What is SOX Compliance?
The Sarbanes-Oxley Act (SOX) is a United States federal law that addresses financial recordkeeping and reporting. It requires that any publicly traded American or overseas company registered with the Securities and Exchange Commission (SEC) demonstrate strong and transparent internal control over financial reporting (ICFR). Companies that provide financial services to such firms also fall under the SOX compliance obligation. In addition, under SOX, top executives are ultimately held responsible for the accuracy of their organization's financial data.
This is a big ask and requires organizations to ensure they have robust technical solutions in place to deliver the reliable documentation and reporting that serves as evidence that any financial applications, supporting systems, and services are secured appropriately.
As you’d expect, the annual documentation and process improvement work can be a heavy lift for an organization’s IT team and CIO, because SOX compliance (or Sarbox) is assessed each year by an external auditor for actual effectiveness. The IT team’s role is to support the processes that address the risks identified. Sections 302, 404, 409, and 802 (detailed later) fall under the IT team’s responsibility to support.
What Does it Take to Be SOX Compliant?
First, to be SOX compliant, an organization must undergo an annual audit. This audit looks for proof that financial reporting is accurate, and that financial data the organization touches is secured appropriately. The audit will also seek to ensure the use of any financial applications and financial data is configured on internal systems so that they match the organizational security policy.
To meet this requirement, most IT departments define their security policy using the SEC-approved COBIT or ISO 27002 frameworks.
SOX compliance entails a few primary policies or processes around financial data:
- Data must be kept secure and protected from possible tampering or breaches
- If a data breach is attempted, it must be tracked and have proposed resolutions
- Event logs must be kept and made available to the outside auditor
- Compliance with SOX requirements must be proven for the past 90 days
How Did SOX Come to Be?
Scandal. Lots of financial scandals. A number of famous and costly financial scandals in the 2000s brought about the act that now helps protect investors by improving the internal controls around financial reporting and the security of financial data.
Headline-making scandals at Enron, Tyco, WorldCom, and others helped bring about the Sarbanes-Oxley Act, which established stricter controls for publicly traded companies. The Act improved the accuracy and reliability of corporate disclosures made under securities laws. When investors lost billions of dollars in these scandals and public confidence in the securities markets faltered, U.S. Senator Paul Sarbanes and U.S. Representative Michael G. Oxley brought forth what is now known as SOX, Sarbox, or the Sarbanes-Oxley Act.
SOX was officially enacted in 2002, and its 11 sections place requirements on the boards of directors, management, and public accounting firms of public companies. These sections address the responsibilities of these individuals and firms, and criminal penalties apply for certain types of misconduct. The law requires that the Securities and Exchange Commission develop the regulations that define exactly how public corporations are to comply.
It is important to note that some provisions of SOX can also apply to privately held companies, for things like willfully destroying evidence to disrupt a federal investigation.
J-SOX: Japan’s SOX Equivalent
The United States is not alone in wanting more financial accountability. Japan has similar internal-control requirements for the financial reporting of its public companies: the Financial Instruments and Exchange Act (J-SOX), often referred to as “the Standards.”
J-SOX was strongly influenced by SOX and was finalized in 2007. Like the U.S. SOX, J-SOX requires companies to enhance their internal controls over financial reporting and to be able to prove the effectiveness of those controls. A significant difference is that J-SOX does not require the outside auditor to assess the effectiveness of the internal controls; it leaves that as the company’s responsibility.
There are distinct differences that need close attention, especially from companies doing business in both Japan and the U.S.
SOX Compliance Checklist
Meeting SOX compliance requirements takes a combination of technology and policy. One way to start is to address key items primarily culled from Sections 302 and 404 of the Sarbanes-Oxley Act. Each item on the following checklist must have the signing officer(s) attest to its validity.
- Prevent data tampering by establishing safeguards
- Establish safeguards that establish timelines
- Put verifiable controls in place to track data access
- Check operational condition of any safeguards put in place
- Regularly report on the effectiveness of established safeguards
- Put solutions in place to detect any data or security breach attempt
- Provide SOX auditors with access to security safeguard details
- If security is breached, disclose this information to SOX auditors
- Disclose any security safeguard failures to SOX auditors
Sarbanes-Oxley provides more specific details on how to comply with this checklist.
What Being SOX Compliant Means for IT
With IT doing the heavy lift on SOX compliance, let’s break down a few of the sections that IT needs to address.
SOX Section 302: Addresses Executive Level Responsibilities
This section is where the C-suite comes into play: it requires that the CEO, CFO, and other senior-level stakeholders and financial officers attest that they have assessed their internal financial reporting controls after certifying their financial results within 90 days.
Section 302 involves IT because the company needs to provide the required real-time reporting on its controls for SOX compliance. Automated testing, reporting on any needed remediation, and documentation gathering all fall under IT’s responsibilities for this section.
SOX Section 404: Addresses Systems for Reporting
Section 404 of SOX seeks to ensure that organizations have the necessary means and internal systems to deliver the proof and data that compliance auditors require for annual reporting.
IT assists in meeting this requirement by identifying the systems and processes needed to process and report on the company’s financial data. All procedures that support the accuracy and secure transmission of financial data, and that prevent unauthorized access to it, fall under the scope of the IT department.
SOX Section 409: Addresses Timeliness
SOX compliance requires that financial information that could have an impact on a public company’s financial future or prospects be reported in a timely fashion. Events such as bankruptcy, mergers, or a serious data breach can all trigger a fiscal shift that investors need to be made aware of within a reasonable timeframe.
IT teams support this section by using software solutions to trigger the alerts required under the Act. They can also help build mechanisms for quickly distributing information to shareholders or regulators.
SOX Section 802: Addresses Record Retention
Financial records such as financial transactions, spreadsheets, email messages, IMs, and even phone calls regarding financial matters of publicly traded companies must be preserved and available to auditors for a minimum of five years.
For SOX compliance, IT needs solutions designed to preserve these records, with automated backup procedures in place for proper and secure document management. In addition, IT can help maintain the availability of the required records should they need to be migrated from an older-style system to a cloud-based system.
SOX Compliance Made Easier with IT Guide
Fortra recognizes the outsized role IT teams play in complying with SOX requirements. Our guide for IT professionals is designed to help your team navigate SOX with information on solutions that can help streamline compliance.
Solutions for SOX Compliance from Fortra
With IT playing an integral role in SOX compliance, technical solutions that can stand up to the strict requirements are a must. The cybersecurity and automation suites from Fortra are designed to make compliance easier, more integrated, and streamlined as they are all supported by a single vendor. Solutions addressing SOX include:
With ready-to-use compliance policies for SOX, Clearswift's solutions inspect all content flowing through an organization and take the appropriate remedial action per the defined policy. Rather than stopping and blocking all communications that could be a SOX breach, Clearswift's adaptive data loss prevention features modify the content in real time by redacting or sanitizing the information that breaks policy and allowing the rest of the communication to move forward, ensuring secure but continuous collaboration.
This solution helps deliver the proof that compliance measures are being adhered to via its robust auditing and reporting capabilities. Its single-pane-of-glass structure monitors jobs across your environment, providing the transparency SOX compliance requires.
Fortra's data classification solutions support SOX compliance by allowing users to identify key data and make decisions about its storage and transmission. Users can assess the value of the data they create or handle, reducing the risk of data loss and the potential for embarrassment and costly penalties. SOX compliance is supported by clearly identifying information through labeling or marking data that requires special handling, such as ITAR information, which carries a substantial fine if mishandled. Visual labels are applied automatically to educate users on the organization’s data protection policy and to warn them before they send messages containing personal information or when sensitive data is leaving the organization.
Fortra IBM i compliance solutions can help you simplify security and more easily meet the auditor requirements of SOX compliance. Powertech can harden your system to protect your business-critical data and provide visibility into database access.
Managed file transfer (MFT) secures sensitive financial data both while it is at rest and while it is in motion. Automated workflows, encryption protocols, and comprehensive audit logs help streamline the flow of data transfers.
Fortra's identity and access management (IAM) and cyber threat solutions can help simplify the SOX compliance process with privileged access management, security information and event management (SIEM), and policy management.