SOX, or the Sarbanes-Oxley Act of 2002, imposes joint responsibility on auditors and management for the detection of fraud and external threats. It is designed to help protect investors and bolster trustworthiness of corporate financial statements by requiring stringent record keeping, audits and controls, as well as outlining requirements for IT regarding electronic records.
10%
increase in the number of hours required for SOX compliance 1
28%
of organizations use tools like automated controls testing 2
Who must comply with SOX?
- All publicly-traded companies in the United States, including all wholly-owned subsidiaries
- All publicly-traded non-U.S. companies doing in business in the United States
- Any private company that is preparing for their initial public offering (IPO)
How can SailPoint help you comply with SOX?
Our open cloud identity governance platform makes it easy for you to stay compliant by seeing and controlling access to all your apps and data for every user, including bots.
- 2. Protiviti, “2018 Sarbanes-Oxley Compliance Survey: Benchmarking SOX Costs, Hours and Controls,” 2018. https://www.protiviti.com/US-en/insights/sox-compliance-survey
What are the key SOX areas identity governance addresses?
This law requires public companies to strengthen audit committees, perform internal controls tests, include internal controls reporting with all financial reports and provide audit trails of all access and activity to sensitive business information.
Internal controls
- Process
- Policies
- Activities
Compliance and reporting
- Transparency
- Accuracy
Governance
- Accountability
- Responsibility
- Avoidance of conflict of interest
What if your organization doesn’t comply?
Penalties for failure to comply with SOX affect corporations and their corporate officers personally. Companies can be subject to lawsuits, fines, negative publicity and can even be subject to delisting. A corporate officer who does not comply or submits an inaccurate certification is subject to a fine up to $1 million and 10 years in prison, even if done mistakenly. If a wrong certification was submitted purposely, the fine can be up to $5 million and 20 years in prison.
