Back in the late 1990s and early 2000s, a number of instances of financial fraud were uncovered in large public corporations, leading to a growing feeling of distrust in the market. In 2001, for instance, a scandal surrounded the American energy company Enron when it was discovered to have used fraudulent accounting practices and loopholes to hide its losses in financial reports. This incident, along with numerous other scandals like it, prompted the creation of the Sarbanes-Oxley Act to provide more oversight.
What Is SOX?
Named for its co-sponsors and passed in 2002, Sarbanes-Oxley (SOX) is a United States federal law that established new financial disclosure requirements for public companies in the United States.
What Is the Purpose of SOX?
SOX aims to protect investors by focusing on improving financial accountability. The act consists of eleven titles that set out provisions to help improve transparency, reduce fraud, and outline penalties for those in violation. These titles are outlined briefly below:
Title 1: Public Company Accounting Oversight Board (PCAOB)
Title 1 creates an independent board tasked with monitoring accounting firms and creating formal processes for compliance audits and other oversight activities.
Title 2: Auditor Independence
Title 2 outlines standards that external auditors must meet in order to avoid conflicts of interest.
Title 3: Corporate Responsibility
Title 3 requires that executives of public companies take formal responsibility for the accuracy of financial reports, and also outlines prohibited activities like insider trading.
Title 4: Enhanced Financial Disclosures
Title 4 enhances the reporting requirements, mandating not only the disclosure of additional information like stock transactions, but also the quality controls for ensuring the accuracy and timeliness of these reports.
Title 5: Analyst Conflicts of Interest
Title 5 outlines the code of conduct for securities analysts.
Title 6: Commission Resources and Authority
Title 6 outlines the powers the Securities and Exchange Commission (SEC) has to bar brokers, advisors, or dealers from practice, and what constitutes an offense that would warrant barring.
Title 7: Studies and Reports
Title 7 outlines regular studies the SEC must perform, like reporting on credit rating agencies' influence on securities markets.
Title 8: Corporate and Criminal Fraud Accountability
Title 8 details penalties for financial reporting violations like manipulation of records, and also outlines protections for whistleblowers.
Title 9: White Collar Crime Penalty Enhancement
Title 9 strengthens the punishments for committing white collar crimes and makes failure to adhere to Title 3 (certifying financial reports) a criminal offense.
Title 10: Corporate Tax Returns
Title 10 requires that the CEO of any public corporation sign the company’s tax return.
Title 11: Corporate Fraud Accountability
Title 11 lists corporate fraud as a criminal act and outlines strict punishments that should be associated with such offenses.
Who Does SOX Apply to?
While SOX primarily applies to publicly traded companies within the United States, parts of the act apply to private companies as well. For example, private companies also face serious consequences if they destroy financial records in order to hinder an investigation.
What Are the Compliance Requirements?
SOX compliance requirements are quite broad. Essentially, companies must have controls in place to ensure the accuracy and legality of their finances and financial reporting. They must also complete these reports and verify that they are accurate. Finally, they must submit these reports for evaluation to an independent third-party auditor.
While the requirements for SOX compliance are quite vague, adhering to them involves a lot of detailed work. Deciding on internal controls to ensure that your financial reports can be certified as accurate requires evaluating and implementing different tools that manage financial data, prevent or detect both accidental and deliberate tampering with this data, create reports, and streamline the process to ensure that all of the information is timely.
The following checklist will help simplify this process, providing you with the full list of requirements for SOX, as well as suggestions on how to meet them.
Find out what each requirement of SOX means and how Fortra solutions can help you comply in the checklist below or by downloading the PDF version of the checklist.
What It Means
Section 302: Corporate Responsibility for Financial Reports
Signing officers (CEO, CFO) must certify that financial reports are complete and accurate.
Signing officers must certify that they have implemented and evaluated all internal controls around financial reporting within the previous 90 days. Reports should include an assessment of these internal controls.
While there is no specific list of which internal controls must be used, information security tools are generally considered a required part of these controls.
Use Core Privileged Access Manager (BoKS) to enforce staff login with their own individual accounts on SOX infrastructure and to limit privileges on financial data to only those staff who require access.
Use Powertech Event Manager to monitor logs and security events pertaining to financial data. Integrate pertinent financial software to centralize monitoring and allow for event correlation.
Use Powertech Security Auditor to enforce security policy adherence and prevent security misconfiguration.
Use Powertech Antivirus to provide protection for enterprise servers that store sensitive financial information.
Section 404: Management Assessment of Internal Controls
Organizations must provide a top-down risk assessment report of their internal controls to an external auditing firm.
External auditors must determine the effectiveness of the organization’s internal controls based on this report.
While there is no specific list of which internal controls must be assessed, cybersecurity efforts geared towards preventing insider and external threats are generally considered a required part of these controls.
Use Core Privileged Access Manager (BoKS) to log keystrokes, providing full visibility of your environment. Automatically generate event and audit logs, with user ID and user group fields in each log record.
Use Powertech Event Manager to generate automatic reports that show logs for all event and incident response activity, as well as security posture performance over time.
Use Powertech Security Auditor to provide reports containing logs of new systems added, out-of-compliance settings, and remediation.
Use Powertech Antivirus to generate reports of scanning activity, infections found, and malware