Sarbanes-Oxley Act (SOX) Compliance Requirements
May 29, 2020
Many countries have specific regulations to help protect shareholders & investors in financial markets from the losses caused due to accounting errors and financial frauds concerning public companies.
The Sarbanes-Oxley Act or SOX is one such key regulation, governing the financial accounting practices & policies of public enterprises that are based and/or operating in the United States. SOX, also known as “Public Company Accounting Reform and Investor Protection Act” in US Senate, aims to protect stakeholders of securities markets, shareholders of corporations, buyers, and sellers of securities.
SOX mandates public companies to follow stringent controls & financial accounting framework to provision verifiable & traceable financial records for auditing. The law also obligates public companies to maintain all paper & electronic records for a minimum 5 years
Introduction of Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act of 2002 is a United States federal law for regulation of corporate governance and accountability across multiple aspects of corporate business practices and the securities market. SOX was legislated as a result of a series of corporate accounting scandals in the US that had resulted in huge losses in the financial markets and shaken the investor trust.
The stated goal of SOX is “to protect investors by improving the accuracy and reliability of corporate disclosures.”
Key Objectives of the Sarbanes-Oxley Act:
Following are the key goals of the SOX Act
1. Fairness to Shareholders
SOX changed the focus of corporate governance practices and compelled corporations to put more emphasis on complying with regulations focusing on shareholder fairness.
2. Fairness to Stakeholders
SOX requires corporate governance to take into consideration the interest of external stakeholders other than just the shareholders of the corporation.
3. Heightened Responsibilities for Director and Board
SOX heightened the responsibilities of the officers and directors of the corporation in carrying out their duties. It tremendously raised the stakes for liability as officers and directors.
4. Director and Officer Ethics
SOX requires corporations to have ethics codes or provisions that set the standard for governance in an organization.
5. Disclosure and Accountability
The most important aspect of the law is the increased disclosure requirements, the accountability of officers and directors for that disclosure, with liabilities in case of failures in corporate governance practice.
It is notable that though a majority of the SOX Act details out a framework for financial governance and accountability, sections of the act also identify and laydown the policies for data storage and information security.
Who Must Comply with SOX Regulations?
SOX obligates the following types of entities to fulfill the regulatory needs:
1. Publicly-traded companies in the US
2. Publicly-traded foreign companies operating in the US
3. Private companies preparing for IPO
4. Accounting firms that audit companies
SOX Compliance - Key Requirements for Businesses
The Sarbanes-Oxley Act lists down explicit requirements for businesses and obligates them to comply with stringent guidelines, as follows:
1. CEO & CFO To Take Responsibility of Financial Statements
SOX obligates CEO and CFO of the company for the accuracy, documentation, and submission of all financial records. It holds them personally accountable for any misrepresented data.
2. Set Up Internal Controls
The company must provide a description of its internal controls in an attempt to increase the confidence of the public in that organization while allowing them to gain an insight into the company's procedures. Any financial discrepancy in the records must be reported up the chain of management by the earliest to ensure transparency.
3. SOX Compliance Documentation
SOX obligates the organization to maintain detailed documentation for proving SOX Compliance. The documentation must be regularly updated to continuously monitor and measure the SOX compliance goals.
4. Formalize & Implement Data Security Policies
The company is responsible to implement the right data security policies that protect the data stored, utilized and transferred. As per data privacy laws, it is imperative for organization to ensure that there is no data leakage across its lifecycle.
5. Hire An Independent Audit Firm
The company is responsible for hiring an independent accounting firm to audit the accuracy of their financial reports. The financial reports are required to have a section dedicated to the auditors’ opinion on the accuracy of the figures presented in the reports.
Key Provisions of Sarbanes-Oxley Act (SOX)
SOX has several provisions but there are 4 key ones that you should focus on:
a.) Section 301 – Whistleblower Hotline
Requires companies to set up procedures for the confidential, anonymous submissions by employees with concerns regarding questionable accounting or auditing issues.
b.) Section 302 – CEO, CFO Certification
The management is required to evaluate the design and operational effectiveness of disclosure controls and procedures every quarter (disclosure controls include internal controls). The CEO and CFO sign a certification related to internal controls.
c.) Section 404 – Internal Controls
Requires organizations to test the efficiency of internal controls over financial reporting and the external auditors to audit internal controls, annually.
d.) Section 906 – Criminal Penalties
Imposes criminal penalties if the information certified by the CEO and CFO does not fairly represent the financial condition and results of the operations of the company.
Penalties under SOX Act:
Failure to comply with the SOX regulatory mandates can result in financial penalties of up to US$ 1 million and imprisonment of up to 10 years for the corporate officer, even if done mistakenly. Deliberate violation of the law can increase the penalties to up to US$ 5 million and imprisonment of up to 20 years!
The 5-Step Process to Attain SOX Compliance:
1. Discover Sensitive Data and Analyze Risks
Discover sensitive data and analyze internal and external risks that could pose a threat across the enterprise. Assessing the risks, discovering databases and sensitive data will help you analyze relevant risks and implement best safety measures.
2. Identify and Assess Vulnerabilities and Gaps
Assess the databases and servers you have discovered for vulnerabilities, misconfigurations, and security gaps, and remediate them. System software controls will allow identification and mitigation of security vulnerabilities and configuration flaws including periodic assessments and reviews of vulnerabilities and security gaps.
3. Control Access, Review and Validate User Rights
Established businesses need to implement access controls to prevent inappropriate and unauthorized use of their databases.
4. Monitor, Audit and Secure Usage Access
Controls are required to prevent and detect unauthorized transactions and to ensure timely reporting of security violations. Continuously audit and issue alerts on significant changes in financial data usage patterns to avert fraudulent activities.
5. Measure, Report, and Certify
The configuration and usage are to be measured and reported periodically to certify that they are within the best practice guidelines. Centralized monitoring of security and periodic audits help verify that controls are operating effectively.
Data Erasure: Hitting the SOX & Data Privacy Bulls Eye
Information security is a key underpinning of SOX regulation, knowing that the law places a huge onus on the organizations concerned to maintain the integrity of data for a minimum duration of 5 years and make it available for routine audits as per the book of law. But what happens to this financial data after the period of obligation is over? Considering that a majority of this financial data is highly sensitive and confidential, organizations have obligations to dispose of such unwanted but sensitive data in a way that they are compliant with the prevalent data protection regulations.
In addition, there could be plausible scenarios when organizations may find themselves at the intersection of SOX and data privacy obligations; for instance, the need for removing undocumented copies of financial audit reports from a legacy device when the primary custodian, for example a corporate officer such as CFO, transitions to a new device. Professional data erasure tools such as BitRaser can solve this problem through safe and certified wiping of the sensitive records, helping organizations meet SOX and data privacy obligations at once! BitRaser can permanently erase the sensitive data from hard drives, servers and mobile devices, and it generates reports and certificate of erasure to serve as tamper-proof audit trails for regulatory compliance.
SOX compliance is a paramount need for all public organizations based and/or operating in the United States. It lays down stringent requirements for businesses in the purview but at the same time could be a key differentiator in terms of winning the investor confidence. Exercising due diligence, implementing the right policy measures, & adopting a thorough practice are essentials to attain SOX compliance. And having the right tools and systematic assistance can bolster your efforts towards a fail-safe compliance with SOX and data privacy laws!
|US Department of Defense, DoD 5220.22-M (3 passes)|
|US Department of Defense, DoD 5200.22-M (ECE) (7 passes)|
|US Department of Defense, DoD 5200.28-STD (7 passes)|
|Russian Standard – GOST-R-50739-95 (2 passes)|
|B.Schneier’s algorithm (7 passes)|
|German Standard VSITR (7 passes)|
|Peter Gutmann (35 passes)|
|US Army AR 380-19 (3 passes)|
|North Atlantic Treaty Organization-NATO Standard (7 passes)|
|US Air Force AFSSI 5020 (3 passes)|
|Pfitzner algorithm (33 passes)|
|Canadian RCMP TSSIT OPS-II (4 passes)|
|British HMG IS5 (3 passes)|
|Pseudo-random & Zeroes (2 passes)|
|Random Random Zero (6 passes)|
|British HMG IS5 Baseline standard|
|NAVSO P-5239-26 (3 passes)|
|NCSG-TG-025 (3 passes)|
|5 Customized Algorithms & more|