiently protected.
And this is where SOX compliance overlaps with cybersecurity and all things IT. Because what is the use of having great financial controls when you are not keeping track of who has access to systems that allow them to tamper with data?
SOX IT Controls
Sections 302, 404 and 409 of SOX require that public companies must closely monitor, log and audit the following IT parameters:
Internal activity
Network activity
Database activity
Login activity
Account activity
User activity
Information access
SOX auditors will investigate the following four core items:
IT security: Organizations must ensure that they know exactly who has access to what data and resources and demonstrate that they have the appropriate tools to prevent data breaches from occurring. How companies choose to implement IT security measures is left up to them. They must invest in equipment, tools and services that are designed to monitor and protect their financial databases.
Access controls: Companies must ensure their sensitive information can only be accessed and viewed by people and users who have permission to do so. This includes both physical access (doors, file cabinets) and electronic access (login controls), which must be protected by appropriate measures (principle of least privilege, password control).
Data backup: All financial records and other sensitive data must be backed up using appropriate storage systems, both on-site and off-site.
Change management: Companies must have defined processes for adding and removing users or devices, as well as for installing and updating software. Change tracking must be used to document who made the change, what was changed and when the change was made.
Systems for logging and monitoring such activities must provide an audit trail of access to sensitive data. The internal control review therefore often makes up the largest portion of a SOX compliance audit. During the assessment, IT resources such as PCs and any other forms of hardware used to process financial data are thoroughly evaluated.
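As an added illustration of the change-tracking and audit-trail requirements described above (this is example code written for this page, not code from the original article or from tenfold): the log below records who changed what and when, and links each record to its predecessor with a SHA-256 hash, so that a later alteration or deletion of any record is detected when the chain is verified. The actor names, roles, system names and invoice numbers are constructed sample data.

```python
"""Tamper-evident change-tracking log: who changed what, and when.

Added example for this page (not code from the original article or from
tenfold). Each change is appended as an immutable record that carries the
hash of the previous record; verifying the chain exposes any record that was
altered or removed after the fact. All events below are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # hash of "nothing", used before the first record


def _entry_hash(prev_hash: str, entry: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so identical content
    # always produces an identical digest.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


class ChangeLog:
    """Append-only log; every record is chained to the one before it."""

    def __init__(self) -> None:
        self.records: List[dict] = []

    def append(self, who: str, what: str, target: str,
               when: Optional[datetime] = None) -> dict:
        when = when or datetime.now(timezone.utc)
        entry = {
            "who": who,                # actor who made the change
            "what": what,              # what was changed
            "target": target,          # system or object affected
            "when": when.isoformat(),  # when it happened (UTC)
        }
        prev = self.records[-1]["hash"] if self.records else GENESIS
        record = {"entry": entry, "prev_hash": prev,
                  "hash": _entry_hash(prev, entry)}
        self.records.append(record)
        return record

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute the chain from the start.

        Returns (True, None) if every record is intact, otherwise
        (False, index) naming the first record whose content or link no
        longer matches what was originally written.
        """
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev_hash"] != prev or rec["hash"] != _entry_hash(prev, rec["entry"]):
                return False, i
            prev = rec["hash"]
        return True, None


def build_sample_log() -> ChangeLog:
    """Constructed sample: three changes in a hypothetical AP ledger system."""
    log = ChangeLog()
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    log.append("alice", "granted role 'AP_Clerk'", "user:bob", t0)
    log.append("bob", "posted invoice INV-1042 for 12,500.00", "ledger:AP", t0.replace(hour=10))
    log.append("alice", "revoked role 'AP_Clerk'", "user:bob", t0.replace(hour=17))
    return log


def tamper_demo() -> Tuple[bool, Optional[int]]:
    """Change the posted amount in the second record after the fact, then verify."""
    log = build_sample_log()
    log.records[1]["entry"]["what"] = "posted invoice INV-1042 for 1,250.00"
    return log.verify()


if __name__ == "__main__":
    print("intact log:     ", build_sample_log().verify())  # (True, None)
    print("after tampering:", tamper_demo())                # (False, 1)
```

Verification detects edits made after a record was written, including a record removed from the middle of the chain (the next record's prev_hash no longer matches). The log itself still has to be protected and kept: restricted write access, off-site copies as the data backup control above calls for, and a retention period that satisfies the auditor.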
Preparing for a SOX Compliance Audit
Achieving SOX compliance and passing the audit is not something you can prepare for quickly (nor is it necessary that you achieve compliance within days or weeks). It requires a long-term strategy from organizations and they are usually given several years to become fully SOX compliant. Your best bet is to invest in sophisticated software that takes much of the time-consuming, error-prone and laborious manual work off your hands and keeps your data safe from unauthorized access.
You must have controls in place to ensure your internal auditing and reporting systems are up-to-date and tested so that you are able to provide any documentation your auditor asks for right away.
SOX Compliance Checklist
There are indeed compliance checklists out there that sort of summarize what SOX wants you to do. However, the problem with these checklists is that they don't tell you how to complete these steps. This is because, in reality, every company is different and every audit will be different. Therefore, there is no one-size-fits-all checklist that can be applied to every company and simply ticked off. Sorry, but that's the truth.
There are, however, some general questions that you can ask yourself to get a good idea of whether you are on the right track to achieving SOX compliance:
Are your systems, especially for logging and monitoring, up-to-date and have they been tested?
Do you know who in your organization has access to financial or other critical data?
Are you ensuring strict segregation of duties to guarantee functioning internal controls?
Are you monitoring user behavior in order to detect potential breaches in time?
Are you performing regular user access reviews to monitor changes in permissions?
Can your SOX auditors access the files and resources they need to adequately perform their jobs?
Are your staff trained in how best to handle financial data? Do they know which files they're allowed to access and which not?
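As an added example that is not from the original article or from tenfold, the review below answers three of the checklist questions mechanically: who has access to what, whether duties are segregated, and whether access is being reviewed regularly. It takes a constructed snapshot of who holds which entitlements in a hypothetical finance application and flags segregation-of-duties conflicts, dormant accounts that still hold access, and entitlements that have not been recertified within the review period. The entitlement names, the conflict matrix, the thresholds and the snapshot are all assumptions chosen for illustration.

```python
"""User access review with segregation-of-duties checks.

Added example for this page (not code from the original article or from
tenfold). Given a snapshot of users and their entitlements in a hypothetical
finance application, it reports:
  (a) users holding two duties that should never sit with one person,
  (b) dormant accounts that still hold access,
  (c) users whose access has not been recertified within the review period.
Entitlement names, conflict pairs, thresholds and the snapshot are constructed.
"""
from datetime import date
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Duty pairs no single person should hold at once (constructed matrix).
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"post_journal", "approve_journal"}),
    frozenset({"manage_user_access", "approve_payment"}),
}

DORMANT_DAYS = 90   # an account unused this long should not keep its access
RECERT_DAYS = 180   # each user's access must be re-approved within this window


def sod_conflicts(entitlements: Set[str]) -> List[Tuple[str, str]]:
    """Return every conflicting pair among one user's entitlements."""
    return sorted(
        tuple(sorted(pair))
        for pair in combinations(sorted(entitlements), 2)
        if frozenset(pair) in SOD_CONFLICTS
    )


def review_access(snapshot: Dict[str, dict], today: date) -> List[Tuple[str, str]]:
    """Produce (user, finding) tuples for every issue in the snapshot.

    snapshot maps user -> {"entitlements": set, "last_login": date,
                           "last_certified": date}
    """
    findings: List[Tuple[str, str]] = []
    for user, info in sorted(snapshot.items()):
        for a, b in sod_conflicts(info["entitlements"]):
            findings.append((user, f"SoD conflict: {a} + {b}"))
        if info["entitlements"] and (today - info["last_login"]).days > DORMANT_DAYS:
            findings.append((user, "dormant account still holds access"))
        if (today - info["last_certified"]).days > RECERT_DAYS:
            findings.append((user, "access not recertified within review period"))
    return findings


def sample_snapshot() -> Dict[str, dict]:
    """Constructed snapshot of a hypothetical finance application."""
    return {
        "alice": {"entitlements": {"create_vendor", "approve_payment"},
                  "last_login": date(2024, 5, 28), "last_certified": date(2024, 4, 1)},
        "bob":   {"entitlements": {"post_journal"},
                  "last_login": date(2024, 1, 15), "last_certified": date(2024, 4, 1)},
        "carol": {"entitlements": {"approve_journal"},
                  "last_login": date(2024, 5, 30), "last_certified": date(2023, 9, 1)},
        "dave":  {"entitlements": {"approve_payment", "manage_user_access", "post_journal"},
                  "last_login": date(2024, 5, 29), "last_certified": date(2024, 5, 1)},
    }


def run_review(today: date = date(2024, 6, 1)) -> List[Tuple[str, str]]:
    """Run the review over the constructed snapshot as of a fixed date."""
    return review_access(sample_snapshot(), today)


if __name__ == "__main__":
    for user, finding in run_review():
        print(f"{user:6} {finding}")
```

In a real review the snapshot would be exported from the identity management system or the application itself, and the conflict matrix would come from the finance process owners; the point of the script is that each finding is reproducible and can be handed to the auditor together with the data it was derived from.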
Achieving SOX Compliance With IAM
While securing physical access to data is usually a pretty straightforward process, many companies struggle with managing user access rights across increasingly complex digital systems that involve both on-premise software and cloud-based platforms like Microsoft 365. Luckily, there are tools and software solutions available that are specifically designed to manage access rights, provide audit trails and help you reach your compliance goals.
Whether you are trying to reach SOX compliance for the first time or reduce the amount of effort needed to complete your yearly SOX audit, an identity and access management solution covers many of the requirements and controls outlined in the Sarbanes-Oxley Act.
IAM solutions like tenfold allow companies to manage users and permissions for different systems and applications within one central platform.
Advantages of SOX compliance
Besides not ending up in jail or paying huge fines for non-compliance, companies who have made the effort to comply with SOX will experience the following improvements:
Reduction of costs thanks to stronger control environment: Companies who demonstrate a strong control environment, with a good sense of discipline, structure and ethical values spanning all departments, first and foremost managerial departments, have been able to reduce the scope of their internal control audits. This in turn means fewer internal tests are necessary to reach compliance, and this again significantly reduces costs.
Better insight due to better documentation: The efforts of bringing all documentation up to speed after SOX was first enacted cost companies many, many hours of work, but in the end, these efforts paid off. Clearer job descriptions and exact definitions of who is responsible for covering which business processes allow for a much smoother onboarding process. Employees are also able to better understand operations and how they are accomplished. Basically, it helps everyone understand the exact scope of their job responsibility.
No more conflicts of interest = happier stockholders: Remember Arthur Andersen? Yeah, well that doesn't happen anymore. Members of the audit committee must be free of most financial and personal ties to the company they are auditing and at least one committee member should be a "financial expert". This means you can't sign off on a false report anymore and ask your auditor, who also happens to be your accountant, to turn a blind eye (potentially resulting in a stock crash and you as well as your stockholders losing billions).
Standardization of processes: Instead of using many different processes for different tools or departments (such as inputting financial transactions into various systems), it is better to follow just one or two standardized processes across all your systems, departments and offices. Not only does this reduce the likelihood of errors, it also helps companies excel at audits because standardized processes are easier and quicker to evaluate (making the audit much cheaper).
Reduced complexity = more efficiency: Simplification is key to achieving SOX compliance. Rather than using different accounting practices, for instance, it is better to use a centralized system and follow best practices to unify processes and thereby make them more efficient. This helps managers and everyone else to maintain a better overview of the situation. Processes can be conducted quicker and fewer errors occur.
Minimization of human error through process automation: Manual processes are the weakest link of internal controls. Ask anyone. (Ask your auditor!) Humans can be distracted, tired, ill or just mean. Automated controls that are well thought through and implemented do not make mistakes. Automation helps companies excel at audits and reduces auditing costs, since just one or two trial runs of an automated system are enough to demonstrate its functionality. Also, according to the PCAOB, some automated controls only require testing every three years instead of every year (provided the control has not been changed since the last audit and the company can prove this).
Predictable financials: All of these advantages make it easier for companies to predict their financials, which gives them easier access to capital markets and is another factor in keeping shareholders happy.
Fewer data breaches: Process automation, limiting user access and minimizing human errors reduce the likelihood of your company falling victim to employee data theft or a data breach.