What is SOX compliance?
SOX compliance refers to compliance with the Sarbanes-Oxley Act (SOX), a U.S. federal law that was enacted in 2002 to protect investors and clients from fraudulent corporate practices. SOX compliance requirements ensure the accuracy of financial reports from companies, improve financial disclosures, and deter accounting errors and fraudulent practices in corporations. The Act was named after its bill sponsors, U.S. Senator Paul Sarbanes (D-MD) and U.S. Representative Michael G. Oxley (R-OH).
Companies are required to conduct SOX compliance audits on an annual basis. These are performed by authorized independent auditors.
As part of these audits, companies’ financial statements and internal controls are assessed. The chief executive officer (CEO) and the chief financial officer (CFO) are required to sign statements attesting to the accuracy of all information that is submitted.
Meeting SOX compliance requirements is not only a legal obligation but good business practice. All organizations should behave ethically and limit access to their financial data. SOX compliance has the added benefit of helping organizations to keep sensitive data safe from insider threats, cyberattacks, and security breaches.
The 11 Titles of SOX
The SOX Act comprises eleven titles. Sections under each title detail what is required for SOX compliance. Below is an index of the Act, with descriptions included for the sections that have the most impact on companies.
Title I Public Company Accounting Oversight Board
Title I establishes the Public Company Accounting Oversight Board and explains how it provides independent oversight of public accounting firms that offer audit services. It also creates a smaller oversight board that is responsible for registering auditors, defining the specific processes and procedures for compliance audits, inspecting and policing conduct and quality control, and enforcing compliance with the specific mandates of SOX.
Sec. 101. Establishment; administrative provisions
Sec. 102. Registration with the Board
Sec. 103. Auditing, quality control, and independence standards and rules
Sec. 104. Inspections of registered public accounting firms
Sec. 105. Investigations and disciplinary proceedings
Sec. 106. Foreign public accounting firms
Sec. 107. Commission oversight of the Board
Sec. 108. Accounting standards
Sec. 109. Funding
Title II Auditor Independence
Title II is where the standards for external auditor independence are set, with the goal of limiting conflicts of interest. It also provides direction for new auditor approval requirements, audit partner rotation, and auditor reporting requirements. Title II also creates a separation of duties for auditors by prohibiting the same firm from both conducting a company’s audit and providing it with non-audit services.
Sec. 201. Services outside the scope of practice of auditors
Sec. 202. Preapproval requirements
Sec. 203. Audit partner rotation
Sec. 204. Auditor reports to audit committees
Sec. 205. Conforming amendments
Sec. 206. Conflicts of interest
Sec. 207. Study of mandatory rotation of registered public accounting firms
Sec. 208. Commission authority
Sec. 209. Considerations by appropriate state regulatory authorities
Title III Corporate Responsibility
Title III defines the responsibilities of senior executives, specifically taking individual responsibility for the accuracy and completeness of corporate financial reports. It also details the interaction of external auditors and corporate audit committees, and specifies the responsibility of corporate officers for the accuracy and validity of corporate financial reports. This part of SOX legislation also defines the specific forfeitures of benefits and penalties for non-compliance.
Sec. 301. Public company audit committees
Sec. 302. Corporate responsibility for financial reports
Section 302 highlights include:
- Public companies must file financial reports with the SEC.
- CEOs and CFOs must certify that they have reviewed the report being submitted and that it “does not contain any untrue statements.”
- Signing officers must attest that internal controls are in place, and have been effective within 90 days leading up to the report, to ensure that any information provided by the company is accurate and accessible to auditors.
- Signing officers must certify that any “deficiencies” in the design or operation of these internal controls have been identified and communicated to the auditors.
- Auditors must be informed regarding any changes made to the internal controls after the report has been submitted.
Sec. 303. Improper influence on conduct of audits
Section 303 forbids “any action to fraudulently influence, coerce, manipulate, or mislead any independent public or certified accountant engaged in the performance of an audit of the financial statements of that issuer for the purpose of rendering such financial statements materially misleading.”
Sec. 304. Forfeiture of certain bonuses and profits
Sec. 305. Officer and director bars and penalties
Sec. 306. Insider trades during pension fund blackout periods
Sec. 307. Rules of professional responsibility for attorneys
Sec. 308. Fair funds for investors
Title IV Enhanced Financial Disclosures
Title IV explains the reporting SOX compliance requirements for financial transactions, including off-balance-sheet transactions, pro-forma figures, and stock transactions of corporate officers. It also specifies the required internal controls to validate the accuracy of financial reports and disclosures, and mandates both audits and reports on those controls.
Sec. 401. Disclosures in periodic reports
Section 401 reiterates that SOX compliance reports may not contain any misleading statements, untrue statements, or factual errors. It also sets forth the requirement that financial reports are prepared in accordance with generally accepted accounting principles (GAAP).
Sec. 402. Enhanced conflict of interest provisions
Sec. 403. Disclosures of transactions involving management and principal stockholders
Sec. 404. Management assessment of internal controls
Section 404 is widely considered to be the most complicated, difficult, and costly to implement:
- Directs management to establish an “adequate internal control structure and procedures for financial reporting.”
- Establishes that management is responsible for assessing the effectiveness of these controls and procedures during the most recent fiscal year.
- Requires that each registered public accounting firm that prepares or issues the audit report attest to, and report on, the assessment made by management.
Sec. 405. Exemption
Sec. 406. Code of ethics for senior financial officers
Sec. 407. Disclosure of audit committee financial expert
Sec. 408. Enhanced review of periodic disclosures by issuers
Sec. 409. Real time issuer disclosures
Section 409 stipulates that companies must immediately inform the public of any material changes in their financial condition or operations, including disclosure of data breaches or other forms of cyberattacks.
Title V Analyst Conflicts of Interest
Title V consists of only one section that is designed to help restore investor confidence in the reporting of securities analysts by defining the codes of conduct and requiring disclosure of knowable conflicts of interest.
Sec. 501. Treatment of securities analysts by registered securities associations and national securities exchanges
Title VI Commission Resources and Authority
Title VI defines practices to restore investor confidence in securities analysts. It also reinforces that the SEC has the authority to censure or bar securities professionals from practice.
Sec. 601. Authorization of appropriations
Sec. 602. Appearance and practice before the Commission
Sec. 603. Federal court authority to impose penny stock bars
Sec. 604. Qualifications of associated persons of brokers and dealers
Title VII Studies and Reports
Title VII specifies the requirements for the Comptroller General and the Securities and Exchange Commission (SEC) to perform various studies and report their findings.
Sec. 701. General Accounting Office (GAO) study and report regarding consolidation of public accounting firms
Sec. 702. Commission study and report regarding credit rating agencies
Sec. 703. Study and report on violators and violations
Sec. 704. Study of enforcement actions
Sec. 705. Study of investment banks
Title VIII Corporate and Criminal Fraud Accountability
Title VIII is also referred to as the “Corporate and Criminal Fraud Accountability Act of 2002.” It enumerates the criminal penalties for manipulation, destruction or alteration of financial records or other interference with investigations. It also provides some protections for whistleblowers.
Sec. 801. Short title
Sec. 802. Criminal penalties for altering documents
Section 802 states that whoever knowingly alters, destroys or falsifies records faces significant fines, imprisonment, or both. In addition, it stipulates that all audit or review workpapers must be retained for a period of five years after the audit, including both electronic and non-electronic records. Failing to do so can result in fines, imprisonment, or both.
Sec. 803. Debts nondischargeable if incurred in violation of securities fraud laws
Sec. 804. Statute of limitations for securities fraud
Sec. 805. Review of Federal Sentencing Guidelines for obstruction of justice and extensive criminal fraud
Sec. 806. Protection for employees of publicly traded companies who provide evidence of fraud
Section 806 focuses on whistleblowers. It specifies that SOX protects the employees and officers of a company who support an investigation, come forward with information, testify in an investigation, or cause information about a company’s financial fraud to be released. Employees are protected from losing their positions and from harassment, demotion, suspension, or any other discrimination. This section also outlines the compensation available for violations of these protections.
Sec. 807. Criminal penalties for defrauding shareholders of publicly traded companies
Title IX White Collar Crime Penalty Enhancement
Title IX is also called the “White Collar Crime Penalty Enhancement Act of 2002.” It lays out the increased criminal penalties associated with white-collar crimes and conspiracies, along with recommendations for extended sentencing. This title also makes failure to certify corporate financial reports a criminal offense.
Sec. 901. Short title
Sec. 902. Attempts and conspiracies to commit criminal fraud offenses
Section 902 states that “any person who attempts or conspires to commit any offense under this chapter shall be subject to the same penalties as those prescribed for the offense.”
Sec. 903. Criminal penalties for mail and wire fraud
Sec. 904. Criminal penalties for violations of the Employee Retirement Income Security Act of 1974
Sec. 905. Amendment to sentencing guidelines relating to certain white-collar offenses
Sec. 906. Corporate responsibility for financial reports
Section 906 also covers criminal penalties, including fines and imprisonment, for employees who submit false or misleading reports in violation of SOX. Individuals who can be held responsible include contractors, employees, agents, and executives.
Title X Corporate Tax Returns
Title X consists of one section. Section 1001 states that the chief executive officer must sign the company’s tax return.
Sec. 1001. Sense of the Senate regarding the signing of corporate tax returns by chief executive officers
Title XI Corporate Fraud Accountability
Title XI consists of seven sections. Section 1101 names this title the “Corporate Fraud Accountability Act of 2002.” The title identifies corporate fraud and records tampering as criminal offenses and attaches specific penalties to those offenses. It also revises sentencing guidelines and strengthens their penalties.
The title also enables the SEC to temporarily freeze transactions or payments that have been deemed “large” or “unusual,” and it created the crime of obstructing an official proceeding.
Sec. 1101. Short title
Sec. 1102. Tampering with a record or otherwise impeding an official proceeding
Sec. 1103. Temporary freeze authority for the Securities and Exchange Commission
Sec. 1104. Amendment to the Federal Sentencing Guidelines
Sec. 1105. Authority of the Commission to prohibit persons from serving as officers or directors
Sec. 1106. Increased criminal penalties under Securities Exchange Act of 1934
Sec. 1107. Retaliation against informants
Section 1107 strengthens protections for whistleblowers, establishing federal criminal penalties of fines or up to ten years’ imprisonment for any retaliation against an informant.
A brief history of SOX
After a wave of fraudulent activities by large corporations around the turn of the 21st century, government regulators succumbed to pressure to protect shareholders. SOX was born out of a drive to close accounting loopholes and eliminate poor financial reporting that resulted in corporate failures that cost investors billions of dollars and impacted public confidence in U.S. securities markets.
The bill passed overwhelmingly in both the House of Representatives and the Senate (approved in the House by a vote of 423 in favor, 3 opposed, and 8 abstaining, and in the Senate by a vote of 99 in favor and 1 abstaining). When he signed SOX into law, President George W. Bush said it was “the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt. The era of low standards and false profits is over; no boardroom in America is above or beyond the law.”
Harvey Pitt, the 26th chairman of the SEC, led the adoption of the SOX compliance rules. He created the Public Company Accounting Oversight Board (PCAOB), to enforce SOX requirements. PCAOB oversees, regulates, inspects, and disciplines accounting firms in their roles as auditors of public companies.
Why the enterprise needs SOX compliance
Meeting SOX compliance requirements does more than meet a legal obligation; following the rules set forth in SOX is good business practice. SOX provides a framework to help companies behave ethically and protect their financial and other sensitive data. Other ways that SOX compliance helps enterprises include the following.
Control structure strengthening
When adhering to SOX compliance requirements for documentation of controls, including operations manuals, personnel policies, and recorded control processes, enterprises see improvements in productivity. This is because many organizations find significant deficiencies in their documentation. Bringing it up to the higher level required by SOX compliance corrects errors and omissions, which benefits overall operations.
In most public companies, SOX compliance falls under the purview of the audit committee or executive management, who are also the executive sponsors for SOX compliance efforts. Because of the broad view of risk management and reporting that this group must take for SOX compliance, they bring the weight of their positions to push for improvements in processes that raise the organization’s audit readiness. In this way, SOX compliance drives more effective and efficient processes, which in turn streamline audits and reduce the time and cost to complete them.
Improved financial reporting
The increased minimum standards for financial reporting required for SOX compliance deliver results beyond passing audits. Because detailed internal controls must provide evidence that control activities are in place for every relevant financial reporting assertion across all significant accounts and disclosures, significant gaps are identified and remediated.
Post-SOX, companies have seen more efficient, more reliable financial reporting, meaning that less time is required to gather data and make corrections.
SOX compliance requirements help organizations determine which systems to focus on by directing risk assessments that clarify risk exposure and existing controls. Efforts can be more focused once systems that do not need to be SOX compliant are removed from scope. Since SOX requirements are, in many cases, more stringent than corporate rules, complying with the mandates produces a strong security posture.
SOX compliance helps companies by driving process efficiencies beyond finance. Companies that must adhere to SOX compliance requirements see improved documentation, optimized business and IT processes, and minimized audit costs.
Who must comply with SOX
SOX compliance has a broad reach, but private companies, charities, and non-profits generally do not need to comply with all of SOX. Entities that are required to adhere to SOX requirements include:
- Publicly-traded companies
- Wholly-owned subsidiaries
- Foreign companies that publicly trade and conduct business in the US
- Private companies planning their Initial Public Offering (IPO)
- Accounting firms auditing public companies
Benefits of SOX compliance
- Better security
Requirements for risk reduction and data protection have improved overall security at companies that require SOX compliance.
- Enhanced internal controls
SOX compliance provides companies with a baseline for understanding the internal control standards that safeguard their data and protect their businesses.
- Eradication of accounting conflicts of interest
SOX dictates that the firm that handles audits cannot be the same as that which takes care of accounting work.
- Improved risk management
Compliance with SOX enables processes that keep companies focused on high-risk priorities and the most appropriate company controls to remediate them, including integration of IT and security across siloed departments.
- Minimization of human error through process automation
Automated controls replace error-prone manual processes, significantly minimizing errors, increasing efficiency, and reducing the need for controls testing.
- Predictable financials
Controls, testing, automation, and operational efficiencies have improved visibility and made it easier for companies to predict their financials.
- Reduced accounting complexity
Rather than using diverse accounting practices, companies move to a centralized system and follow best practices to simplify processes and allow them to conduct audits quicker with fewer errors.
- Smoother operations
Improvements to documentation provide clarity in job descriptions and exact definitions of who is responsible for covering which business processes, which streamlines onboarding and helps employees better understand operations and how they are accomplished.
- Standardized processes
Because standardized processes are easier and quicker to evaluate as part of a SOX compliance audit, many companies have standardized processes across all systems, which has helped them save time and excel at audits.
- Streamlined audits
SOX compliance provides internal audit teams with more specific responsibilities for SOX reporting, data documentation, and SOX testing.
SOX compliance challenges
- Complying with SOX means an added financial burden that is not directly related to business outcomes.
- Designing and deploying an internal control framework for SOX compliance can be complex and put a strain on enterprise resources.
- Establishing new internal controls, constructing processes for financial information, and confirming the accuracy of reports to meet SOX compliance criteria is burdensome.
- Hiring new employees and contractors to support SOX compliance processes is time consuming and expensive.
- Implementing controls for nonrecurring or significant transactions, evaluation of existing controls, and responding to significant deficiencies and material weaknesses is difficult.
- Increased audit work and accounting firm fees raise costs.
- Segregating accounting duties often requires new team members.
SOX compliance requirements
At a high level, SOX compliance requirements can be summarized in a four-step process:
- Provide the SEC with financial statements that have been audited by a third party, which cannot be the same firm that handles accounting.
- Report material changes to the public in a timely manner as defined in SOX compliance requirements.
- Design, implement, and test internal controls across IT systems to ensure the security of financial data.
- Create an annual statement that reports on internal controls and their adequacy, which executive management affirms and a third party audits.
SOX compliance audits
Four key items comprise SOX compliance audits: access control, change management, data backup, and IT security.
Organizations must have controls in place to ensure that sensitive information can only be accessed and viewed by authorized users. Access controls must cover physical access (e.g., doors, file drawers) and electronic access (e.g., login credentials).
Defined processes must be in place for adding and removing users, content, and devices, as well as for installing and updating software. An audit trail of who made the change, what was changed, and when the change was made must also be recorded and saved.
Systems must be in place to ensure that all financial records and other sensitive data are backed up, onsite and offsite, using appropriate storage systems.
Companies must validate that they know exactly who has access to what data and resources. In addition, they must demonstrate that they have the appropriate tools to protect data and prevent data breaches.
SOX compliance implementation
From an IT perspective, the following controls must be in place to enable SOX compliance:
- Access control
- Backup systems
- Change management
- Security and cybersecurity
- Segregation of duties
In addition, these activities must also be monitored, logged, and audited:
- Account activity
- Database activity
- Information access
- Internal activity
- Login activity
- Network activity
- User activity
Key steps for implementing SOX compliance
SOX compliance implementation can be accomplished efficiently and effectively by following these steps.
Establish a compliance committee.
- Mandatory members include the CEO, CFO, and major business unit heads.
- Recommended members include functional area executives (e.g., finance, IT, legal, human resources).
- Identify the types and scope of risks in the Board’s risk guidelines.
- Assess the enterprise-wide risks within the organization, including:
  - Financial risks
  - Human capital risks
  - Legal and regulatory risks
  - Operational risks
  - Strategic risks
  - Technological risks
- Quantify each risk (i.e., likelihood, scope, potential impact).
- Document the risk landscape to identify interrelationships.
- Develop a risk management plan.
Establish guidelines for controls.
- Define decision rules and reporting objectives to address risks.
- Set objectives for internal control in the following areas:
  - Business services
  - Systems and resources
Develop an implementation plan.
- Articulate steps to transition from the project / planning stage to production stage to support ongoing, day-to-day operations.
- Ensure that employees have what they need to execute internal controls.
- Identify factors that affect the proper execution of internal control methods.
Communicate the ongoing procedures.
- Explain the why behind them.
- Ensure that they are clearly defined.
- Identify subject matter experts to address questions.
- Deliver the education and resources that employees need to support SOX compliance.
- Leverage internal and external components.
Document risk management processes.
- Develop documentation for all controls.
- Provide resources for why controls were adopted.
- Write detailed descriptions and analysis of controls for future audits.
Conduct evaluations continuously.
- Ensure that controls are operating as intended.
- Implement systems to detect issues early.
- Make updates as needed to maintain SOX compliance.
Do countries other than the US have SOX compliance requirements?
After the passage of SOX, its principles were codified into law in several countries, including the following.
- Canada (2002)
- Germany (2002)
- Netherlands (2004)
- Turkey (2002)
- Israel (2006)
- South Africa (2002)
- France (2003)
- Australia (2004)
- India (2015)
- United Kingdom
SOX compliance checklist
Following are recommendations for a basic SOX compliance checklist with questions that cover key systems and processes. Each organization has its own unique requirements, but this will help teams orient around several important areas, and identify adjacent ones, by considering the questions as they apply.
Data backup
- Are documentation and policies in place to govern backing up systems?
- Are restoration capabilities tested on a regular basis?
- What validation systems are in place to demonstrate that backups are accurate and tamper-proof?
Data access control
- Are unique login credentials with strong passwords required?
- Are users able to share credentials?
- Can sessions on the network be traced to individual users?
- What is the process for updating access privileges when a user changes roles or leaves the organization?
- What technologies have been implemented to track logins and detect suspicious login attempts to systems used for financial data?
- Who has access to sensitive financial data?
Reporting for financial and business records
- Are systems in place to record and apply timestamps to activities related to data that is relevant to SOX compliance?
- Can logs be searched and filtered to create custom reports?
- Where are those logs kept, and do they have controls to prevent tampering?
- Do existing systems allow data to be retrieved from across myriad repositories, including files, file transfer protocol (FTP), and databases?
- Are records kept about who accessed or modified the data?
Security breach responses
- Are security systems in place to monitor and analyze data, identify signs of a security breach, send alerts, and automatically send updates to an incident management system?
- Is there an incident plan in place with a team ready to implement it?
- How are cyberattacks (e.g., phishing, ransomware) managed?
- Is there a plan to disclose security breaches and failure of security controls to auditors?
- What systems are in place to log security breaches and enable staff to record how those incidents were resolved?
- What are the processes for escalating incidents?
Segregation of duties
- Are employees’ roles clearly defined and do they understand the parameters?
- Are protocols in place to ensure appropriate separation of duties (e.g., a user cannot both submit and approve an invoice)?
- Are systems in place to prevent and detect fraud (e.g., embezzlement)?
- Does the organization abide by the principle of least privilege?
- If data is stored in the cloud, does the service level meet SOX compliance requirements?
- Is there a data management plan that provides direction for data retention, protection, access, and destruction?
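Two of the checklist questions above lend themselves to automation: the segregation-of-duties test (a user who both submits and approves an invoice) and the question of whether stored logs have controls to prevent tampering. The following is an added example, not code from the original article or from SailPoint; it runs both checks over a constructed audit log, and all user names, invoice ids, timestamps and field names are made up.

```python
"""Segregation-of-duties and tamper-evident audit trail checks.

Added example, not code from the original article. It automates two of
the checklist questions over a constructed audit log:
  * flag invoices that the same user both submitted and approved;
  * store audit records in a SHA-256 hash chain so that a later edit,
    deletion or truncation of the stored log is detectable.
All user names, invoice ids, timestamps and field names are made up.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # fixed "previous hash" for the first entry of an empty log

# Constructed audit-trail records: who did what, to which record, and when.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:12:00Z", "user": "alice", "action": "submit_invoice", "invoice": "INV-1001"},
    {"ts": "2024-03-01T10:05:00Z", "user": "bob", "action": "approve_invoice", "invoice": "INV-1001"},
    {"ts": "2024-03-02T08:40:00Z", "user": "carol", "action": "submit_invoice", "invoice": "INV-1002"},
    {"ts": "2024-03-02T08:41:00Z", "user": "carol", "action": "approve_invoice", "invoice": "INV-1002"},
    {"ts": "2024-03-03T14:00:00Z", "user": "dave", "action": "submit_invoice", "invoice": "INV-1003"},
]


def find_sod_violations(events):
    """Return the sorted invoice ids where one user both submitted and approved.

    Approval by a different user (INV-1001) and an invoice that is not yet
    approved (INV-1003) are not violations; only INV-1002 is flagged here.
    """
    submitters, approvers = {}, {}
    for e in events:
        if e["action"] == "submit_invoice":
            submitters.setdefault(e["invoice"], set()).add(e["user"])
        elif e["action"] == "approve_invoice":
            approvers.setdefault(e["invoice"], set()).add(e["user"])
    return sorted(inv for inv, subs in submitters.items()
                  if subs & approvers.get(inv, set()))


def _digest(prev_hash, record):
    """Hash of the previous entry's hash plus a canonical JSON form of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def build_chain(events):
    """Wrap each record with the previous entry's hash and its own hash."""
    chain, prev = [], GENESIS
    for e in events:
        h = _digest(prev, e)
        chain.append({"record": dict(e), "prev": prev, "hash": h})
        prev = h
    return chain


def verify_chain(chain, expected_head=None):
    """Return -1 if the chain is intact, else the index of the first bad entry.

    If expected_head (the latest hash, kept where the log writer cannot
    modify it) is supplied, a truncated chain is reported at index len(chain).
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or _digest(prev, entry["record"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chain)
    return -1


def with_record_changed(chain, index, field, value):
    """Deep copy of the chain with one stored record edited (simulated tampering)."""
    tampered = copy.deepcopy(chain)
    tampered[index]["record"][field] = value
    return tampered


if __name__ == "__main__":
    print("SoD violations:", find_sod_violations(SAMPLE_EVENTS))
    log = build_chain(SAMPLE_EVENTS)
    head = log[-1]["hash"]
    print("intact log verifies at:", verify_chain(log, head))
    print("edited entry detected at:", verify_chain(with_record_changed(log, 1, "user", "carol"), head))
    print("truncated log detected at:", verify_chain(log[:-1], head))
```

The chain only proves that nothing was altered after it was written; the latest hash still has to be stored somewhere the log writer cannot reach, or removal of the newest entries goes unnoticed.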
Verification of safeguards
- Are systems in place to provide daily updates to key stakeholders in the organization that all SOX compliance control measures are working properly?
- Can reports be provided to auditors and others in a way that they can only view them and not make changes?
- How are SOX compliance safeguards tested, verified, and disclosed to auditors?
- How are reports created that cover critical messages and alerts, the security incidents that occurred, and how they were handled?
SOX compliance solutions
There are many solutions available to support the enterprise in enabling SOX compliance. Types of SOX compliance solutions that are widely used include:
- Access management software
This is used to secure networks by limiting external access and managing inside users to prevent unauthorized internal access.
- Automated backup solution
In the event of a disaster or other cause of data loss, these solutions ensure that copies of applications and data are available.
- File transfer software
This is used to protect data transfers, including encryption to secure files in motion as well as enforcing rules related to what can be accessed and shared.
- Log management software
This tracks and records system and file access to provide an audit trail and alert administrators if any unusual activity is detected.
- SOX compliance software
These solutions scan for security threats and flag them, track data, and generate reports.
High stakes for failing to comply with SOX
The stakes for failing to meet SOX compliance requirements are high and come with personal liabilities for executives. A CEO or CFO who willfully submits inaccurate documentation during a SOX compliance audit can be imprisoned for up to 20 years, fined up to five million dollars, or both.
It is also important to note that ignorance is not bliss when it comes to SOX compliance. If incorrect information is submitted accidentally during a SOX compliance audit, a CEO or CFO can still be fined up to one million dollars and imprisoned for up to 10 years. Failure to meet SOX compliance requirements can also result in a company being delisted from stock exchanges.
SOX compliance demands the utmost attention. The enterprise must take the time to identify the systems needed to support the effort, invest in the proper implementation of systems and processes, and devote the necessary resources to maintain SOX compliance, including staying on top of changes to rules and supporting solutions.