What are SOX Internal Controls?
The 2002 Sarbanes-Oxley Act (SOX) is a federal law that aims to increase the reliability of financial reporting and protect investors from corporate fraud. It covers publicly traded companies operating in the United States, and also some private companies, as defined in SOX sections 302 and 404.
Section 404 of the SOX regulation requires organizations to implement internal controls, to ensure their financial reporting is accurate. SOX controls, also known as SOX 404 controls, are rules that can prevent and detect errors in a company’s financial reporting process. Internal controls are used to prevent or discover problems in organizational processes, ensuring the organization achieves its goals.
SOX controls must be applied and verified in all cycles leading to the company’s financial report or financial results. Internal auditors must conduct regular compliance audits to verify that appropriate controls are in place and that they are functioning properly.
The SOX standard does not provide a list of specific controls. Instead, it requires organizations to define their own controls to meet the regulator’s goals. These could include, for example, access control, change management, segregation of duties, cybersecurity solutions, and backup systems.
SOX Compliance Requirements
To better understand the context of internal controls within the SOX standard, here is a brief review of SOX requirements:
Senior management responsibility
In publicly traded companies, the CEO and CFO are directly responsible for any financial report filed with the Securities and Exchange Commission (SEC). Because the CEO and CFO are held personally responsible, they face severe criminal penalties for violations, including prison time and millions of dollars in fines.
Internal control report
SOX requires organizations to file a report which demonstrates that the management of the company remains responsible for the internal control structure applied to financial records.
To ensure transparency, all material weaknesses must be immediately reported to senior management. Sections 302 and 404 are highly relevant to this aspect of the act:
- SOX Section 302—holds the CEO and CFO responsible for reporting and all related internal controls.
- SOX Section 404—ensures finances remain transparent by requiring quarterly updates and annual disclosures, which should be provided to the SEC and relevant stakeholders.
Data security policies
SOX requires organizations to create and maintain a data security policy that protects the storage and use of all financial information. SOX requires organizations to consistently implement this policy and clearly communicate it to all employees.
Proof of compliance
SOX requires organizations to create and maintain compliance documentation, which must be provided to auditors upon request. Additionally, organizations are required to continually perform SOX control testing, as well as monitor and measure SOX compliance objectives.
SOX Internal Controls Audits: 4 Key Areas of Focus
An enterprise’s internal audit and controls testing is generally the largest, most complex and time-consuming part of a SOX compliance audit. This is because the scope of internal controls extends to all of the company’s IT assets, including computers, hardware, software, and any other electronic device that has access to financial data.
A SOX IT controls audit focuses on the following areas:
1. Access Control
Evaluating how the organization restricts access and implements access control measures, to ensure only the right people can physically and electronically access sensitive financial information. This includes physical access measures like locks and video surveillance for server rooms, and digital measures like authentication and credentials management using an identity and access management (IAM) solution.
2. IT Security
Evaluating how the organization identifies sensitive data, protects it against cyberattacks, monitors who is accessing it and how, and detects security incidents. In the event of an incident, the company must be able to take corrective action in a timely and effective manner. This requires dedicated security staff, effective security procedures, and security tools such as a Security Information and Event Management (SIEM) system.
3. Data Backup
Evaluating how the organization backs up data and key systems to minimize business disruption and data loss in case of a disaster. Both the original systems, and the data center containing backups or standby systems that store financial data, must be compliant with SOX requirements.
4. Change Management
Evaluating how the organization manages changes to the IT environment, such as new employees, new computing infrastructure, new software, updates to existing software, and configuration changes. All changes must be recorded, sensitive changes should be monitored, and anomalies should be reported and acted on to prevent security breaches.
SOX Controls Best Practices
The following best practices can help you implement and audit SOX controls more effectively.
Use a Top Down Risk Assessment Approach
According to the PCAOB, it is best to use a top down approach to assess risks related to SOX controls. Start from financial statements, identify entities related to each statement, and define the controls needed for the important accounts and disclosures related to the statement.
The end goal of a risk assessment is to identify possible risks, existing controls, and whether they are enough to satisfy SOX requirements. If not, the next step is to develop new procedures to implement the missing controls.
Determining Materiality in SOX
It is critical to determine materiality, to understand the level of controls required for a financial statement to comply with SOX. The following guidelines can help you determine materiality:
- Identify what is material to P&L and balance sheet—see if an item in a financial statement can affect the economic decisions made by the company, by analyzing its significance as a share of the overall economic activity.
- Identify business units or locations with material account balances—review financial statements for all units of the business. If any of them contain material account balances, they will probably require SOX testing in the next financial year.
- Identify key transactions—when you identify a material account balance, identify the specific debits and credits that affect the balance. Find and document a process to monitor these key transactions.
- Identify financial reporting risks—for every material account, see what can cause key transactions to be improperly reported. Clearly identify how risk events can affect the account balance, and as a result, the overall financial statement.
Limit the Number of SOX Controls By Identifying Key Controls
It can be tempting to apply a control every time a risk is identified in the risk assessment process. However, this leads to a large number of controls, which can be difficult to implement and enforce and may needlessly impact business operations.
It is advised to limit the number of controls to the minimum necessary, by identifying key controls. A simple way to differentiate key vs. non-key controls is to ask the question: “what risk does this control mitigate, and is the risk low or high?” If the risk is low, the control may not be needed. Use this approach to prioritize your efforts.
Identify Manual vs. Automated Controls
In a large enterprise, it is infeasible to implement all controls manually. Differentiate between:
- Manual controls
- Automated controls outside the scope of IT General Controls (ITGC) testing
- Automated controls within the scope of ITGC testing
The first two categories fall under the responsibility of the SOX audit team. However, the third category is taken care of by existing ITGC efforts. By identifying this third category, and focusing your efforts on the first two, you can save a significant amount of time in SOX control auditing.
Automating SOX Internal Controls Auditing with Pathlock
Preparing for a SOX audit can be a stressful, expensive, and time consuming process, but it doesn’t have to be. Pathlock provides an automated, real-time solution to proving compliance with your internal controls for SOX. Continuous controls monitoring can ensure that you are always tracking your compliance, so there are no major surprises when the audit season comes around.
In today’s modern enterprise, nearly 100% of the financially relevant activity happens in modern applications like SAP, Oracle, Workday, and NetSuite. By connecting directly into your business applications, Pathlock can automatically monitor activity in these applications to surface any violations to controls, and pinpoint and quantify the financial impact of any risks. Internal and external auditors alike trust Pathlock’s reports to prove control enforcement and compliance with regulations.
Financial Impact Prioritization
Pathlock automatically prioritizes your most critical violations by quantifying access risk, tying each violation to the real dollar amounts of the out-of-policy transactions.
With a catalog of over 500 rules, Pathlock can provide out-of-the-box coverage for controls related to SOX, GDPR, CCPA, HIPAA, NIST, and other leading compliance frameworks.
Real-time Access Mitigation
Pathlock allows users to quickly investigate and respond to potentially risky transactions by reviewing access, deprovisioning users, forcing 2FA, or even allowing Pathlock to respond intelligently in real time by terminating suspicious sessions and blocking transactions.
Pathlock’s out-of-the-box integrations extend workflows to the provisioning and service desk tools you already have in place, such as ServiceNow, SailPoint, Okta, Azure AD, SAP GRC, and more.
Lateral SOD Correlation
All entitlements and roles are correlated with a user’s behavior, consolidating activities and showing cross-application SOD conflicts between financially relevant applications.
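The segregation-of-duties check described above, reduced to its core logic as an added example (this is not Pathlock’s code; the application names, roles, duty labels, SOD conflict matrix and user extract are all constructed for illustration). It maps each user’s roles across several applications onto the duties they grant, then flags any pair of duties that the conflict matrix says one person must never hold together, including pairs that only conflict across applications:

```python
# Added example: cross-application segregation-of-duties (SOD) check.
# Every role, duty, user and conflict pair below is constructed for illustration.
from collections import defaultdict
from itertools import combinations

# Which abstract duty each application role grants (constructed mapping).
ROLE_DUTIES = {
    ("erp", "AP_CLERK"): {"create_vendor", "enter_invoice"},
    ("erp", "AP_MANAGER"): {"approve_payment"},
    ("bank_portal", "PAYMENT_RELEASER"): {"release_payment"},
    ("hr", "PAYROLL_ADMIN"): {"change_bank_details"},
}

# Duty pairs that one person must never hold together (constructed SOD matrix).
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"approve_payment", "release_payment"}),
    frozenset({"change_bank_details", "release_payment"}),
}

def duties_for(entitlements):
    """Map a user's (app, role) entitlements to the duties they grant, keeping
    track of which app:role supplied each duty so findings are traceable."""
    origin = defaultdict(set)
    for app, role in entitlements:
        for duty in ROLE_DUTIES.get((app, role), set()):
            origin[duty].add(f"{app}:{role}")
    return origin

def find_sod_violations(user_entitlements):
    """Return {user: [(duty_a, duty_b, sources)]} for every conflicting duty
    pair a user holds; conflicts spanning two applications are caught as well."""
    findings = {}
    for user, entitlements in user_entitlements.items():
        origin = duties_for(entitlements)
        hits = []
        for a, b in combinations(sorted(origin), 2):
            if frozenset({a, b}) in SOD_CONFLICTS:
                hits.append((a, b, sorted(origin[a] | origin[b])))
        if hits:
            findings[user] = hits
    return findings

SAMPLE_USERS = {  # constructed entitlement extract, one role list per user
    "alice": [("erp", "AP_MANAGER"), ("bank_portal", "PAYMENT_RELEASER")],
    "bob": [("erp", "AP_CLERK"), ("erp", "AP_MANAGER")],
    "carol": [("erp", "AP_CLERK")],
}

if __name__ == "__main__":
    for user, hits in find_sod_violations(SAMPLE_USERS).items():
        for a, b, sources in hits:
            print(f"{user}: {a} + {b} via {', '.join(sources)}")
```

In the constructed extract, alice’s conflict only becomes visible when the ERP and banking portal entitlements are viewed together, which is the cross-application case a single-system review would miss.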
Continuous Control Monitoring
Pathlock identifies the largest risks by monitoring 100% of financial transactions from applications like SAP in real time, surfacing violations for remediation and investigation.