What Is SOX Compliance? Everything You Need to Know in 2023
The Sarbanes-Oxley Act (SOX for short) is a US federal law that was enacted in 2002 to ensure the accuracy of financial reports from publicly traded companies. Congress passed the SOX Act in response to major accounting scandals that took place in the early 2000s, including Enron, WorldCom and Tyco International. These scandals led to significant losses of assets among shareholders of these companies. Read on to learn more about SOX compliance requirements and what you can do to best prepare your company for a SOX compliance audit.
What Is SOX Compliance?
The Sarbanes-Oxley Act (SOX) was established as a means to improve financial disclosures and to protect investors and clients from accounting errors and fraudulent practices in corporations and thus ensure that scandals like Enron or WorldCom can never happen again. The act also addresses auditor independence, corporate governance and internal control assessment.
To achieve SOX compliance, companies must undergo and pass a SOX compliance audit in which the company, its financial statements and, most importantly, its internal controls are assessed by external auditors. Not only is meeting SOX compliance requirements a legal obligation, it is also a standard for good business practice.
Is SOX Compliance IT Compliance?
While SOX does not stipulate any IT requirements per se, the act has forever changed the way in which IT departments of publicly traded companies handle and store data and electronic records – the reason being that the financial information the law covers is processed and stored in IT systems. Auditors will therefore review and assess the company’s control of IT infrastructure and whether it is appropriate and correct.
Our article on the subject offers additional information on how to achieve SOX compliance, the specific IT requirements of the SOX act and which software solutions can help you prepare for your yearly SOX audit.
Why SOX Compliance? A Brief History Lesson
One of the accounting scandals that triggered the creation of SOX was the famous Enron scandal of 2001, where the use of accounting loopholes and poor financial reporting allowed the company to hide billions of dollars in debt, which ultimately resulted in bankruptcy and the loss of billions in pensions and stocks for Enron’s employees and shareholders.
Enron took its accounting firm, Arthur Andersen, down with it by pressuring it to ignore the issues despite being aware of them. Arthur Andersen faced a conflict of interest on the matter, given they were responsible for managing Enron’s books and for auditing the company at the same time. The scandal eventually led to Arthur Andersen’s dissolution.
The same accounting firm was also involved with the WorldCom scandal that followed one year later and in fact outdid Enron, ultimately becoming the largest case of accounting fraud in American history to that date. In an attempt to escape the effects of the bursting dot-com bubble, WorldCom’s leaders used fraudulent accounting methods to hide the company’s decline in earnings, inflate its assets and artificially maintain the company’s stock prices – until the whole thing collapsed, resulting in grave financial losses.
Although WorldCom agreed to pay a civil penalty of 2.25 billion dollars to the SEC and, after resurfacing from bankruptcy in 2004, had 6 million dollars in cash available that was supposed to be used to pay back claims and settlements, most stockholders either came out empty-handed or did not get back even half of what they were owed.
SOX Compliance Today
Recognizing the enormous impact of these and other scandals around the time, the US Congress decided that stricter financial governance laws and internal controls, as well as more thorough regulation of auditing practices were long overdue. In an attempt to achieve this and to restore investor confidence and resuscitate the stock market, the Sarbanes-Oxley Act was passed.
Achieving SOX compliance today is a closely-monitored, multi-faceted and complex undertaking that demands strict cooperation from various departments and entities within organizations.
Which Companies Must Comply With SOX?
Not all organizations are required to achieve SOX compliance. The SOX Act applies to all companies that are publicly traded in the United States, including wholly-owned subsidiaries (i.e. companies whose common stock is 100% owned by a parent company).
SOX also covers accounting firms that are responsible for auditing businesses who are required to comply with SOX. This means accounting firms who do a company’s bookkeeping cannot at the same time audit these books (as was the case with Arthur Andersen in the early 2000s).
Is SOX Compliance International?
The Sarbanes-Oxley Act also applies to foreign companies that are publicly traded and do business in the US.
Is SOX Compliance Mandatory?
Private companies and companies that have less than $100 million in annual revenue are not required to comply with SOX. However, private companies who are planning to go public should prepare to comply with SOX before they enter the stock market.
SOX Compliance Requirements
The Sarbanes-Oxley Act is a complex and lengthy piece of legislation that demands many, many things from corporate management and various departments. It consists of 11 titles, each of which comprises numerous sections that cover aspects ranging from auditor independence, corporate responsibility and fraud accountability to internal controls. It also dictates criminal penalties and fines for fraud, tampering with documentation and non-compliance.
“SOX compliance” generally refers to the yearly audit during which public companies are obligated to submit financial reports and prove the accuracy and security of their financial data. The act also requires all financial reports to include an Internal Controls Report that must be assessed by an external auditor.
The responsibility of overseeing and enforcing rulings on requirements to comply with the law belongs to the Securities and Exchange Commission (SEC). For this purpose, the SEC established the nonprofit Public Company Accounting Oversight Board (PCAOB), which is in charge of overseeing the audit of public companies in order to “protect the interests of investors and further the public interest in the preparation of informative, accurate, and independent audit reports for [public] companies.”
SOX Sections Relevant to IT Compliance
Sections 302 and 404 are generally considered the most central provisions for SOX compliance in terms of IT, but sections 401, 409, 802, 902 and 906 are also important. The following summarizes what each section entails.
Section 302
CEOs and CFOs must certify that they have reviewed the report being submitted and that it “does not contain any untrue statements”.
Signing officers must establish internal controls to ensure that any information provided by the company is accurate and available to auditors.
Signing officers are required to evaluate these controls and ensure they have been effective within the 90 days leading up to the report, and that any “deficiencies” in the design or operation of these internal controls have been identified and communicated to the issuer’s auditors.
Auditors must be informed of any changes made to the internal controls after the report has been submitted.
Section 401
This section demands that companies ensure that periodic financial reports are prepared in accordance with generally accepted accounting principles (GAAP) and do not contain untrue statements or omit any material facts.
Section 404
This section mandates that:
management establish an “adequate internal control structure and procedures for financial reporting”,
management assess the effectiveness of these controls and procedures during the most recent fiscal year, and
each registered public accounting firm that prepares or issues the audit report for the issuer attest to, and report on, the assessment made by the issuer’s management.
Section 409
Section 409 stipulates that companies must immediately inform the public of any material changes in their financial condition or operations. This means companies are obligated to disclose information such as data breaches or other forms of cyberattacks immediately.
Section 802
Whoever knowingly alters, destroys or falsifies records faces significant fines, imprisonment, or both.
All audit or review workpapers must be retained for a period of 5 years after the audit, including both electronic and non-electronic records. Failing to do so can result in fines, imprisonment, or both.
Section 902
This section addresses an amendment of Chapter 63 of title 18, United States Code, which covers various fraud offenses from radio or television fraud, to bank fraud and health care fraud. It states that “any person who attempts or conspires to commit any offense under this chapter shall be subject to the same penalties as those prescribed for the offense.” This means any attempt to commit a criminal fraud offense can result in up to 20 years imprisonment for individuals and a fine of up to 500,000 dollars for organizations.
Section 906
While Section 302 of the same title represents a civil provision, 906 is the criminal provision. It requires that each periodic report filed by an issuer must be accompanied by a written statement in which the chief executive officer and chief financial officer certify that the report “fully complies with the requirements of section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) and that information contained in the periodic report fairly presents, in all material respects, the financial condition and results of operations of the issuer.”
Failure to do so or falsifying the report can result in fines of up to 5 million dollars and/or 20 years in prison.
SOX 404 Compliance
Of all sections, 404 is the most complicated and difficult for companies to achieve – and also the most expensive to implement. It is therefore also the section that has been faced with the most resistance. It demands that internal controls be put in place and maintained to ensure financial data is protected from fraud or error and it requires external auditors to review these controls and attest that they are appropriate.
It is not enough for companies to simply submit a report stating that they have the appropriate controls in place. They must be able to pull any document the auditor demands and thereby demonstrate that they have complied with SOX regulations. This means they must have systems which not only log data securely, but also make this data available on demand for auditors to view.
What Are the Consequences of Non-Compliance with SOX?
The stakes for failing to meet SOX compliance demands are high. For CEOs and CFOs who purposefully submit incorrect documentation to SOX compliance auditors, consequences may include fines of up to 5 million dollars, imprisonment of up to 20 years, or both. Incorrect certification that was submitted mistakenly can result in a fine of up to 1 million dollars and 10 years in prison. Companies who fail to comply also face being delisted from public stock exchanges.
SOX Compliance Audit – What Does It Encompass?
“SOX Compliance” refers to the mandatory annual audit public companies must undergo. They must hire an external auditor who will review whether:
the numbers provided in the financial statement are accurate and
the internal controls put in place by management are adequate and designed to sufficiently protect financial data against fraud.
Auditors may also interview staff to verify that their duties match their job description and whether they have received proper training to safely access financial information.
The findings of these audits are then made available to shareholders and the public. SOX compliance therefore is not only about the numbers in the financial statement, it is increasingly about the controls, policies and procedures set up by companies to ensure that data is correct and sufficiently protected.
And this is where SOX compliance overlaps with cybersecurity and all things IT. Because what is the use of having great financial controls when you are not keeping track of who has access to systems that allow them to tamper with data?
SOX IT Controls
Sections 302, 404 and 409 of SOX require public companies to closely monitor, log and audit their IT environment. SOX auditors will investigate the following four core items:
IT security: Organizations must ensure that they know exactly who has access to what data and resources and demonstrate that they have the appropriate tools to prevent data breaches from occurring. How companies choose to implement IT security measures is left up to them. They must invest in equipment, tools and services that are designed to monitor and protect their financial databases.
Access controls: Companies must ensure their sensitive information can only be accessed and viewed by people and users who have permission to do so. This includes both physical access (doors, file cabinets) and electronic access (login controls), which must be protected by appropriate measures (principle of least privilege, password control).
Data backup: All financial records and other sensitive data must be backed up using appropriate storage systems, both on-site and off-site.
Change management: Companies must have defined processes for adding and removing users or devices, as well as for installing and updating software. Change tracking must be used to document who made the change, what was changed and when the change was made.
Systems for logging and monitoring such activities must provide an audit trail of access to sensitive data. The internal control review therefore often makes up the largest portion of a SOX compliance audit. During the assessment, IT resources such as PCs and any other forms of hardware used to process financial data are thoroughly evaluated.
Preparing for a SOX Compliance Audit
Achieving SOX compliance and passing the audit is not something you can prepare for quickly (nor is it necessary that you achieve compliance within days or weeks). It requires a long-term strategy from organizations and they are usually given several years to become fully SOX compliant. Your best bet is to invest in sophisticated software that takes much of the time-consuming, error-prone and laborious manual work off your hands and keeps your data safe from unauthorized access.
You must have controls in place to ensure your internal auditing and reporting systems are up-to-date and tested so that you are able to provide any documentation your auditor asks for right away.
SOX Compliance Checklist
There are indeed compliance checklists out there that sort of summarize what SOX wants you to do. However, the problem with these checklists is that they don’t tell you how to complete these steps. This is because, in reality, every company is different and every audit will be different. Therefore, there is no one-size-fits-all checklist that can be applied to every company and simply ticked off. Sorry, but that’s the truth.
There are, however, some general questions that you can ask yourself to get a good idea of whether you are on the right track to achieving SOX compliance:
Are your systems, especially for logging and monitoring, up-to-date and have they been tested?
Do you know who in your organization has access to financial or other critical data?
Are you ensuring strict segregation of duties to guarantee functioning internal controls?
Are you monitoring user behavior in order to detect potential breaches in time?
Are you performing regular user access reviews to monitor changes in permissions?
Can your SOX auditors access the files and resources they need to adequately perform their jobs?
Are your staff trained in how best to handle financial data? Do they know which files they’re allowed to access and which not?
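As an added illustration of three of the checks described in the IT controls section and this checklist (user access review against an approved baseline, segregation of duties, and change records that name who, what and when), here is example code that is not part of the original article or any product; all users, roles and change records are constructed sample data.

```python
"""Illustrative SOX IT-control checks over constructed sample data.

Added example, not code from the original article or any vendor product.
Three checks that map to the article's controls and checklist questions:
  1. user access review: flag entitlements not in the approved baseline
  2. segregation of duties: flag users holding a conflicting pair of roles
  3. change tracking: flag change records missing who / what / when
All data below is constructed for the example.
"""

# Constructed: roles the approval process has signed off per user.
APPROVED = {
    "alice": {"ap_clerk"},
    "bob": {"ap_approver"},
    "carol": {"gl_admin", "report_viewer"},
}

# Constructed: roles currently assigned in the finance system.
CURRENT = {
    "alice": {"ap_clerk", "ap_approver"},   # approver role was never approved
    "bob": {"ap_approver"},
    "carol": {"gl_admin", "report_viewer"},
    "dave": {"report_viewer"},               # no approval on file at all
}

# Constructed: role pairs one person must never hold together.
SOD_CONFLICTS = {frozenset({"ap_clerk", "ap_approver"}),
                 frozenset({"gl_admin", "ap_approver"})}

# Constructed change log; every record must say who, what and when.
CHANGES = [
    {"who": "carol", "what": "patched ERP to 12.4", "when": "2023-03-01T09:12:00Z"},
    {"who": "", "what": "added user dave", "when": "2023-03-02T14:00:00Z"},
    {"who": "alice", "what": "granted ap_approver to alice"},
]

def access_review(current, approved):
    """Return {user: roles} for roles that exceed the approved baseline."""
    excess = {u: roles - approved.get(u, set()) for u, roles in current.items()}
    return {u: roles for u, roles in excess.items() if roles}

def sod_violations(current, conflicts):
    """Return (user, conflicting_pair) for each conflict a user holds."""
    return [(u, tuple(sorted(pair))) for u, roles in sorted(current.items())
            for pair in conflicts if pair <= roles]

def incomplete_changes(changes):
    """Return indices of change records lacking who, what or when."""
    return [i for i, c in enumerate(changes)
            if not all(c.get(k) for k in ("who", "what", "when"))]

if __name__ == "__main__":
    print("unapproved access:", access_review(CURRENT, APPROVED))
    print("SoD violations:", sod_violations(CURRENT, SOD_CONFLICTS))
    print("incomplete change records:", incomplete_changes(CHANGES))
```

Each flagged item is the kind of evidence an auditor asks for: the finding, the user it concerns, and the control it violates.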
Achieving SOX Compliance With IAM
While securing physical access to data is usually a pretty straightforward process, many companies struggle with managing user access rights across increasingly complex digital systems that involve both on-premise software and cloud-based platforms like Microsoft 365. Luckily, there are tools and software solutions available that are specifically designed to manage access rights, provide audit trails and help you reach your compliance goals.
Whether you are trying to reach SOX compliance for the first time or reduce the amount of effort needed to complete your yearly SOX audit, an identity and access management solution covers many of the requirements and controls outlined in the Sarbanes-Oxley Act.
Advantages of SOX compliance
Besides not ending up in jail or paying huge fines for non-compliance, companies who have made the effort to comply with SOX will experience the following improvements:
Reduction of costs thanks to stronger control environment: Companies who demonstrate a strong control environment, with a good sense of discipline, structure and ethical values spanning all departments including – first and foremost – managerial departments, have been able to reduce the scope of their internal control audits. This in turn means fewer internal tests are necessary to reach compliance, and this again significantly reduces costs.
Better insight due to better documentation: The efforts of bringing all documentation up to speed after SOX was first enacted cost companies many, many hours of work – but in the end, these efforts paid off. Clearer job descriptions and exact definitions of who is responsible for covering which business processes allow for a much smoother onboarding process. Employees are also able to better understand operations and how they are accomplished. Basically, it helps everyone understand the exact scope of their job responsibility.
No more conflicts of interest = happier stockholders: Remember Arthur Andersen? Yeah, well that doesn’t happen anymore. Members of the audit committee must be free of most financial and personal ties to the company they are auditing and at least one committee member should be a “financial expert”. This means you can’t sign off on a false report anymore and ask your auditor, who also happens to be your accountant, to turn a blind eye (potentially resulting in a stock crash and you as well as your stockholders losing billions).
Standardization of processes: Instead of using many different processes for different tools or departments (such as inputting financial transactions into various systems), it is better to follow just one or two standardized processes across all your systems, departments and offices. Not only does this reduce the likelihood of errors, it also helps companies excel at audits because standardized processes are easier and quicker to evaluate (making the audit much cheaper).
Reduced complexity = more efficiency: Simplification is key to achieving SOX compliance. Rather than using different accounting practices, for instance, it is better to use a centralized system and follow best practices to unify processes and thereby make them more efficient. This helps managers and everyone else to maintain a better overview of the situation. Processes can be conducted quicker and fewer errors occur.
Minimization of human error through process automation: Manual processes are the weakest link of internal controls. Ask anyone. (Ask your auditor!). Humans can be distracted, tired, ill or just mean. Automated controls that are well thought through and implemented do not make mistakes. Automation helps companies excel at audits and reduces auditing costs, since just one or two trial runs of an automated system are enough to demonstrate its functionality. Also, according to the PCAOB, some automated controls only require testing every three years instead of every year (provided the control has not been changed since the last audit and the company can prove this).
Predictable financials: All of these advantages make it easier for companies to predict their financials, which gives them easier access to capital markets and is another factor in keeping shareholders happy.
Fewer data breaches: Process automation, limiting user access and minimizing human errors reduce the likelihood of your company falling victim to employee data theft or a data breach.
Download our white paper for a deep dive into the Sarbanes-Oxley Act, its purpose and the role of IT in achieving compliance.