The passing of the Sarbanes-Oxley Act (SOX) in 2002 established rules to protect the public from fraudulent or predatory practices by corporations and other business entities. The act increased transparency in financial reporting by corporations, and established a system of internal corporate checks and balances.
SOX compliance is a legal obligation and, in general, just a smart business practice: to safeguard data, companies should already be limiting access to internal financial systems. By implementing SOX financial and cybersecurity controls as well, businesses can also reduce the risk of data theft from insider threats or cyberattacks.
This article will cover everything you need to know about SOX compliance, from a detailed look at SOX controls to how to prepare for and complete an audit.
Get the Free Essential Guide to US Data Protection Compliance and Regulations
Overview: History of SOX
SOX was enacted by the federal legislature in response to a string of financial scandals, highlighting the need for closer control over corporate financial reporting practices.
Senator Paul Sarbanes (D-MD) and Representative Michael G. Oxley (R-OH-4) wrote the bill in response to several high-profile corporate incidents in which a lack of financial reporting and transparency produced massive losses for investors, the public, and government agencies. In particular, the Enron, WorldCom, and Tyco scandals provided much of the impetus and necessity for a piece of legislation like SOX.
The stated goal of SOX is “to protect investors by improving the accuracy and reliability of corporate disclosures.” The bill established responsibilities for boards and officers of publicly-traded companies and set criminal penalties for failing to comply. The bill passed by overwhelming majorities in both the House and Senate, with only three members voting in opposition to SOX.
Who does SOX compliance apply to?
SOX applies to all publicly-traded companies in the U.S., in addition to any wholly-owned subsidiaries and foreign companies that are publicly traded and do business in the United States. SOX also regulates accounting firms that audit companies subject to SOX compliance.
Private companies, charities, and nonprofits are generally not required to comply with all SOX requirements. However, private organizations who knowingly destroy or falsify financial data can still be penalized under certain SOX language. Private companies planning an initial public offering should prepare to comply with SOX before they go public.
Here is a short list of entities that fall under the purview of SOX:
- Publicly-traded companies based in the U.S.
- International companies that have stocks or securities registered with the SEC
- Private companies in certain areas of financial reporting
- Accounting firms that audit companies for SOX
If your company falls under one of these categories, you are subject to meeting data security and controls requirements, as specified under SOX.
What are SOX controls?
SOX requirements for public companies include implementing internal controls for processes that impact financial reporting. The objective of SOX controls are to ensure accurate and reliable financial reporting, as well as data protection. It’s important to understand the scope of SOX controls within your organization, knowing where SOX ends and regular internal management controls begin.
Generally speaking, SOX requirements encompass both business controls and information technology (IT) controls. On the business side, SOX controls focus on the accuracy and security of data that feeds into financial reporting. In terms of technology, there are IT general controls and application controls. The goals for IT controls are to ensure all systems are accurate, complete, and error-free in ways that could potentially impact financial reporting.
SOX compliance requirements
CEOs and CFOs are directly responsible for the accuracy, documentation, and submission of all financial reports to the SEC, as well as the internal control structure. SOX also requires an internal control report that states management is responsible for an adequate internal control structure for their financial records. Any shortcomings must be reported up the chain as quickly as possible.
SOX mandates formal data security policies, communication of those policies, and consistent ongoing enforcement. Companies should develop and implement a comprehensive data security strategy that protects and secures all financial data stored and used during normal operations.
Finally, companies need to maintain and provide documentation proving compliance. Documentation should clearly show the organization is continuously monitoring and measuring SOX compliance objectives throughout the year.
Now that you’re familiar with SOX compliance from a conceptual standpoint, you’re ready to start preparing for specific steps and action items in our checklist.
SOX compliance checklist
SOX compliance is imperative in protecting your data and keeping the integrity of your financial transactions intact. The best way to ensure compliance is to follow a checklist heavily anchored on sections 302 and 404 of the act.
Below is a SOX checklist with practical measures you can take to guarantee the alignment of your business with compliance requirements.
1. Prevent data tampering.
Install software that can track suspicious logins and prevent breaches to business databases containing sensitive financial data. Ensuring your sensitive data isn’t accessed or altered is a cornerstone of SOX compliance. To that end, you should strongly consider implementing some form of data privacy protection software.
2. Document activity timelines.
Employ systems and software that can record timestamps of activities on all transactions and data related to SOX guidelines. Encrypt the recorded data in a secure location or database to avoid tampering. Activity documentation is critical to ensure that the correct information is easy to find during your SOX audit.
3. Install access tracking controls.
Implement software capable of receiving data and messages from all digital sources such as FTP, databases, and computer files. These controls should also be able to identify and track external entities breaching and attempting to tamper with your data. Detailed cybersecurity tracking and visualization tools, such as DatAdvantage, are extremely helpful in monitoring access controls on an ongoing basis.
4. Ensure defense systems are working.
Install multiple systems able to send reports to your auditor via email — or other means of communication — on a daily basis. Grant your auditors access to these systems for them to view relevant data without actually altering anything. Constantly assess whether your safeguarding software is in working condition by collaborating with your company’s IT department and SOX auditors.
5. Collect and analyze security system data.
You should also implement systems to test and validate that your security and compliance measures are effective year-round. Have systems and processes in place that collect data around breaches, security incidents, and suspicious activity. Use software to collect and report on system activity data so that your entire team — from executives down to IT staff — can address any SOX compliance issues proactively.
6. Implement security-breach-tracking.
Install detection software that can dissect and identify suspicious activities on all systems relevant to SOX compliance. This software should have the ability to detect, assess, and document threats in real-time, and send detailed reports to your incident management system to be addressed immediately.
7. Grant auditors defense system access.
Constant communication with your SOX auditors can go a long way. This best practice and the next two steps are aspects that every company that's succeeding in SOX compliance has in common. Your auditors should have access and limited control to all your safeguarding protocols, software, and systems so that they can diagnose and troubleshoot working issues, and identify improvement opportunities.
8. Disclose security incidents to auditors.
Install systems that can detect and document security breaches, as well as immediately alert your SOX auditor about the incident. This will mitigate the overlooking of threats and allow your auditors to address issues as soon as possible. Using a data classification engine, for instance, can help both determine what data to protect most and alert you to any breach or compromise.
9. Report technical difficulties to auditors.
Instruct your IT department to communicate to your auditors any technical difficulties identified in your security safeguards. Also, establishing systems capable of testing network functionality and file integrity — as well as documenting and disclosing security incidents to your auditors — is helpful in checking this box.
SOX compliance audits
SOX mandates that companies complete yearly audits and that they share the results with stakeholders as requested. To prevent any conflict of interest, companies hire independent auditors for these specific audits. SOX compliance should be treated as a year-round endeavor, continually preparing for the next audit.
The primary purpose of the SOX compliance audit is the verification of the company’s financial statements. Auditors compare past statements against the current year and determine if everything is in order. Auditors can also interview personnel and verify that compliance controls are sufficient to maintain SOX compliance standards.
Your SOX auditor will have access to all relevant security controls, and you should also be prepared to provide documentation about changes or improvements that you made to comply with SOX. Auditors will also look closely at financial reporting and filings to ensure accuracy and that there are no signs of malfeasance.
Preparing for a SOX compliance audit
Update your reporting and internal auditing systems so that when an auditor requests a report, you’re able to pull it and provide it quickly. Verify that your SOX compliance software systems are working as intended so there will be no surprises in reviewing those systems. Also, make sure to have cybersecurity and financial documentation organized and readily available prior to an audit.
SOX internal controls audit
Your SOX auditor will investigate four internal controls as part of the yearly audit. To be SOX compliant, it’s crucial to demonstrate your capability in these four key areas below:
Access
Access means both physical controls (doors, badges, locks on file cabinets, etc.) and electronic controls (login policies, least privileged access, and permissions audits). For example, you might place a biometric scanner on the entrance to a server room that houses critical data to ensure only authorized personnel can enter. Maintaining privileged access management with a least-privilege model (meaning each user only has the access necessary to do his or her job) is a requirement of SOX compliance.
Security
You also need to assess how your organization identifies sensitive data and safeguards against cyberattacks. You’ll need to monitor who is accessing data — and how — as well as detect and respond to security incidents. In the event of a breach or incident, you should be able to take corrective action in a timely and effective manner. The development of a cybersecurity incident response plan by management and executives often helps address security on a company-wide level for the purposes of SOX compliance.
Data backup
Next, evaluate how your company backs up data and key systems. Data backup is critical because it minimizes disruption and data loss in the event of a system-wide disaster. Both original systems and data center devices containing backups must be safeguarded and handled in a SOX-compliant fashion. You should also consider maintaining SOX-compliant offsite backups of all of your financial records.
Change management
Have defined processes in place to add and maintain users, install new software, and make any changes to databases or applications that manage your company's financials. Anytime you add new employees, computing infrastructure, or software, changes must be recorded and monitored for potential resulting abnormalities.
Benefits of compliance software for a SOX audit
One of the best tactics you can deploy to ensure SOX compliance is implementing compliance software. A few areas and situations in which compliance software can be helpful:
- Information security: By implementing a data-centric software security platform, you’ll improve visibility into all SOX compliance activities while improving your overall cybersecurity posture.
- Permission tracking: Modern data security platforms can help you identify any glaring permission issues. This reduces the risk of insider threats or employees accessing data they shouldn’t.
- Data classification: This type of software helps automatically classify data based on sensitivity, risk profile, and other factors. You’ll be able to show auditors that your most critical data is safeguarded accordingly.
- Attack prevention: This software can proactively alert you to any suspicious activity, insider threats, or ransomware attacks, ensuring that when your audit rolls around, you’re well aware of any breaches or attacks ahead of time.
Five benefits of SOX compliance
1. Financial stewardship
SOX provides the framework needed for companies to be better stewards of their financial records, which in turn benefits many other aspects of the company. Much like ISO 27001 compliance, being in alignment with SOX promotes efficient and accurate financial reporting that fosters a higher level of financial caretaking in your organization.
2. Improved reporting
SOX-compliant companies report more predictable finances and easier access to capital markets. Whether producing reports for investors, auditors, or regulators, your reporting capabilities will be much improved with SOX.
3. Enhanced cybersecurity
By implementing SOX, companies are safer from cyberattacks and the expensive aftermath of a data breach. Data breaches are difficult to manage and remediate, and some companies never recover the damage done to their brand. The security controls that SOX requires will go a long way toward reducing the potential of a malicious hack or insider threat.
4. Better collaboration
SOX compliance builds a cohesive internal team and improves communication between departments involved with the audits. The benefits of a companywide program like SOX can have other tangible effects on the company, including improved cross-functional communication and cooperation.
5. Risk prioritization
While complying with SOX, you’ll embed a comprehensive risk management framework within your organization’s culture. Your business will benefit from corporatewide visibility and transparency in processes, coordination, and timely breach mitigation. You’ll know exactly which cyber risks to prioritize so you can deploy resources more efficiently.
Familiarize yourself with these organizations
As you’re embarking upon your SOX compliance journey, there are several related organizations and frameworks you might encounter along the way. Here are some concepts and groups you should be familiar with, in addition to SOX:
- PCAOB: The Public Company Accounting Oversight Board develops auditing standards, and trains auditors on best practices to perform a successful SOX audit.
- COSO: The Committee of Sponsoring Organizations updates their recommendations for internal controls to achieve SOX compliance. These recommendations inform the PCAOB auditing standards.
- COBIT: The Control Objectives for Information and Related Technology is another framework used to implement SOX compliance. Developed by ISACA, this is a comprehensive list of 34 best practices for IT security.
- ITGI: The Information Technology Governance Institute is another IT framework used to achieve SOX compliance. ITGI uses standards from both COBIT and COSO, but focuses on security instead of just focusing on general compliance.
SOX FAQ
Q: What are the SOX key controls?
A: SOX specifies four key aspects of controls: access, IT security, data backup, and change management. You’ll need to address all four of these areas in preparation for a SOX audit and ongoing compliance.
Q: Why did Congress pass SOX?
A: Accounting scandals at companies like Enron, WorldCom, and Arthur Andersen that resulted in billions of dollars in corporate and investor losses prompted the creation and passage of SOX. It’s a wide-reaching framework designed to prevent any such future scandals.
Q: What are SOX non-compliance penalties?
A: Lawsuits and negative publicity aside, individuals who don’t comply or who submit inaccurate reports are subject to fines of up to $1 million and 10 years in prison, even without malicious intent involved. Deliberate malfeasance can result in fines up to $5 million and 20 years in prison.
Closing thoughts
While SOX compliance can be quite an undertaking, it doesn’t necessarily have to be difficult. You should view SOX compliance as an opportunity to improve your financial reporting, cybersecurity, and access control capabilities. Implementing new strategies and technologies like identity access management or automated data governance enforcement for the purposes of SOX compliance also strengthens your company over the long haul.
Finally, you shouldn’t view SOX compliance as a “one and done” affair. Rather, it’s a year-round, ongoing effort of improving financial controls and cybersecurity. While SOX was designed to prevent criminal corruption and false financial data from being published, compliance also gives you better visibility and efficiency with financial reporting and cybersecurity.
What should I do now?
Below are three ways you can continue your journey to reduce data risk at your company:
Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.
See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.
Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.