Congressmen Paul Sarbanes and Michael Oxley put the compliance act together the SOX (Sarbanes-Oxley Act) Compliance Act in the US in 2002. With the SOX Act, all U.S. public company boards, management, and public accounting firms should confirm with SOX standards with the goal to increase transparency in financial reporting. It also requires them to implement formalized systems for internal controls. The nature of data storage by IT has also changed with the SOX Ac. It defines which records need to be stored and the timeline that has to be followed for the storage. Complying with SOX requires businesses to save all data records, which are no longer limited to electronic records and messages, for not less than five years. Non-compliance with SOX may lead to fines or imprisonment or both.

The Act contains eleven titles that cover additional corporate board responsibilities to criminal penalties. The enforcement and implementation of these requirements were given to the Securities and Exchange Commission (SEC). The most important SOX compliance requirements are considered to be 302, 404, 409. As per section 302, every public company must file periodic financial statements and the internal control structure with the SEC. Section 404 requires that all annual financial reports include an Internal Control Report stating that management is accountable for internal controls and that any shortcomings should be reported. As per section 409, companies need to disclose any changes in financial conditions or operations so that the interests of the investors and public are protected.

Electric Record Management Rules

The third rule under Sec 802 of SOX Act defines business records, communications, and electronic communications that need to be stored. The IT department is responsible for the creation and maintenance of corporate records. The department should comply with the Act in a cost-effective way. According to Sec 802, Criminal Penalties for Altering Documents in SOX Act, the penalties for anyone involved in the destruction, alteration, or falsification of records would be hefty fines or imprisonment for not more than 20 years or both. The second rule under Sec 802 SOX Act defines the data storage retention timeline. Some of the generally accepted retention periods under SOX are listed below.

SOX Compliance Controls

The management should implement security controls so as to ensure the safety and accuracy of data. There is a major overlapping of Data governance and SOX Compliance as both of them work towards the safety and accuracy of data within the organization. Data mapping and classification tools help in tracking the data’s whereabouts and its usage.

SOX Compliance Audits

An independent auditor conducts SOX audits on an annual basis. SOX audits have to be separate from other external and internal audits to avoid any conflict of interest. However, one can time the audits with other audits so as to be able to include it in their financial annual reports, thus having transparent communication with their stakeholders.

SOX Software Solution

To comply with SOX, your business must demonstrate that it has strong, approved internal controls. It also mandates that an internal auditor should verify that these controls work. Implementing a software solution for managing compliance requirements would enable monitoring of data, tracking policies and its timelines and recording every user action. With evidence trails captured in the system, it would ensure the proper investigation in case of any fraudulent activity. Implementing a software solution that ensures SOX compliance would protect data and business and ease the SOX audit processes carried out annually. VComply helps the organization in tracking SOX Controls on a single platform with real-time tracking and in-detailed analysis.