Quick 10-Step SOX Compliance Checklist
November 11, 2021

What Is SOX Compliance?

The Sarbanes-Oxley Act of 2002, also known as SOX, is a series of legal requirements for organizations. The ultimate aim of SOX compliance is to stop misrepresentation or fraud in financial reporting. The SOX Act was created in reaction to multiple cases of serious financial misconduct, which occurred in the US in the late 20th century, and the resultant losses.

SOX compliance primarily applies to US public companies. In certain cases, non-profit organizations and private companies must also comply. This compliance also affects non-US companies that operate in the US. To remain compliant, every company needs to successfully go through a SOX compliance audit—a process that examines the company and its internal controls.

The SOX Act is made up of sections dealing with the corporate responsibility for management evaluation of internal control, financial reporting, and more. They are outlined in the complete text of the Sarbanes-Oxley Act.  


The information outlined in this article is intended solely for educational discussion and features only general information about commercial, legal, and other issues. It is in no way legal advice, and must not be approached as such. Information in this article may not be the most up-to-date legal or other information.

The information on this page is given “as is” without any warranties or representations, implied or express. We make no warranties or representations regarding the information on this page, and all liability with regard to actions carried out or not carried out based on the information in this article is therefore expressly disclaimed.

You cannot rely on the content of this article as a substitute for legal advice from your professional legal provider or attorney. If you have a question about a specific legal matter, you must consult a legal professional or attorney.

This article could feature links to third-party websites. These links are there only for the readers' and users' convenience. We do not endorse the information or content of any third-party websites.

Primary SOX Compliance Requirements

The SOX compliance requirements outlined here directly relate to the IT organization within companies that must comply with SOX regulations. These requirements will impact the information security strategy of your organization:

  • Section 302, Corporate Accountability for Financial Reports—public organizations must file reports outlining their financial circumstances to the Securities and Exchange Commission (SEC). SOX states that the CFO and CEO of the reporting company need to sign all reports and must take personal responsibility for their contents. CEOs/CFOs must confirm that:
    • Each report is accurate and truthful
    • Reports do not leave out essential information
    • They have established measures to make sure the above is true
    • They validated their internal controls within 90 days prior to report submission

Willful misrepresentation of financial reporting can result in fines and even jail time for the responsible corporate officers.

  • Section 404, Management Evaluation of Internal Controls—SOX makes corporate management responsible for establishing an internal control structure that is deemed “adequate”. Both external auditors and management must evaluate and report on the adequacy of the control structure and report any flaws.
  • Section 409, Real-Time Disclosures by Issuers—if there is a noticeable change to the financial situation of a company, or a change to the company’s capacity to operate, company officials must inform the general public and investors in a timely way.
  • Section 802, Criminal Sanctions for Altering Documents—if company officials or individuals responsible for changing financial documents or other material related to SEC administration make a false entry in, cover up, or conceal such a document, they are subject to imprisonment of up to 20 years or significant fines.
  • Section 906, Corporate Liability for Financial Reports—company officials that provide false or misleading financial reports may be fined up to $5 million and may be imprisoned for up to 20 years.

Do You Need a SOX Compliance Checklist?

Checklists are useful tools to ensure no important details get missed, particularly when you are handling a complex process like SOX compliance. You may need multiple checklists, and will likely need to drill down to finer points of detail. 

For many organizations, financial reporting demands are quite straightforward, and are probably activities that the company has been carrying out for many years. This may be true even if reporting was initially carried out as a private company, rather than a public company.

The main challenge generally involves compliance with Section 404 of the SOX Act: Management Evaluation of Internal Controls. While it is generally good practice for organizations to show strong internal controls, SOX also includes requirements for tests, documentation, and audits of IT and financial controls. This can burden staff from all affected departments.

You may wish to make a distinction between checklists evaluating your IT controls and those investigating your financial controls, as these will be different and will be handled by distinct teams.


10 Step SOX Compliance Checklist

To ensure compliance with the SOX Act, make sure you implement the following steps.

1. Analyse Your Development Ecosystem

Perform a full analysis of your ecosystem, including the production environment and any connected networks or components. This includes, but is not limited to, any storage, applications, commercial off-the-shelf software, and cloud components.

2. Assess Your Asset Usage

Assess who is using your assets and how. This will enable the fine-tuning of your SOX compliance policy and let you set usage limits and controls.

3. Establish SOX Controls

Create dynamic SOX audit and security controls based on the above assessments, focusing on sensitive data access. These controls must also be monitored regularly for effectiveness and completeness.

4. Establish SOX Compliance Policies

Design and implement internal policies for achieving SOX compliance, ensuring that all relevant staff and stakeholders are familiar with the policies. Ensure all parties are aware of any changes made to the policies.

5. Monitor Your Environment

Continuously monitor your environment and controls in real time to ensure users are adhering to policies. 

6. Enforce Your Policies

Ensure that your SOX compliance policies and controls are constantly enforced. Apply automation to block unauthorized or suspicious activity. 

7. Maintain Data Integrity

Ensure all the financial data stored by your organization is accurate and complete, as per sections 302, 401 and 409 of the SOX Act. This includes preventing others from tampering with financial data or changing it unknowingly.
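The tamper-evidence half of this step is easier to reason about with a concrete mechanism. The following Python is an added example written for this article, not code from the page or from any vendor: it stores financial journal entries in a SHA-256 hash chain, where each entry's hash covers its own fields plus the hash of the entry before it, so an in-place edit, a deletion, or a re-ordering breaks verification. The Ledger and JournalEntry names, the account codes and the three sample entries are all constructed for illustration.

```python
"""Tamper-evident hash chain for financial journal entries (constructed example)."""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class JournalEntry:
    seq: int            # 1-based position in the ledger
    account: str        # constructed account code, e.g. "1000-Cash"
    amount_cents: int   # signed amount in cents; integers avoid float rounding
    memo: str
    prev_hash: str      # entry_hash of the preceding entry (GENESIS for the first)
    entry_hash: str     # SHA-256 over this entry's fields, including prev_hash


GENESIS = "0" * 64  # sentinel "previous hash" for the first entry


def entry_digest(seq: int, account: str, amount_cents: int, memo: str, prev_hash: str) -> str:
    """Canonical JSON keeps the digest independent of field order and whitespace."""
    payload = json.dumps(
        {"seq": seq, "account": account, "amount_cents": amount_cents,
         "memo": memo, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


class Ledger:
    def __init__(self) -> None:
        self.entries: List[JournalEntry] = []

    def append(self, account: str, amount_cents: int, memo: str) -> JournalEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        seq = len(self.entries) + 1
        entry = JournalEntry(seq, account, amount_cents, memo, prev,
                             entry_digest(seq, account, amount_cents, memo, prev))
        self.entries.append(entry)
        return entry

    def head_hash(self) -> str:
        """Hash of the latest entry; store it where the ledger's writers cannot change it."""
        return self.entries[-1].entry_hash if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> List[int]:
        """Return positions that fail verification; an empty list means the chain is intact.

        A position fails if the stored hash no longer matches the entry's fields, if its
        prev_hash does not point at the entry before it, or if its seq is out of order
        (an entry was removed or inserted). If expected_head is supplied and differs from
        the current head hash, position 0 is reported: the tail was rewritten as a whole.
        """
        bad: List[int] = []
        prev = GENESIS
        for position, e in enumerate(self.entries, start=1):
            recomputed = entry_digest(e.seq, e.account, e.amount_cents, e.memo, e.prev_hash)
            if e.seq != position or e.prev_hash != prev or e.entry_hash != recomputed:
                bad.append(position)
            prev = e.entry_hash
        if expected_head is not None and expected_head != prev:
            bad.insert(0, 0)
        return bad


def build_sample_ledger() -> Ledger:
    """Three constructed journal entries; the values are illustrative only."""
    ledger = Ledger()
    ledger.append("1000-Cash", 250_000, "Customer payment, INV-1042")
    ledger.append("2000-AP", -125_000, "Vendor bill V-77 recorded")
    ledger.append("1000-Cash", -125_000, "Vendor bill V-77 paid")
    return ledger


def demo() -> Dict[str, List[int]]:
    """Walk through three tampering scenarios and report what verify() catches."""
    ledger = build_sample_ledger()
    anchor = ledger.head_hash()  # kept out of band, e.g. in WORM storage or with the auditor
    result = {"intact": ledger.verify(anchor)}  # []

    # 1. A stored amount is edited in place: that entry's own hash no longer matches.
    ledger.entries[1].amount_cents = -12_500
    result["edited"] = ledger.verify(anchor)  # [2]

    # 2. The entry's hash is recomputed to hide the edit: the next entry's prev_hash
    #    now points at a hash that no longer exists in the chain.
    e = ledger.entries[1]
    e.entry_hash = entry_digest(e.seq, e.account, e.amount_cents, e.memo, e.prev_hash)
    result["rehashed"] = ledger.verify(anchor)  # [3]

    # 3. Everything after the edit is re-linked so the chain is self-consistent again.
    #    Only the externally stored anchor reveals the rewrite now.
    nxt = ledger.entries[2]
    nxt.prev_hash = e.entry_hash
    nxt.entry_hash = entry_digest(nxt.seq, nxt.account, nxt.amount_cents, nxt.memo, nxt.prev_hash)
    result["relinked"] = ledger.verify(anchor)    # [0]
    result["relinked_no_anchor"] = ledger.verify()  # [] -- looks clean without the anchor
    return result


if __name__ == "__main__":
    print(demo())
```

The third scenario is the one that matters for the control design: a hash chain alone only proves internal consistency, so the head hash has to be recorded somewhere the people and systems that can write the ledger cannot also overwrite, and the auditor's check compares against that copy.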

8. Ensure Data Availability

Ensure that your data is stored with sufficient redundancy to weather incidents like natural disasters or hardware failures. The financial department must be able to access data such as monitoring files and reports at all times. 

9. Provide Documentation

Ensure all incidents, both normal and abnormal, are properly documented. The reports should include granular audit data that can be easily exported for offline review. 

10. Secure Your Perimeter

Ensure the perimeter around your infrastructure is consistently secured, as per sections 302 and 401 of the SOX Act. Ensure the relevant firewalls are updated and patches applied.

SOX Compliance Automation with Pathlock

Preparing for a SOX audit can be a stressful, expensive, and time-consuming process, but it doesn’t have to be. Pathlock provides an automated, real-time solution for proving compliance with your internal controls for SOX. Continuous controls monitoring can ensure that you are always tracking towards compliance, so there are no major surprises when the audit season comes around.

In today’s modern enterprise, nearly 100% of the financially relevant activity happens in modern applications like SAP, Oracle, Workday, and NetSuite. Furthermore, up to 10 financially relevant applications may be in play just to support the standard order-to-cash and procure-to-pay processes. By connecting directly into your business applications, Pathlock can automatically monitor activity in these applications to surface any violations of controls, and pinpoint and quantify the financial impact of any risks. Internal and external auditors alike trust Pathlock’s reports to prove control enforcement and compliance with regulations.

Financial Impact Prioritization

Pathlock automatically prioritizes your most critical violations by quantifying access risk, tying violations to the real dollar amounts of the out-of-policy transactions.

Comprehensive Rulebook

With a catalog of over 500 rules, Pathlock can provide out-of-the-box coverage for controls related to SOX, GDPR, CCPA, HIPAA, NIST, and other leading compliance frameworks.

Real-time Access Mitigation

Pathlock allows users to quickly investigate and respond to potentially risky transactions by reviewing access, deprovisioning users, forcing 2FA, or even allowing Pathlock to respond intelligently in real time, terminating suspicious sessions and blocking transactions.

Out-of-the-Box Integrations

Pathlock’s out-of-the-box integrations extend workflows to the provisioning and service desk tools you already have in place, such as ServiceNow, SailPoint, Okta, Azure AD, SAP GRC, and more.

Lateral SOD Correlation

All entitlements and roles are correlated across a user’s behavior, consolidating activities and translating cross-application segregation of duties (SOD) conflicts between financially relevant applications.
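Cross-application SOD correlation comes down to two tables: a map from each application's native entitlement to a business function, and a list of function pairs that one person must not hold together. The Python below is an added example written for this article, not Pathlock's code or any description of how its product works; the application names, entitlement names (including the SAP transaction codes), the rule set and the sample user assignments are all constructed for illustration, and the function and variable names are hypothetical.

```python
"""Cross-application segregation-of-duties (SOD) correlation (constructed example)."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Step 1: normalise each application's native entitlement to a business function.
# All entries are constructed for this example; a real map is built from the
# role/authorisation model of each financially relevant application.
ENTITLEMENT_TO_FUNCTION: Dict[Tuple[str, str], str] = {
    ("SAP", "FK01"): "create_vendor",
    ("SAP", "F110"): "release_payment",
    ("Workday", "Supplier Admin"): "create_vendor",
    ("NetSuite", "AP Approver"): "approve_invoice",
    ("NetSuite", "Bill Payment"): "release_payment",
}

# Step 2: conflicting function pairs, expressed once and applied across every application.
SOD_RULES: List[Tuple[str, str, str]] = [
    ("create_vendor", "release_payment", "Could create a fictitious vendor and pay it"),
    ("create_vendor", "approve_invoice", "Could create a vendor and approve its invoices"),
    ("approve_invoice", "release_payment", "Could approve and pay an invoice unchecked"),
]

# Constructed sample assignments: (user, application, entitlement).
SAMPLE_ASSIGNMENTS: List[Tuple[str, str, str]] = [
    ("alice", "SAP", "FK01"),
    ("alice", "NetSuite", "Bill Payment"),   # conflicts with FK01 across applications
    ("bob", "SAP", "F110"),
    ("bob", "NetSuite", "AP Approver"),      # conflicts with F110 across applications
    ("bob", "Okta", "Admin"),                # unmapped: not a financial function here
    ("carol", "SAP", "FK01"),
    ("carol", "Workday", "Supplier Admin"),  # same function twice is not a conflict
    ("dave", "SAP", "FK01"),
    ("dave", "SAP", "F110"),                 # classic single-application conflict
]


def correlate(assignments: List[Tuple[str, str, str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Group each user's entitlements by business function, keeping the source as evidence."""
    by_user: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for user, app, entitlement in assignments:
        function = ENTITLEMENT_TO_FUNCTION.get((app, entitlement))
        if function is None:
            continue  # not part of any rule; would be surfaced separately as "unmapped"
        by_user[user][function].add(f"{app}/{entitlement}")
    return by_user


def find_conflicts(assignments: List[Tuple[str, str, str]]) -> List[dict]:
    """Apply SOD_RULES to the correlated view and return one finding per user and rule."""
    findings: List[dict] = []
    by_user = correlate(assignments)
    for user in sorted(by_user):
        functions = by_user[user]
        for first, second, risk in SOD_RULES:
            if first in functions and second in functions:
                evidence = sorted(functions[first] | functions[second])
                apps = {source.split("/", 1)[0] for source in evidence}
                findings.append({
                    "user": user,
                    "rule": (first, second),
                    "risk": risk,
                    "evidence": evidence,
                    "cross_application": len(apps) > 1,
                })
    return findings


if __name__ == "__main__":
    for finding in find_conflicts(SAMPLE_ASSIGNMENTS):
        scope = "cross-app" if finding["cross_application"] else "single-app"
        print(f"{finding['user']}: {finding['rule'][0]} + {finding['rule'][1]} "
              f"({scope}) via {', '.join(finding['evidence'])}")
```

Alice and Bob each hold a clean set of rights inside every single application, which is why per-application role reviews miss them; the conflict only appears once entitlements from different systems are reduced to the same business function. Carol shows the other side of the normalisation: two entitlements that map to the same function are redundant, not conflicting.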

Continuous Control Monitoring

Pathlock identifies the largest risks by monitoring 100% of financial transactions from applications like SAP in real time, surfacing violations for remediation and investigation.
