SOX Compliance and Auditing - Everything You Need to Know

The goal of SOX legislation is to boost transparency in financial reporting by corporations, defending the public against fraudulent or misleading business practices.

The United States Congress passed the Sarbanes-Oxley Act (named for its authors, Maryland Sen. Paul Sarbanes and Ohio Rep. Michael Oxley — hereafter SOX) all the way back in 2002. Many big-name US companies, including Enron and WorldCom, faced corruption charges at the time. The SOX Act of 2002 created the PCAOB (Public Company Accounting Oversight Board), which required US public company auditors to be subject to independent, external oversight for the very first time.

The intention was, and remains, to minimize the adverse impact of corporate financial scandals on investors. SOX accomplishes this by mandating rigorous record-keeping and security for financial records, by making CEOs and CFOs personally responsible for the data appearing in a yearly audit, and by placing all covered companies under a single rule for compliance.

What is SOX Compliance?

Four key sections of the comprehensive SOX Act have significant implications from a compliance standpoint. The C-suite, legal staff and technology staff all need to be familiar with, and compliant with, these provisions.

Section 302: Corporate Responsibility for Financial Reports

This section covers the responsibility of CEOs and CFOs for all financial reporting. It establishes procedures that require them to accept personal liability for establishing and maintaining disclosure controls, and to identify any changes in internal controls between audits.

Section 401: Disclosures in Periodic Reports

This two-part section states that disclosures in public financial reports must be prepared in accordance with accounting standards, and that companies must keep reports of any off-balance-sheet disclosures to ensure that they are meeting the same standards.

Section 404: Management Assessment of Internal Controls

This requires management and auditors to report on the accuracy and adequacy of internal controls over financial reporting. Specifically, it states that companies must file an 8-K report on specific routine events, including changes in management or loss of a major client.

Section 802: Criminal Penalties for Altering Documents

This establishes penalties, ranging from fines to prison sentences, for any executives caught destroying, altering or falsifying electronic records. It establishes the retention period for financial records (“no less” than five years) and outlines the types of records that need to be kept.

What types of organizations must comply with SOX?

The provisions of SOX outlined above apply directly to the following entities:

  • All publicly traded companies in the United States;
  • Private companies preparing for their IPOs;
  • Publicly traded non-U.S. companies doing business in the U.S.; and
  • All wholly owned subsidiaries.

SOX was originally intended to halt corruption within larger corporate entities; however, many smaller companies and not-for-profits must also adopt the same rigorous standards in order to secure insurance, attract investors and mitigate risk. Small companies that provide services to publicly traded entities, for example, may be required by these customers to provide appropriate controls documentation under Form SAS-70.

SOX Compliance requirements

It is the company’s own responsibility to hire an independent auditor before the SOX auditing process begins. The involvement of an “independent” auditor, in all ways separate from the client company, ensures that the audit will be impartial. Careful research should be undertaken to select this auditor.

A meeting between the company’s management and the chosen auditing firm should discuss the specifics of the audit. Auditors will be authorized to interview staff; this can include verifying job descriptions and ensuring proper training protocols are in place for the security of financial data.

The most intensive part of a SOX audit, covered under section 404, encompasses four major categories of a company’s IT assets:

  • Access references the physical and electronic controls that prevent users without the proper credentials from having access to sensitive information: maintaining secure locations of servers and data centers, strong passwords as well as lockout screens;
  • Security involves ensuring that proper controls for computers, network hardware and other devices that financial data passes through are in place to prevent breaches;
  • Change management applies to the process for establishing new users and updating software, including the records kept of these processes and the audit trail — e.g., who made which changes when; and
  • Backup references an airtight system that possesses the capacity to restore sensitive data, including data from third parties or that which is kept offsite.

SOX Compliance checklist

All companies must consider their compliance footprint, regardless of size. Nine items in particular should be included within the scope of a SOX compliance checklist.

1. Safeguards to prevent data tampering (Section 302.2)

Implement an ERP system or GRC software to track user login access to all computers containing sensitive data and to detect break-in attempts against databases, storage, computers and websites.

2. Safeguards to establish timelines (Section 302.3)

Timestamp all data in real time through the implementation of an ERP system or GRC software. Data should be stored immediately at a remote location to prevent loss or alteration. Log information should also be moved to a secure location, with an encrypted MD5 checksum created to prevent tampering.

3. Verifiable controls to track data access (Section 302.4.B)

Implement an ERP system or GRC software that can receive data messages from a virtually unlimited number of sources. Data collection should be supported from file queues, FTP transfers and databases, independent of the control framework in use, such as COBIT or ISO/IEC 27000.

4. Ensure that safeguards are operational (Section 302.4.C)

Implement an ERP system or GRC software that can distribute reports via RSS and issue daily reports to e-mail addresses, so that the system can be verified to be up and running from any location.

5. Report the effectiveness of safeguards periodically (Section 302.4.D)

Implement an ERP system or GRC software that generates multiple types of reports, including reports on all messages, critical messages and alerts, and that uses a ticketing system to archive the security problems and activities that have occurred.

6. Detect security breaches (Section 302.5.A/B)

The ERP system or GRC software should perform semantic analysis of messages in real time and use correlation threads, counters, alerts and triggers that refine and reduce incoming messages into high-level alerts. These alerts should then generate tickets that list the security breach, send out e-mail, or update an incident management system.

7. Disclose security safeguards to SOX auditors (Section 404.A.1.1)

Provide auditors with access through role-based permissions in the ERP system or GRC software. Auditors may be granted complete access to specific reports and facilities without the ability to change these components or reconfigure the system.

8. Disclose security breaches to SOX auditors (Section 404.A.2)

Implement an ERP system or GRC software capable of detecting and logging security breaches, notifying security personnel in real time, and allowing the resolution of each security incident to be entered and stored. All input messages are continuously correlated to create tickets that record security breaches and other events.
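Checklist items 6 and 8 both describe the same mechanism: counters and a time window reduce a stream of raw log messages into high-level alerts, and each alert becomes a ticket that records the event and, later, its resolution. The following is an added example, not code from the article or from any ERP or GRC product, showing a rule-based version of that reduction. The log format, the two rules (five failed logins for one user within a minute, and an unapproved ledger change), the thresholds and the sample lines are all constructed for the example.

```python
"""Added example: a small log correlator that turns raw messages into tickets.

Constructed log format: ISO-8601 timestamp, event name, then key=value pairs.
Rules and thresholds are assumptions chosen for the demonstration, not values
from the article or from any product.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+)(?P<kv>(?: \w+=\S+)*)$")


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed-format log line; return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    fields["event"] = m.group("event")
    return fields


@dataclass
class Ticket:
    ticket_id: int
    rule: str
    subject: str
    first_seen: datetime
    last_seen: datetime
    count: int
    resolution: Optional[str] = None   # filled in when the incident is closed
    evidence: List[str] = field(default_factory=list)


class Correlator:
    """Sliding-window counters per subject; at most one open ticket per (rule, subject)."""

    def __init__(self, window: timedelta, threshold: int):
        self.window = window
        self.threshold = threshold
        self.failures: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.tickets: List[Ticket] = []
        self.open: Dict[str, Ticket] = {}

    def feed(self, line: str) -> Optional[Ticket]:
        """Consume one line; return the ticket it raised or updated, if any."""
        ev = parse_line(line)
        if ev is None:
            return None
        if ev["event"] == "auth.login" and ev.get("result") == "fail":
            user = ev.get("user", "?")
            q = self.failures[user]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > self.window:   # drop failures outside the window
                q.popleft()
            if len(q) >= self.threshold:
                return self._raise("repeated-login-failure", user, ev["ts"], len(q), line)
        if ev["event"] == "ledger.update" and ev.get("approved") == "no":
            return self._raise("unapproved-ledger-change", ev.get("user", "?"), ev["ts"], 1, line)
        return None

    def _raise(self, rule: str, subject: str, ts: datetime, count: int, line: str) -> Ticket:
        key = f"{rule}:{subject}"
        t = self.open.get(key)
        if t is None:                       # new incident: open a ticket
            t = Ticket(len(self.tickets) + 1, rule, subject, ts, ts, count)
            self.tickets.append(t)
            self.open[key] = t
        t.last_seen, t.count = ts, max(t.count, count)
        t.evidence.append(line.strip())     # keep the raw message as evidence
        return t

    def resolve(self, ticket_id: int, note: str) -> None:
        """Record the resolution and close the ticket so a recurrence opens a new one."""
        t = self.tickets[ticket_id - 1]
        t.resolution = note
        self.open.pop(f"{t.rule}:{t.subject}", None)


# Constructed sample messages for the demonstration.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z auth.login user=alice result=ok
2024-03-01T09:00:05Z auth.login user=bob result=fail
2024-03-01T09:00:09Z auth.login user=bob result=fail
2024-03-01T09:00:12Z auth.login user=bob result=fail
2024-03-01T09:00:14Z auth.login user=bob result=fail
2024-03-01T09:00:20Z auth.login user=bob result=fail
2024-03-01T09:10:00Z ledger.update user=carol entry=4711 approved=no
2024-03-01T09:20:00Z auth.login user=bob result=fail
"""


def run_sample() -> List[Ticket]:
    """Feed the sample log through the correlator and close the second ticket."""
    c = Correlator(window=timedelta(minutes=1), threshold=5)
    for line in SAMPLE_LOG.splitlines():
        c.feed(line)
    c.resolve(2, "change reverted; approval recorded after review")
    return c.tickets


if __name__ == "__main__":
    for t in run_sample():
        print(t.ticket_id, t.rule, t.subject, t.count, t.resolution)
```

Eight raw messages become two tickets: one for the burst of failed logins (the isolated failure at 09:20 falls outside the one-minute window and raises nothing), and one for the unapproved ledger change, which carries its resolution note. The evidence list on each ticket is what an auditor would ask to see alongside the high-level alert.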

9. Disclose failures of security safeguards to SOX auditors (Section 404.B)

Implement an ERP system or GRC software that periodically tests network and file integrity and verifies that messages are logged. The system should ideally interface with common security-testing software and port scanners to verify that IT security is being successfully monitored.
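Checklist item 2 asks for archived logs to carry a checksum that reveals tampering, and item 9 asks for periodic file-integrity tests. Both can be served by one tamper-evident manifest. The following is an added example written for this page, not code from the article or from any ERP or GRC product. It uses HMAC-SHA256 as the keyed checksum in place of the article's "encrypted MD5 checksum" (an assumption on my part: a keyed SHA-256 MAC whose key is stored away from the archive host gives the tamper evidence the item wants, whereas MD5 is no longer collision resistant). The file names, log contents and key are constructed for the demonstration.

```python
"""Added example: tamper-evident manifest for an archive of log files.

Assumptions (not from the article): HMAC-SHA256 replaces MD5; the key lives
somewhere the archive host cannot read, so anyone able to edit a log cannot
recompute its tag. The manifest's own tag covers the file list and the
creation time, so removing an entry or back-dating the manifest is detected.
"""
import hashlib
import hmac
import json
import os
import tempfile
import time


def sign_file(path: str, key: bytes) -> str:
    """Hex HMAC-SHA256 over a file's bytes, read in chunks so large logs fit in memory."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def _manifest_tag(manifest: dict, key: bytes) -> str:
    """Tag over the sorted (name, tag) pairs plus the creation timestamp."""
    body = json.dumps({"created": manifest["created"], "files": manifest["files"]},
                      sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(archive_dir: str, key: bytes) -> dict:
    """Tag every regular file in the archive and timestamp the manifest."""
    entries = {}
    for name in sorted(os.listdir(archive_dir)):
        full = os.path.join(archive_dir, name)
        if os.path.isfile(full):
            entries[name] = sign_file(full, key)
    manifest = {"created": int(time.time()), "files": entries}
    manifest["manifest_tag"] = _manifest_tag(manifest, key)
    return manifest


def verify_manifest(archive_dir: str, manifest: dict, key: bytes) -> dict:
    """Periodic integrity check. Returns findings: modified, missing, unlisted files,
    and manifest_tampered when the manifest itself fails its own tag."""
    findings = {"modified": [], "missing": [], "unlisted": [], "manifest_tampered": False}
    expected = manifest.get("manifest_tag", "")
    if not hmac.compare_digest(_manifest_tag(manifest, key), expected):
        findings["manifest_tampered"] = True   # the list itself cannot be trusted
        return findings
    present = {n for n in os.listdir(archive_dir)
               if os.path.isfile(os.path.join(archive_dir, n))}
    for name, tag in manifest["files"].items():
        if name not in present:
            findings["missing"].append(name)
            continue
        actual = sign_file(os.path.join(archive_dir, name), key)
        if not hmac.compare_digest(actual, tag):
            findings["modified"].append(name)
    findings["unlisted"] = sorted(present - set(manifest["files"]))
    return findings


def demo() -> dict:
    """Constructed scenario: archive two logs, then edit one, add a stray file,
    and finally back-date the manifest. Returns the findings of each check."""
    key = b"constructed-demo-key-store-this-off-the-archive-host"
    archive = tempfile.mkdtemp()
    with open(os.path.join(archive, "app-2024-01-01.log"), "w") as fh:
        fh.write("2024-01-01T00:00:01Z login user=alice result=ok\n")
    with open(os.path.join(archive, "db-2024-01-01.log"), "w") as fh:
        fh.write("2024-01-01T00:00:02Z query table=ledger rows=12\n")
    manifest = build_manifest(archive, key)
    clean = verify_manifest(archive, manifest, key)

    # After-the-fact edit of the ledger log plus an unexpected extra file.
    with open(os.path.join(archive, "db-2024-01-01.log"), "a") as fh:
        fh.write("2024-01-01T00:00:03Z query table=ledger rows=0\n")
    with open(os.path.join(archive, "stray.log"), "w") as fh:
        fh.write("not in the manifest\n")
    tampered = verify_manifest(archive, manifest, key)

    # Back-dating the manifest without the key breaks its own tag.
    backdated = dict(manifest, created=manifest["created"] - 86400)
    manifest_edit = verify_manifest(archive, backdated, key)
    return {"clean": clean, "tampered": tampered, "backdated": manifest_edit}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints three sets of findings: an empty set right after the manifest is built, then the edited ledger log and the stray file, and finally `manifest_tampered` when the manifest's timestamp is changed. Scheduling `verify_manifest` to run on the archive is the periodic file-integrity test item 9 describes; its findings are the messages a correlator or ticketing system would consume.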

What is a SOX Audit?

A SOX audit, undertaken by an independent external SOX auditor, reviews the company’s controls, policies and procedures as part of a Section 404 audit.

SOX requires companies to complete yearly audits and make those results readily available and accessible to stakeholders. The primary purpose of the SOX compliance audit is the verification of the company’s financial statements. Auditors compare past statements to the current year to ensure that all activity is satisfactory and in line with SOX compliance standards.

Leverage technology for SOX compliance audits

Companies can successfully enhance their SOX compliance framework through the implementation of a secure and reliable software program at all levels.

Software solutions to the problems of entity management, for compliance with SOX and other regulations, come in different shapes and sizes according to organizational needs. Large organizations are increasingly looking for cost-effective solutions to the dilemmas of entity management in an outsourced platform.

This includes, in particular, creating a single source of data truth. The data repository or vault is a single space, created by software and increasingly hosted in the cloud, that holds the corporate data and documents making up the operations of the many overlapping entities within a large organization. These data banks are organized to be easily searchable, and use group permissions to handle access and to track content creation and editing.

The features and functionality discussed above, plus much more, offer a number of elegant, effective and affordable solutions within Blueprint OneWorld’s entity management platform. We hope to be your organization’s entry point to Sarbanes-Oxley compliance, as well as the numerous other tasks of continuous entity management. Please call or email us today to discuss how our platform can serve you.