All you need to know about the Sarbanes-Oxley Act (SOX)

Continuing with our Governance, Risk Management, and Compliance series, we will cover all you need to know about the Sarbanes-Oxley Act. You may have started a new position at a company that requires compliance with it, or your company may have changed its status and now must comply with this law. This article is a great way to learn about it and be prepared for all the dos and don’ts.

What is the Sarbanes-Oxley Act?

The Sarbanes-Oxley Act, often referred to as SOX, is a U.S. federal law enacted in 2002. It is a crucial piece of legislation to ensure financial transparency, accountability, and investor protection in publicly traded companies. Its main goal is to protect investors by helping them have better information in their decision-making. Companies subject to SOX must comply with its provisions, including maintaining accurate financial records, implementing internal controls, and undergoing annual audits.

Originally a response to a series of corporate scandals, including those involving companies like Enron and WorldCom in the early 2000s, it intended to prevent deceptive accounting techniques used to hide losses and artificially inflate stock prices in those scandals. Compliance with this law promotes ethical business practices that benefit the market.

SOX imposes various reporting, accounting, and data retention requirements to ensure transparency and integrity in business practices.

Key Provisions and Goals

  • Financial Accuracy: SOX mandates that companies produce and retain accurate data about their finances. This includes financial statements, internal controls, and audit trails. While this may sound obvious, previous corporate scandals made legislation necessary to assure transparency for investors.
  • Data Retention: Companies must retain financial records for specified periods (the legal requirement is often seven years), making them available for audits and regulatory scrutiny. This raises some specific technical considerations. Data retrievability needs to be guaranteed to prevent out-of-compliance.
  • Internal Controls: SOX emphasizes establishing robust internal controls to prevent financial fraud. Controls must be specified and tested frequently to demonstrate the company is in-compliance.
  • CEO and CFO Certifications: CEOs and CFOs are required to certify the accuracy of financial statements. CEOs and CFOs are responsible for the accuracy in their statements. This results in both the CEO and the CFO becoming liable for their work to the regulating entities.
  • Whistleblower Protection: The law protects employees who report financial misconduct from retaliation.

Who Does SOX Apply To?

SOX applies to publicly traded companies in its full extent, but it also applies to privately held companies in some of its requirements.

Publicly Traded Companies: SOX primarily applies to publicly traded companies listed on U.S. stock exchanges. If you joined a publicly traded company, your company has to comply with all requirements in this law. Most companies have a compliance, legal, or audit department that makes sure the financial requirements are met. By extension, the office of the CISO (Chief Information Security Officer), or a team within the CTO (Chief Technology Officer), must guarantee that all systems in use also guarantee the financial accuracy of their actions.

Privately Held Companies: Some provisions, such as record retention, whistleblower protection, etc. also apply to these companies.

Compliance Frequency

Companies subject to SOX must comply annually. They undergo external audits to assess their adherence to the law’s requirements. Additionally, companies must report any significant changes in their financial condition promptly. This means that compliance frequency is both cyclic and continuous.

The company must report, therefore be audited, yearly to certify its compliance. This is where BlueKatana comes in to help. But it also means that the company must be ready with its documentation proving compliance. This is something that the company prepares prior to the external auditors coming into the company. The internal departments, mentioned above, do this work.

The company must make sure it is at its best behavior continually, when executing its policies and procedures. For example, you cannot enact a policy that is non-compliant, or build a system that is non-compliant. This means that those enacting policies and procedures may need the team responsible for compliance’s input before they are enacted. Similarly, the CISO’s office will guarantee that systems going into production are aligned with the compliance requirements. BlueKatana offers CISO, vCISO, and CISO’s office consultants to complete these tasks if your team is small.

Preparedness Strategies

Prepare yourself for compliance by keeping a smart strategy. You need to cover the following:

  • Robust IT Infrastructure: Companies need reliable systems for data storage, retrieval, and security. IT teams play a crucial role in ensuring data accuracy and availability. This includes systems developed in-house, custom developed, and purchased for implementation.
  • Documented Processes: Clear documentation of financial policies, processes, and controls is essential.
  • Training and Awareness: Regular training ensures employees understand their responsibilities under SOX. Everyone is required to do their part in the enterprise. Compliance is a team effort.
  • Internal Audits: Conduct internal audits to identify gaps and address compliance issues proactively.
  • External Auditors: Collaborate with external auditors to validate and certify compliance.
  • Risk Assessment: Regularly assess risks related to financial reporting and adjust controls accordingly.

Final note

It is always better and lower cost to build compliant products, systems, policies, and procedures, than have to correct them after being enacted. Or even worse, after being externally audited as non-compliant.

Non compliant solutions lead to spending at least an order of magnitude more than compliant solutions.

 

InfoSec Rush To Safety Series: Include Your Team

Your company takes security seriously, but is your Company taking your InfoSec Teams’ suggestions seriously? One of the things that 2020 is showing us is that we certainly need to take our InfoSec Pros seriously. Cybercrime and ransomware have particularly risen in the last 6 months and we need to make sure everyone can speak up and eliminate or at least minimize exposure to those risks.

Continue reading

InfoSec Rush to Safety Series

In light of the pandemic coming to a close sometime in 2021, we expect that some people will start coming back to work to their office locations. This not only imposes a new reality on the overall social aspects, architecture, and office layout but also poses some challenges on the InfoSec front. Over the next few articles, we will be focusing on the upcoming rush to achieve a secure level of compliance.

Continue reading