In 2002, the US Congress passed the Sarbanes-Oxley (SOX) Act. It aims to protect the public from fraudulent or erroneous bookkeeping in public companies: public companies must report their financial records accurately so that stock prices can’t be manipulated through false figures. SOX compliance isn’t just a legal requirement for US-traded companies. It’s also a best practice that helps your company avoid legal challenges.
To reach SOX compliance, your company must secure and protect its financial data. This will ensure that all financial data can be reported accurately with no manipulation. To this end, a company’s IT department often gets the job. They manage this data and conduct mandatory audits.
To understand SOX compliance, let’s first take a look at how it came into existence.
The SOX Act
In 2002, Senator Paul Sarbanes and Representative Michael G. Oxley created the SOX act. This came in response to several corporate scandals where fraudulent activities took place. Namely, companies like Enron, Tyco, and Worldcom deceived their shareholders.
The SOX act aimed to “protect investors by improving the accuracy and reliability of corporate disclosures”. Unsurprisingly, it passed with an overwhelming majority in 2002. The SOX act makes all board members and officers of a public company liable for criminal prosecution.
Since the original act in 2002, only a minor amendment was made in March 2020. This update addressed the term ‘accelerated filer’. Today, all public businesses traded in the US must comply with the current SOX act.
SOX Compliance Requirements
Basically, all public companies must ensure their financial data is unmodified, secure, and controlled. This way, the company isn’t liable. To this end, every member of a business must act to ensure this occurs. Here are 3 things you could do to meet SOX compliance:
1. Prevent Data Leaks
All network users must play a part in preventing data leaks. Everyone must ensure they aren’t giving information to bad actors outside the company. As a minimum, this means enforcing strong passwords to resist brute-force attacks and configuring a firewall. Data leak prevention also involves training users in IT best practices. For example, your users shouldn’t click an email link from an untrusted source, and they shouldn’t plug in USB devices they found on the company’s site.
2. Use an ERP System
You should silo financial data so that users who don’t need access to it can’t reach it. To comply effectively, many companies use their enterprise resource planning (ERP) software or an equivalent system. This lets them control access and provide adequate version control of financial data. Version control is also a minimum requirement for the annual external audit. Whatever system your business uses, you should also include email archiving.
3. Customize Your Solution
All businesses operate differently with their own systems and procedures. As a result, it can be difficult to define exactly what you need. Each business will use different tools, infrastructure configurations, and granular processes. That said, during the mandated annual audit, your company should meet some key requirements.
And that brings us to the next idea. What should you do to prepare for a SOX compliance audit?
Preparing for a SOX Compliance Audit
At face value, it seems that finance teams should oversee SOX audits. In reality, though, it’s the IT team’s job. Why? Because the SOX compliance audit pertains to data management.
Below, we’ll discuss 4 key governance methods to help ensure you’re SOX compliant.
1. Secure Access Control Management
An ERP system will help you with SOX compliance. If you already run one, you’ll know it supports many different auditing processes. Even some one-person businesses use an ERP system, because it helps them meet the requirements of their industry and win contracts although they aren’t publicly traded. For SOX compliance, an ERP system would do most of the work, but let’s look specifically at how it helps with secure access control.
Silo Financial Data
For instance, you could silo data based on either project or role requirements. This means management may have access to financial data, but they may not be able to modify content. Instead, they can only view content. Financial officers may have ‘create’ and ‘modify’ permissions. This way, they can push documents through a tracked version control. This means every event is logged by the file object in the ERP.
Implement Security Labels
Some industries, like aerospace, need to use security labels to comply with de facto industry security standards. Otherwise, they can’t win contracts from US-based companies. Security labels can also create security levels within the organization that dictate what different members can see or work on. An ERP system will have built-in audit reports, and you can source user access logs either directly from the server logs or through the ERP.
Restrict User Permissions
If you don’t have an ERP system, then you may have to try and control data access through server user policies or permissions. Files will need some form of versioning control. However, this control should be foolproof. Some companies will rely on an enterprise document management (EDM) system to achieve this instead of a full ERP system.
No matter what solution to data security and control you have, you’ll need to ensure no users will be able to gain access to financial records when they shouldn’t. You may wish to create test users and check by interrogating the system. Ensure you document your findings.
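The siloing and verification described above can be exercised in code. The following is an added example, not code from the article or from any ERP product: a minimal role-based access control for financial records that keeps a version history and an append-only audit log, plus a test-user run that produces a pass/fail findings table of the kind you would document as audit evidence. The role names, user names, record name, and expected outcomes are all constructed for the illustration.

```python
"""Added example (not the article's or any vendor's code): role-based access
control for financial records with version history, an audit trail, and a
test-user run that yields documentable findings."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set

# Constructed policy following the article: management may only view,
# finance officers may create and modify, every other role has no access.
POLICY: Dict[str, Set[str]] = {
    "management": {"view"},
    "finance_officer": {"view", "create", "modify"},
}


@dataclass
class AuditEvent:
    timestamp: str
    user: str
    role: str
    action: str
    record: str
    allowed: bool


@dataclass
class FinancialStore:
    users: Dict[str, str]                                        # user -> role
    records: Dict[str, List[str]] = field(default_factory=dict)  # record -> versions
    audit_log: List[AuditEvent] = field(default_factory=list)

    def act(self, user: str, action: str, record: str, content: str = "") -> str:
        """Authorize against POLICY, log the decision (allowed or denied), then act."""
        role = self.users.get(user, "unknown")
        allowed = action in POLICY.get(role, set())
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user, role, action, record, allowed))
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not {action} {record}")
        if action == "view":
            return self.records[record][-1]
        if action == "create":
            if record in self.records:
                raise FileExistsError(record)
            self.records[record] = [content]
        elif action == "modify":
            self.records[record].append(content)  # every change kept as a new version
        return content


# Constructed test matrix: (test user, action, record, expected outcome).
TEST_CASES = [
    ("alice", "view", "Q3-ledger", True),     # management may read
    ("alice", "modify", "Q3-ledger", False),  # ... but not change
    ("bob", "modify", "Q3-ledger", True),     # finance officer may change
    ("carol", "view", "Q3-ledger", False),    # engineer has no financial access
    ("mallory", "view", "Q3-ledger", False),  # account unknown to the store
]


def run_access_test(store: FinancialStore) -> List[dict]:
    """Interrogate the control with test users; each finding records expected vs actual."""
    findings = []
    for user, action, record, expected in TEST_CASES:
        try:
            store.act(user, action, record, content=f"edit by {user}")
            actual = True
        except PermissionError:
            actual = False
        findings.append({"user": user, "action": action, "record": record,
                         "expected": expected, "actual": actual,
                         "pass": expected == actual})
    return findings


def build_demo_store() -> FinancialStore:
    """Constructed users and one record created by a finance officer."""
    store = FinancialStore(users={"alice": "management",
                                  "bob": "finance_officer",
                                  "carol": "engineer"})
    store.act("bob", "create", "Q3-ledger", "revenue=100")
    return store


if __name__ == "__main__":
    demo = build_demo_store()
    for finding in run_access_test(demo):
        print(finding)
    denied = sum(1 for e in demo.audit_log if not e.allowed)
    print(f"{len(demo.audit_log)} audit events ({denied} denied), "
          f"{len(demo.records['Q3-ledger'])} versions of Q3-ledger")
```

The findings table and the audit log together are the documentation the text asks for: one shows the expected behaviour was verified, the other shows that denied attempts are recorded rather than silently dropped.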
2. Demonstrate a Resilient Cybersecurity Framework
You must demonstrate that your organization has a resilient cybersecurity framework. Most organizations consider this in relation to the Committee of Sponsoring Organizations (COSO) framework. If you’ve implemented COSO, its routine assessments should satisfy this requirement. In any case, you should implement suitable cybersecurity measures.
COSO helps assess and highlight both internal and external risks to a company. It works on a top-down approach, so a business can quickly align its risk policies and governance. The COSO framework is an iterative, self-regulating governance model: assessment is conducted routinely to ensure new risks aren’t overlooked, the findings are reported back to management, and the company then makes changes to reduce or mitigate the risk.
Implement the COSO framework if you can. It makes it easier to keep track of all risks and their control activities. This will also help you with SOX compliance.
3. Change Management
During the audit, you must prove that your change and versioning control system works for financial documentation. Often, you could do this by implementing an ERP or PLM system.
All staff must be familiar with the SOX compliance standard. Additionally, they should know the controls the company uses to meet it. Mainly, this helps each individual understand how the change management and versioning control processes should work. It also helps ensure individuals use the defined process instead of side-stepping it. Even with good intentions, employees who neglect the requirements cause harm: it leads to bad data entry practices with no rationale recorded.
No system is 100% foolproof. But you can provide a software solution with adequate governance documentation. You could also include training. Eventually, this helps reduce your risk of non-compliance.
After the training, you could also test your employees. Then, use these test results as proof of your SOX compliance.
4. Demonstrate Data Backup Protocols
You must implement industry best practices for data backups. This will ensure you can restore your data should failure occur. Clearly, you can back up your system in many different ways. But regardless of your methods, you should ensure it works properly. If your data backups don’t work when needed, then the business will fail. This will also cause problems for shareholders.
You need to demonstrate your backup solution works to attain SOX compliance. To do this, replicate your production environment on your test system. Then, restore a recent backup. Ensure you document the process and provide evidence that it works.
You may also have to show auditors the process. To this end, roll back the test system. Then, use the documentation to repeat the process if you need to.
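The restore test described in the last three paragraphs can be scripted so that it is repeatable and leaves a report behind. The following is an added example, not code from the article or any backup product: it backs up a directory into a tar archive together with a SHA-256 manifest taken at backup time, restores the archive into a clean location, and compares every restored file against the manifest. It also runs the same verification against a deliberately corrupted restore to show that a missing or altered file is detected rather than reported as a success. The directory layout and file contents are constructed for the demonstration.

```python
"""Added example (not the article's own): backup, restore, and verify a
directory of financial records, producing a restore-test report."""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_for(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Write a tar.gz of source plus a manifest file; return the manifest."""
    manifest = manifest_for(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_against_manifest(manifest: Dict[str, str], root: Path) -> dict:
    """Compare the files under root with the backup-time manifest."""
    restored = manifest_for(root)
    missing = sorted(set(manifest) - set(restored))
    unexpected = sorted(set(restored) - set(manifest))
    mismatched = sorted(rel for rel in manifest
                        if rel in restored and restored[rel] != manifest[rel])
    return {
        "tested_at": datetime.now(timezone.utc).isoformat(),
        "files_expected": len(manifest),
        "files_restored": len(restored),
        "missing": missing,
        "unexpected": unexpected,
        "mismatched": mismatched,
        "passed": not (missing or unexpected or mismatched),
    }


def restore_and_verify(archive: Path, manifest: Dict[str, str], restore_dir: Path) -> dict:
    """Restore the archive into restore_dir, then verify it against the manifest."""
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):  # safer extraction where Python provides it
            tar.extractall(restore_dir, filter="data")
        else:
            tar.extractall(restore_dir)
    return verify_against_manifest(manifest, restore_dir)


def run_restore_test() -> Dict[str, dict]:
    """End-to-end run on constructed data: a clean restore and a tampered one."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "finance"
        (source / "2023").mkdir(parents=True)
        (source / "2023" / "ledger.csv").write_text("account,amount\n1000,250.00\n")  # constructed
        (source / "policies.txt").write_text("retain records 7 years\n")            # constructed
        archive = tmp / "finance-backup.tar.gz"
        manifest = make_backup(source, archive)

        clean = restore_and_verify(archive, manifest, tmp / "restore-clean")

        tampered_dir = tmp / "restore-tampered"
        restore_and_verify(archive, manifest, tampered_dir)
        # Simulate what a broken restore would look like: one file altered, one lost.
        (tampered_dir / "2023" / "ledger.csv").write_text("account,amount\n1000,2500.00\n")
        (tampered_dir / "policies.txt").unlink()
        tampered = verify_against_manifest(manifest, tampered_dir)
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(run_restore_test(), indent=2))
```

Keeping the manifest next to the archive means the same check can be rerun on the test system each time you roll it back and repeat the procedure for auditors, and the JSON report dated by `tested_at` is the evidence that the restore worked on that occasion.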
And that’s it! You know the governance methods to prepare for a SOX compliance audit. To sum up, here are a few tricks you should keep in mind.
- Use data management software that provides logs, alerts, trends, and reports for the audit.
- Check you have email archives as part of your data auditing.
- Ensure you can restore your backups and document the process periodically.
- Implement data loss prevention software to stop data leaks outside the company.
- Ensure you have evidence that your system has fulfilled all audit requirements for at least 90 days prior to the audit.
What Are the Benefits of SOX Compliance?
If you can successfully comply with SOX, you’ll build trust with shareholders and new investors. Investors aren’t traders, so they’ll scour the market for underpriced investment gems. For example, China is currently losing a lot of foreign investment in its companies. Why? The country doesn’t provide transparent financial records, causing many investors to go elsewhere. Likewise, if your business can’t inspire trust, it’ll become uninvestable. This will stunt growth and give competitors an advantage.
But that’s not all. SOX compliance will also provide internal benefits. For example, it’ll help with your company’s growth due to winning investor trust. SOX compliance also stops management from reporting false performance. This can help workers below management feel safer in their jobs. They’ll know their business is working as it should. It also helps workers to feel more secure through proper training regarding cyber-attacks. They won’t accidentally damage the company.
Finally, to help you reach SOX compliance, I’ve also compiled this handy list of questions. This will help you know whether or not you’re compliant.
SOX Compliance Checklist
To help ensure you’re SOX compliant, take a look at this list of questions. Then, see if you can answer them effectively:
- Are you using a framework like COSO to highlight and manage your business’s risk and control measures?
- Do you have security policies that outline how to create, modify, and maintain accounting systems that manage financial data?
- Do you have safeguards to prevent data tampering?
- Can you detect data leaks?
- Do you have an incident response plan in the event of a security breach?
- Do you have a means of logging user access to financial data?
- Will SOX auditors have the access needed to do their job?
- Do you use data classification or security labels to make it easier to implement corporate policies for data handling?
In this article, we’ve discussed what SOX compliance is and explored useful measures you can take to make the process as hassle-free as possible. For the SOX compliance audit, ensure the software, user, and governance documentation is current.
Auditors will come onsite and see evidence of your processes working for themselves. Your job is to make this process pain-free for them so your business is given the green light.
In the end, remember that SOX aims to protect your financial records. As a result, SOX compliance will make investors more interested in your company. In turn, your employees will also improve their performance.
Do you have more questions about SOX compliance? Check out the FAQ and Resources sections below.
What is SOX?
The Sarbanes-Oxley (SOX) act is designed to “protect investors by improving the accuracy and reliability of corporate disclosures”. The SOX act makes all board members and officers of a public company liable for criminal prosecution if financial data is fraudulently altered. The act was created in 2002 after companies like Enron and Worldcom deceived investors.
How can I make SOX compliance as easy as possible?
If you don’t already use an enterprise resource planning (ERP) system, you may wish to start. These systems help manage data including versioning and change control. They enable companies to meet various audit needs. Even some single-person businesses use ERP solutions to enable them to win contracts in their marketplace.
How can COSO framework help SOX compliance?
The Committee of Sponsoring Organizations (COSO) framework is a top-down risk and control management standard used by businesses. It helps highlight missing control mechanisms that a business will need at different levels. Sarbanes-Oxley (SOX) compliance becomes easier through implementing the COSO framework. Most governance policies and documentation are already present and maintained.
How does SOX compliance help businesses?
Sarbanes-Oxley (SOX) compliance increases investors’ trust that your financial reporting is correct. It also proves your records are accurate, with no errors intentional or otherwise present in them. Apart from helping investors, SOX compliance also helps the business establish well-defined governance. It also ensures business management protects investors from investing based on false claims. This also upholds the company’s reputation.
When will a SOX audit take place?
The Sarbanes-Oxley (SOX) audit occurs once a year. Businesses need to show that they were compliant 90 days before the audit. To ensure your company doesn’t fail the audit, you’ll need to check that all your governance systems work. You should also see if these systems are well documented. Ensure you have evidence that due diligence has occurred to help auditors do their job.
TechGenix: Article on the COSO Framework
Learn what the COSO framework can offer your business.
TechGenix: Article on SOX-Compliant Firewalls
Discover how you can implement SOX-compliant firewalls.
TechGenix: Article on ISA Firewalls for SOX Compliance
Find out why administrators are using ISA firewalls to achieve SOX compliance.
TechGenix: Article on SOX Email Management
TechGenix: Article on Compliance Software
Learn about LepideAuditor Suite 16.0 and how it can help you track your SOX auditing journey.