SOX Compliance: The Complete Guide
What Is SOX Compliance?
The Sarbanes-Oxley Act of 2002 (SOX) defines legal requirements that regulate the financial reporting and conduct of public companies and related entities. It was created in response to US financial scandals and the resulting losses to companies and their investors.
The goal of SOX compliance is to prevent misrepresentation in financial reporting and outright fraud such as falsification of financial documentation. SOX compliance involves several aspects by which companies are assessed, including responsibility for financial reports and the management of internal controls.
The SOX Act applies to several types of companies, including US-based public companies, private companies, and non-profit organizations that meet certain criteria, as well as non-US companies that operate within the US. To remain compliant, these companies are required to pass SOX compliance audits, which assess the company’s internal controls and integrity of financial reporting.
See the official full text of the SOX Act.
Who Must Comply with the SOX Law?
The SOX Act applies to all publicly-traded companies located in the US—including their foreign companies and wholly-owned subsidiaries. These companies are required to follow the eleven sections of the Act. Additionally, publicly traded companies that conduct business within the US, and all accounting firms performing audits for public US companies, must comply with the SOX Act.
Generally, the SOX Act does not apply to private companies and charities. However, any private company that is in the process of going public, undergoing an initial public offering (IPO), is required to comply with SOX regulations. Private companies that are being acquired by public companies with a SOX requirement may also feel pressure to prove compliance. There are also several exceptions defined for non-profit companies.
In order to encourage people to report suspected fraudulent activities within their company, the SOX Act includes protection measures for whistleblowers. The act also defines strict punishments for auditors, board members, and officers destroying company documents, treating these offenses as criminal activities. These penalties apply to both publicly traded companies and non-profit corporations that violate the SOX Act.
Benefits of SOX Compliance
Here are several key benefits of SOX compliance:
- Improved financial record management—the SOX Act provides a framework that helps companies better manage their financial records.
- Predictable finances—the majority of SOX-compliant companies report that their financials become more predictable after implementing SOX requirements. Improved financial reporting makes stockholders happy and offers companies easier access to capital markets.
- Better security—SOX regulations help companies protect themselves from cyber-attacks and effectively manage the aftermath of data breaches, which can be expensive to manage and mitigate.
- Improved collaboration—SOX requirements help companies build cohesive internal teams and improve the communication between all teams involved with audits. SOX is a company-wide program that has many tangible effects on companies, such as improved cross-functional cooperation and communication.
Related content: Read our guide to SOX certification (coming soon)
What Are the SOX Requirements?
The SOX Act includes many requirements. Here are the six of the most important requirements:
Section 302: Corporate Responsibility for Financial Reports
All public companies must periodically file financial statements. They are also required to report on their internal control structure with the US Securities and Exchange Commission (SEC). Section 302 holds the CEO and CFO directly responsible for the accuracy of these reports as well as the proper documentation and submission of any report made to the SEC. In addition, the CEO and CFO are required to establish and maintain internal SOX controls and must validate these controls within 90 days of issuing a report.
Section 404: Management Assessment of Internal Controls
This section is generally considered the most complex and expensive to comply with. It stipulates that all annual financial reports must contain an internal control report that holds management responsible for establishing and maintaining an “adequate” internal control structure. Management is also responsible for assessing the effectiveness of existing control structures.
Management must report any shortcomings in internal controls. They are required to hire a registered independent auditor to verify the accuracy of the assertion that:
- Internal accounting controls are in place
- An internal control framework is in place
- Controls are operational and effective
The external auditor and management are all held responsible for performing assessments in the form of a top-down risk assessment. This requires basing the scope of the assessment and any collected evidence on concrete risks.
Section 409: Real-Time Issuer Disclosures
Section 409 requires companies to disclose, on a near real-time basis, all material changes to the financial operations or condition of the company. The goal of this requirement is to protect the interests of the public and the company’s investors.
Section 802: Criminal Penalties for Altering Documents
This section imposes penalties of up to twenty years of imprisonment for crimes related to fraudulent financial reporting activities. These activities include altering, mutilating, destroying, concealing, and falsifying financial documents, records, or any tangible objects, with the intent to impede, influence, or obstruct legal investigations.
The section also imposes penalties of up to ten years on auditors, accountants, or others who willfully or knowingly violate the maintenance requirements of all review or audit papers for a period of five years.
Section 806: Sarbanes Oxley Whistleblower
This section promotes the disclosure of fraudulent activities by protecting the employees of publicly-traded organizations and their subsidiaries who report illegal activities.
The section authorizes the US Department of Labor to protect employees who “blow the whistle” against employers who retaliate against them and further authorizes the Department of Justice to criminally charge all parties responsible for the retaliation.
Section 906: Corporate Responsibility for Financial Reports
Section 906 says that the criminal penalty for certifying a fraudulent or misleading financial report can be as high as $5 million in fines as well as twenty years in prison.
Learn more in our detailed guide to SOX requirements (coming soon)
What Are SOX Controls?
SOX security controls help companies identify and prevent inaccuracies or errors in financial reports, including errors of the intentional and unintentional kind. Companies need to apply SOX controls to all processes related to financial reporting and their financial results.
To comply with the SOX Act, companies are required to test, record, maintain, and review the controls applied to financial report management on a regular basis. Additionally, internal auditors are required to perform periodic compliance audits in order to ensure that all the controls implemented by the company are consistent with SOX requirements.
SOX controls are defined to ensure the accuracy of financial statements and to protect investors from fraud. Another key objective of SOX controls is to improve the responsibility taken by management roles.
Here are several examples of SOX controls:
- Sign-offs—all financial disclosures submitted to the SEC must be signed off by an executive officer, typically the CFO or the CEO.
- Hiring processes—all candidates must be interviewed and approved by both the hiring manager as well as HR to ensure that the candidate meets all requirements.
- Approval requirements—authorized access to the payroll processing system must be defined as a set of requirements. Only those meeting the requirements can gain access.
- Multiple sign-offs—to prevent fraud or theft, all checks require multiple sign-offs.
- Segregation of Duties (SoD)—all financial reporting activities must be split between several roles to prevent a conflict of interests.
Learn more in our detailed guide to SOX internal controls
What Is SOX Testing?
SOX testing involves evaluating the internal financial reporting controls of an organization. Management teams must report any flaws or insufficiencies in these controls, which external auditors verify. While companies may differ in the specific controls they use and the details of the SOX testing process, they must all address the following four testing phases:
- Initial assessment—the SOX team conducts and documents walkthroughs of the control processes. The team then demonstrates that control activities occurred. The documentation informs an assessment of the SOX control designs and any corrections that must be made.
- Interim test—the SOX team performs an additional round of testing, usually halfway through the year, to ensure that any flaws identified have been addressed and that the controls operate correctly. This test determines if the controls need to be redesigned or the documentation updated.
- End-of-year test—in this final internal testing round, towards the end of the year, the SOX team retests controls that have shown deficiencies. Remediation measures must be shown to be effective.
- Independent audit—third-party auditors test the operational effectiveness of SOX controls. These auditors follow independent requirements for SOX testing, and any concerns they raise must be dealt with promptly by management and the SOX team.
What Types of Software Can Assist with SOX Compliance
It can be overwhelming to generate and manage the extensive documentation required to comply with SOX. Keeping meticulous records of protected financial data and its change management is practically impossible to do manually.
Given the complexity and high stakes involved in compliance reporting, it is critical that you use software to automate some of your auditing responsibilities. SOX compliance software offers various capabilities, including tracking of relevant controls and their effectiveness, enforcement of key controls, flagging of potential security threats, creation of compliance reports according to common templates, and tracking of overall compliance progress and posture (using cataloged data and machine-driven analysis).
Security information and event management (SIEM) software are especially helpful for consolidating log management and analyzing trends to flag the most relevant information. SIEM solutions typically detect security threats automatically, leveraging intelligence feeds to identify bad actors (hackers or unauthorized persons) and malware. SIEM tools can also recognize suspicious behavior based on known threat patterns or behavior anomalies and provide notifications to alert security teams to potential threats.
However, policing alone is not enough to secure your network—effective cybersecurity requires preventative measures to regulate who can access data rather than relying on responsive measures to breaches and data loss. The IT department must secure sensitive data stored in files and applications systematically by applying access privileges that effectively detect unauthorized access to data. Otherwise, there is no way to tell if a user is authorized or not.
Tools for managing access rights provide a comprehensive view of how data is accessed across various locations. This minimizes the guesswork and enables the data collection necessary for compliance reports, auditing operations, and data loss prevention strategies. Furthermore, it can automate manual processes of reporting on segregation of duties across various business-critical applications to prove compliance.
You can also use email archiving tools to permanently store information in a secure, centralized location, where you can easily access it when needed. This can help you provide evidence for SOX compliance, allowing you to store your organization’s entire email history and access records instantly.
Learn more in our detailed guide to SOX compliance software
SOX Compliance Best Practices
Here are a few best practices that can help your organization achieve SOX compliance.
Plan the Timing of Your Annual SOX Audit
Companies are required to hire an independent auditor to perform an annual SOX audit. To prevent conflicts of interest, the annual SOX audit must be separated from other internal audits. Plan the audit so that it can be completed well in advance of annual financial reporting, enabling the company to address audit results and still submit financial reports on time to investors.
Related content: Read our guide to SOX audit
Focus on Internal Controls
A SOX audit presents an opportunity to review and improve the internal controls of the company. Typically, internal controls include oversight of all electronic infrastructure, computers, network hardware, technologies, and business processes through which financial information passes.
Get Support from the IT Department
Here are several security best practices organizations need to adopt in order to pass a SOX audit:
- Standardize security—implement a security information governance program to ensure security is maintained properly across the organization.
- Prevent data loss—data plays a critical role in SOX compliance. Establish practices that protect financial reports and all data required for audit against data leaks, modification, and deletion.
- Back up your data—make sure you have backups of all data needed. Data backup is not only a SOX best practice but also a measure that can help the organization recover during failures and maintain normal operations.
- Beware of social engineering—threat actors use social engineering tactics, such as email scams and fraudulent telephone calls to gain unauthorized access to systems, networks, and data. Set measures in place to protect your organization against these tactics.
- Educate and train your employees—education and training are critical to ensure users make proper use of company assets. It can help turn your employees into more aware users who understand the risks of social engineering tactics and shadow IT and strive to protect the organization by using the practices learned during training. It is important to educate all users, including executives like the CEO, on the proper usage of technology resources.
- Establish clear policies—policies are typically used by both human resources and IT systems. Policies should be clearly defined and communicated to ensure that people of all skill sets are able to understand and implement them. Automated systems also require clearly defined policies.
- Update your systems—updates often include security fixes. To ensure your systems and software remain healthy, update them as soon as possible.
- Implement incident response—the goal of an incident response strategy is to define standards of response that are to be implemented and maintained on a regular basis by all relevant parties, including IT teams, security experts, and executives.
- Monitor and Control System access – ensure that critical access is requested and granted in an approved fashion, and monitor all user access to ensure there is no unnecessary access granted and that controls like segregation of duties, and user access reviews are in place.
Meet with the External Auditing Team
After choosing and hiring an external auditing team, you should schedule a meeting to introduce internal teams. You should discuss the particular needs of the organization and what is needed for a successful SOX audit.
You can, for example, discuss the designation of a primary contact person, the review of all preparatory materials required when the project begins, as well as additional information the auditors need for their work.
Map Organizational Responsibilities
Properly define all relevant roles and responsibilities. You can do this using Segregation of Duties (SOD) techniques, which create the basic building blocks of sustainable risk management and internal controls. For example, a company should not assign the staff member responsible for maintaining the general accounting ledger to also approve checks or pay invoices.
Automating SOX Internal Controls Auditing with Pathlock
Preparing for a SOX audit can be a stressful, expensive, and time-consuming process, but it doesn’t have to be. Pathlock provides an automated, real-time solution to proving compliance with your internal controls for SOX. Continuous controls monitoring can ensure that you are always tracking towards compliance, so there are no major surprises when the audit season comes around.
In today’s modern enterprise, nearly 100% of the financially relevant activity happens in modern applications like SAP, Oracle, Workday, and NetSuite. Furthermore, up to 10 financially relevant applications may be in play just to support the standard order to cash and procure-to-pay processes. By connecting directly to your business applications, Pathlock can automatically monitor activity in these applications to surface any violations to controls and pinpoint and quantify the financial impact of any risks. Internal and external auditors alike trust Pathlock’s reports to prove control enforcement and compliance with regulations.
Financial Impact Prioritization
Pathlock automatically prioritizes your most critical violations by quantifying access risk by tying violations to real dollar amounts of the out-of-policy transactions.
With Pathlock’s catalog of over 500+ rules, Pathlock can provide out-of-the-box coverage for controls related to SOX, GDPR, CCPA, HIPAA, NIST, and other leading compliance frameworks.
Real-time Access Mitigation
Pathlock allows users to quickly investigate and respond to potential risky transactions by reviewing access, de-provisioning users, forcing 2FA, or even allowing Pathlock to respond intelligently in real-time, terminating suspicious sessions and blocking transactions in real time.
Pathlock’s out-of-the-box integrations extend workflows to the provisioning and service desk tools you already have in place, such as ServiceNow, SailPoint, Okta, Azure AD, SAP GRC, and more.
Lateral SOD Correlation
All entitlements and roles are correlated across a user’s behavior, consolidating activities and translating cross-application SODs between financially relevant applications.
Continuous Control Monitoring
Pathlock identifies the largest risks by monitoring 100% of financial transactions from applications like SAP in real-time, surfacing violations for remediation and investigation.