In 2022, the financial world fell apart after the frauds of WorldCom and Enron, which shook the financial world to its core and tested public confidence in auditing and financial reporting. In 2002, Congress passed the Sarbanes-Oxley Act (SOX) to revolutionize the regulation of corporate governance in the USA and to require full financial disclosure.
The gist of the SOX Act is this: any company wanting to enter the public market, either through an IPO or through a special purpose acquisition company (SPAC), has to deal with SOX and comply with all of its rules and regulations.
Having all the priorities straight and requirements in order is a daunting task for organizations as each step needs to be evaluated with extreme care and caution. Throughout this article, we’ll understand SOX compliance and how organizations can navigate through the series of requirements of SOX by focusing on people, processes, and technology.
What is SOX compliance and what are the key SOX requirements?
SOX compliance is an annual obligation resulting from the Sarbanes-Oxley (SOX) Act, which requires publicly traded companies doing business in the United States to set standards for financial reporting, including privacy, tracking of attempted violations, keeping electronic records for audits, and evidence of compliance.
The SOX Act, also known as the 'Public Company Accounting Reform and Investor Protection Act' and the 'Corporate and Auditing Accountability and Responsibility Act', is named after its principal sponsors, Senator Paul Sarbanes and Representative Michael Oxley.
The law requires internal controls over financial records and requires the chief executive officer (CEO) and chief financial officer (CFO) to sign statements certifying the accuracy of financial reporting. The law also levies fines and penalties for fraudulent reports. Both provisions are intended to increase confidence in US corporate investments.
The new or expanded compliance requirements apply to all directors, administrators, and auditors of US public companies. The SOX Act requires the following:
- All financial reports need to include an internal control report
- Accurate financial reporting and controls in place to protect financial data
- The release of full financial disclosure annual reports
- Protection for whistleblowers
SOX compliance requirements are quite vast, spanning 11 titles, but to understand the crux of the Act, let's look briefly at the internal control requirements:
Internal control report
SOX requires organizations to submit a report demonstrating that senior management remains responsible for the internal control framework applied to financial records. To ensure transparency, all consequential weaknesses must be reported to management immediately. Sections 302, 404, and 906 are particularly relevant to this aspect of the Act:
- Section 302 - states that the Chief Executive Officer and Chief Financial Officer are directly responsible for the accuracy of the organization's financial reports. Signatory officers are required to review and certify the accuracy of financial statements, establish and maintain internal controls, and disclose any weaknesses, fraud, and material changes in internal controls.
- Section 404 - specifies that all annual financial reports must include an internal control report demonstrating that management has established an appropriate internal control structure, together with management's assessment of how effective that structure is and of any control deficiencies. Independent external auditors must also attest to the accuracy of the company's statement that internal controls are in place and effective.
- Section 906 - requires the CEO and CFO to certify that all financial reports give a true and fair view of the financial condition and results of operations of the issuer in all material respects, and that the reports comply fully with the law. Knowingly certifying a non-compliant report attracts criminal penalties.
In publicly traded companies, the chief executive officer and chief financial officer are directly responsible for all financial reports filed with the Securities and Exchange Commission (SEC). Violators would face severe penalties, including jail terms and millions of dollars in fines.
Data security policies
Under the SOX compliance act, all organizations should create and maintain a data security policy that protects the storage and use of all financial information. Organizations should consistently implement this policy and communicate it clearly to all employees.
Evidence of compliance
SOX requires organizations to create and maintain compliance documentation, which must be provided to auditors upon request. In addition, organizations must continuously conduct SOX control tests, as well as monitor and measure progress against their SOX compliance goals.
What are SOX internal controls?
The Sarbanes-Oxley Act of 2002 (SOX) is a federal law designed to increase the reliability of financial reporting and protect investors from corporate fraud. SOX applies to public companies operating in the United States and to some private companies, as defined in SOX Sections 302 and 404.
SOX Section 404 requires companies to implement internal controls that secure their financial data and thereby guarantee the accuracy of their reports.
Also known as SOX 404 controls, the SOX controls are safeguards designed to detect and prevent errors in the company’s financial reporting process cycle. They help the overarching business process achieve its objectives while preventing anomalies in the organizational process. Their key purpose is to detect and prevent errors that would cause deficiencies in the process.
SOX controls must be applied and verified in all cycles leading to the company's financial reports or financial results. Internal auditors should conduct regular compliance audits to verify that the appropriate controls are in place and functioning properly.
The important thing to know here is that the SOX standard does not provide a list of specific controls. Instead, organizations must define their own controls to meet the regulator's objectives.
Benefits of SOX compliance
SOX compliance creates a strong, inclusive internal team culture, and improves communication between departments involved in audits rather than operating in silos. The benefits of an enterprise-wide program like SOX can have multiple tangible impacts on the business, including better communication and collaboration across functions.
SOX inherently requires a comprehensive risk management framework embedded in the organization's culture. Organizations benefit from company-wide visibility and transparency of processes, improved coordination, and the prompt containment of violations.
By implementing SOX, organizations are better protected from cyberattacks and the costly consequences of a data breach. Data breaches are difficult to manage and fix, and some companies never recover from the damage done to their brand. The security controls that SOX requires go a long way toward reducing the potential for malicious attacks and insider threats.
Efficient financial management
SOX provides the framework for businesses to better manage their financial records, which in turn benefits many other aspects of the business. Similar to ISO 27001 compliance, SOX alignment promotes efficient and accurate financial reporting that promotes a higher level of financial diligence in your organization.
SOX-compliant companies report more predictable financial metrics and easier access to capital markets. Whether you are creating reports for investors, auditors, or regulators, your reporting capabilities will be greatly enhanced with SOX.
A checklist of SOX compliance and SOX compliance audit
The importance of SOX compliance varies from organization to organization, but SOX engagements typically begin with identifying how and where the organization protects financial data, aligning systems with SOX accounting requirements, and addressing the wider context of business risk processes.
The following IT-SOX audit checklist helps cover key areas when designing controls:
A SOX compliance audit assesses how the organization identifies sensitive data, protects it from cyberattacks, monitors who accesses it and how, and detects security incidents. In other words, when an incident occurs, the organization must be able to take corrective measures quickly and effectively. This requires dedicated security personnel, effective security procedures, and security tools such as a Security Information and Event Management (SIEM) system.
A few questions to look for:
- Can you currently detect data breaches?
- Is there an incident team ready to respond?
- Can you handle ransomware or phishing attacks?
- Do you have software that can help detect a breach, whether it's occurring in a database, website, or storage?
SOX compliance imposes several data retention requirements for different types of data. Retained data must be indexed, searchable, easily retrievable, and encrypted. Data centers that hold it must be SOX compliant.
A few questions to consider:
- What type of data do you need to protect?
- Where does this data reside?
- Which employees and stakeholders own this data, and who has access to it?
- Is your data stored in the cloud?
SOX compliance requires a precise assessment of how the organization restricts access and implements access control measures, to ensure that only the right people have physical and electronic access to confidential financial information.
This includes physical access measures and video surveillance for server rooms, and digital measures such as authentication and management of credentials using an identity and access management (IAM) solution.
A few questions to answer here:
- Who has access to your data?
- Do users have unique credentials?
- Can sessions on your network be traced back to users? Can users share logins?
- What happens when employees change roles or leave the company?
- Can you track access to your sensitive data, e.g. with an ERP system?
- Is the access appropriate or too lenient?
- Is your access enforcement adequate?
Organizations sit on stacks and piles of financial and business records, but data security requires reporting that is automatic, auditable, timely, and accurate whenever it is needed. SOX compliance attaches great importance to authenticated reporting.
Some questions to answer:
- Do you have a security tool that stores logs and allows you to search and filter them?
- Where are these records kept and do you have controls in place to prevent tampering?
If incidents are not escalated within the required timeframe, they can wreak havoc throughout the ecosystem, both for the organization and for interested parties.
The question to ask here is:
- Once a security incident is detected and logged, does your system then generate tickets to address and resolve issues?
Segregation of duties:
The Institute of Internal Auditors (IIA) describes the basic idea behind the segregation of duties: "No employee or group of employees should be able, in the course of their normal duties, both to commit and to conceal errors or fraud."
The work of one individual must be independent of, or serve as a check on, the work of another.
A related area is training staff on SOX law and on the development of the systems that implement it. Part of compliance is the separation of duties across multiple job functions. A few questions to ask:
- Do you have strategies in place to prevent and detect various types of embezzlement and fraud, including those related to the separation of duties?
- Do employees understand their roles?
During the materiality analysis, auditors will identify and document SOX controls that may prevent or reveal misrecorded transactions. You need to identify the controls in the financial reporting process that ensure transactions are properly recorded and account balances are accurately calculated.
Some examples of preventive or detective SOX controls are the separation of conflicting duties, verification of single or multiple transactions posted during the period, and account reconciliations. At this stage, you should answer this question thoroughly:
- Do you have systems that time-stamp data and user access in real time?
This step is all about evaluating how the organization secures key data and systems to minimize business interruption and data loss in the event of a disaster.
Both the original systems and the data center containing the backups or standby systems that store financial data must meet SOX requirements.
A few questions to ponder upon:
- Do you have documentation and a policy for backing up systems?
- Do you conduct quarterly data recovery tests?
- How do you prove that your backups are correct and tamper-proof?
Automating SOX compliance with VComply
Understanding SOX compliance clearly is half the battle won, but the other half still remains. Achieving SOX compliance is a tedious task, and to get it right the first time you need the right tech stack to gather the right data and to set up the security measures and controls required by the SOX regulatory norms.
The VComply SOX compliance solution provides a framework for managing complex SOX requirements to save time, reduce risk, and visualize compliance performance trends using real-time reporting. The VComply platform, with its simple governance and policy management capabilities, helps organizations prepare for SOX audits. It standardizes even the most extensive and intricate controls to address any SOX compliance challenge.
A few benefits of choosing VComply to stay organized for SOX regulations are:
- Management-approved internal controls for a robust financial structure.
- Built-in workflows for assigning, reviewing, overseeing controls, and policy implementation.
- Audit capabilities based on SOX framework to assess the controls.
- Built-in reports for meeting SOX compliance standards and insightful dashboards.
- Central storage for SOX-related risks and controls.
Though SOX compliance is often considered a burden and a heavy responsibility for an organization, it has a silver lining as well. It gives organizations an opportunity to improve their financial reporting, cybersecurity, and access control capabilities. Staying up to date with new strategies and tech stacks benefits the organization in the long term. As an ongoing set of activities, SOX not only protects investors and stakeholders but also improves the organization's capabilities at a holistic level.