SOX (Sarbanes-Oxley) Compliance
What is the Sarbanes-Oxley Act?
Sarbanes-Oxley Act (SOX), is a regulation that was signed into law on July 30, 2002. For compliance, all institutional investors are expected to install and report internal accounting controls to the SEC (Securities and Exchange Commission).
All applicable businesses must set up a financial accounting framework capable of producing financial reports that can be easily verified with traceable source data. This source data must be preserved and cannot be subjected to undocumented revisions. Furthermore, any changes to financial or accounting source code must be clearly documented, including what was changed, why, who changed it, and when.
The following organizations are affected:
All publicly traded American corporations
International companies that have registered equity or debt securities with the Securities and Exchange Commission in the United States (SEC)
Accounting firms or other financial service providers to either of the aforementioned
What are the requirements for SOX compliance?
The Sarbanes-Oxley Act is divided into eleven sections that total more than 60 pages, but the most important in terms of compliance are sections 302, 401, 404, 409, 802, and 906. (The most difficult section to comply with appears to be Section 404):
Section 302 specifies corporate responsibility to review and ensure that financial reports contain no misrepresentations, that reports are fairly presented, to manage internal accounting controls, and to report any deficiencies in internal accounting controls or fraud involving audit committee management.
Section 401 governs disclosures in periodic reports. All financial statements and the requirement that they are accurate and presented in a way that does not contain incorrect statements or admit to state material information.
Section 404 states that annual financial reports must include an Internal Control Report stating that management is responsible for adequate internal control assessments and efficiency.
For the implementation of the controls, your organization is recommended to adopt an IT security framework (such as the NIST CSF, COBIT, COSO, etc).
Section 409 requires companies to report on changes in their financial position or operations on a regular basis.
Section 802 restricts and defines the penalties for altering documents in a legal investigation, audit, or bankruptcy proceeding.
Section 902 states that any person who corruptly alters, destroys, mutilates, or conceals any document with the intent to impair the object's integrity or availability for use in an official proceeding commits a crime.
Other companies and standards to be aware of in regards to SOX:
PCAOB: Public Company Accounting Oversight Board, trains auditors and conducts SOX audits.
SEC: SOX Act is administered by the Securities and Exchange Commission (SEC) that provides deadlines and rules for compliance.
COSO: The Committee of Sponsoring Organizations updates the internal controls towards achieving SOX compliance. These updates provide the PCAOB auditing standards.
COBIT: The Control Objectives for Information and Related Technology, developed by ISACA, is a framework that can be used to implement SOX. It consists of 34 best procedures for IT security.
The COBIT framework puts the COSO plan into action by providing details that enable organizations to secure their IT environments. The framework consists of many other standards, including ISO/IEC 27000.
ITGI: The Information Technology Governance Institute is an IT framework that includes COBIT and COSO standards, but it focuses solely on security in terms of general compliance that can be used to achieve SOX compliance.
Why should you be SOX compliant?
The Sarbanes-Oxley Act safeguards investors by prohibiting fraudulent accounting and financial practices in publicly traded companies. It has been successful in forever changing the corporate governance landscape to the benefit of investors. It has enhanced investor confidence and accountability expectations for corporate directors and officers, as well as their legal and financial advisers.
Penalties for noncompliance include:
Lawsuits and bad publicity
Even if done in error, a corporate officer who fails to corporate or submits an inaccurate certification faces a fine of up to $1 million and ten years in prison.
If the incorrect certification was submitted on purpose, the fine could be up to $5 million and 20 years in prison.
How to achieve compliance?
Becoming compliant requires following the regulation laws sections mentioned above
The Centraleyes platform has a fully integrated SOX questionnaire that addresses the requirements towards compliance, especially in the sections mentioned above.
To become compliant with the SOX regulation, it is highly recommended that, in addition to enforcing the regulation requirements, it be implemented in conjunction with cybersecurity controls - using a proper framework. There is no requirement for a specific framework as there are numerous framework options available that can be mapped and linked to what is relevant for SOX-IT security.
In addition to the integrated SOX questionnaire, the Centraleyes platform has also integrated and mapped the popular cybersecurity frameworks NIST CSF and COBIT 2019. The platform also simplifies the compliance process by providing streamlined, automated data collection and analysis, prioritized remediation guidance, real-time customized scoring to meet SOX requirements, and an ad hoc reporting system that prepares you for the audits.
Using Centraleyes, organizations can gain full visibility into their cyber risk levels and SOX compliance, resulting in time savings, money savings, and more accurate data.