The US Congress passed the Sarbanes-Oxley Act (SOX) in 2002 to regulate the financial reporting of publicly traded companies. The law is named after its two sponsors, Senator Paul Sarbanes and Representative Michael Oxley.
SOX was prompted by the need to protect the investing public from losses of the kind seen in the accounting scandals at large corporations such as Enron Corporation, WorldCom, and Tyco International PLC. Those scandals hit the stock market hard and shook public confidence.
SOX introduced new rules for reporting financial data that hold both management and the Board of Directors accountable for the honesty of those reports. The legislation has been amended and supplemented with guidance several times since, which makes it considerably more complex than the original text.
The Major Provisions of Sarbanes-Oxley
SOX contains five main groups of provisions:
- It established the Public Company Accounting Oversight Board (PCAOB) and imposed restrictions on the auditors of public companies (for example, limits on the consulting services an auditor may sell to its audit clients)
- It set corporate governance requirements, including safeguards for the independence of the audit committee
- It expanded the disclosure requirements for financial reports and related public statements
- It introduced criminal penalties for CEOs and CFOs who knowingly certify reports that do not comply with the law or that misrepresent the company's financial condition
- It introduced prison sentences of up to 20 years for destroying or falsifying records or otherwise obstructing an investigation
SOX contains many provisions that bear on information security and accountability. Although the protection it offers is substantial, many corporations feel overwhelmed by the compliance effort. To keep the effort manageable, identify the sections that actually apply to your organization instead of working through the entire act.
SOX Section 302
This section covers corporate responsibility for financial reports and the disclosure controls and procedures behind them. Section 302 requires the principal executive and financial officers to certify each quarterly and annual report personally, and to have evaluated the effectiveness of the company's disclosure controls and procedures before signing. In summary, the signing officers must certify that:
- They have reviewed the report
- To their knowledge, the report contains no untrue statement of a material fact and omits nothing that would make it misleading
- To their knowledge, the financial statements fairly present, in all material respects, the financial condition and results of operations of the company for the periods covered by the report
In simpler terms, an officer who signs a report is personally accountable for its being true.
SOX Section 401
This part, "Disclosures in Periodic Reports", has two main requirements:
- Section 401(a) requires that all material off-balance-sheet transactions, arrangements and obligations be disclosed in accordance with the applicable accounting rules.
- Section 401(b) requires that pro forma figures in financial disclosures not be misleading and be reconciled to the financial condition and results of operations under generally accepted accounting principles, which supports investor confidence
Section 401 applies to the annual and quarterly financial statements themselves. It targets the same mistake that featured in the WorldCom and Enron scandals, where liabilities were hidden off the balance sheet. Unlike Section 302, which is about the officers' personal certification, Section 401 governs the content of the periodic financial statements, the annual ones of which are audited by a registered public accounting firm.
SOX Section 404
This section requires management to assess, and report annually on, the effectiveness of the company's internal control over financial reporting, with an attestation by the external auditor for larger companies. It is the broadest part of the Sarbanes-Oxley Act of 2002, and most of your SOX compliance effort is likely to go here.
The interpretive guidance published by the United States Securities and Exchange Commission (SEC) for management's report sets out the steps for evaluating and documenting internal controls. First, your organization should identify its financial reporting risks, both internal and external. When assessing these risks, the SEC guidance suggests questions such as the following:
- How precisely do your entity-level controls address each of your financial reporting elements?
- Do several controls address the same financial reporting risk? If so, which of them is the most effective one to rely on?
- Are your controls automated? How reliable are the IT general controls the automated controls depend on? If the controls are manual, how do you evaluate the risk of human error?
- Identify only the controls that address financial reporting risks; controls that do not are out of scope for the assessment.
Next, determine how effectively each control operates and how much risk a failure of that control would carry. The higher the risk, the stronger the evidence of effective operation that you need.
Finally, report on the effectiveness of the controls and on any deficiencies found. Internal control over financial reporting is considered ineffective if it contains one or more material weaknesses. Under the SEC guidance, a material weakness is a deficiency, or a combination of deficiencies, such that there is a reasonable possibility that a material misstatement of the company's financial statements will not be prevented or detected on a timely basis.
SOX Section 409
This section is also called "real-time issuer disclosures". Issuers are obliged to disclose, on a rapid and current basis, material changes in their financial condition or operations. The disclosures must be in plain English that members of the public can understand. In practice this means stakeholders must be informed promptly of such changes, which can include a security breach if it is material to the company's financial condition or operations.
SOX Section 806
This part of SOX protects whistleblowers. It gives the U.S. Department of Labor the authority to protect employees of public companies from retaliation. If your organization dismisses or otherwise retaliates against an employee for reporting irregularities, you risk a court case and eventual fines and remedies.
SOX Section 906
This section establishes corporate responsibility for financial reports under criminal law. The CEO and CFO must certify, in writing, that each quarterly and annual report fully complies with SEC requirements and fairly presents the company's financial condition, and knowingly or willfully false certification is a criminal offence. This SOX section is more straightforward than SOX 302.
Sarbanes-Oxley and Information Security
Information security professionals find SOX compliance difficult partly because of the overlap between Sections 302 and 404. Section 302 requires the officers to certify the disclosure controls personally, while Section 404 requires a broader assessment of internal control over financial reporting, so the two overlap. Neither section defines "controls" precisely, which leaves room for different parties to interpret the term differently.
SOX created the PCAOB, which issues the auditing standards your auditor follows. Those standards say little about IT controls in detail. To fill the gap, both the SEC guidance and the PCAOB's standard point to the COSO Internal Control - Integrated Framework as a suitable framework for structuring internal controls.
The COSO framework organizes internal control into five components: the control environment, risk assessment, control activities, information and communication, and monitoring activities.
To bridge the remaining gap between these high-level components and IT, your organization may use the Control Objectives for Information and Related Technology (COBIT) framework. The widely used COBIT 4.1 edition organizes 34 IT processes into four domains: plan and organize, acquire and implement, deliver and support, and monitor and evaluate. Later COBIT editions restructure these processes, but the mapping to SOX control objectives works the same way.
Make sure your organization has documented security standards, a security policy, authentication procedures, segregation of duties, monitoring, physical security, and network security controls. Having these elements in place makes SOX compliance considerably easier.
The primary IT challenge in SOX compliance is access control. The IT department must be able to show who can reach financially significant data and systems, detect irregular use, and identify anything that could affect the integrity of the company's financial reporting. That means restricting access to authorized individuals only and monitoring the access controls themselves, for example through periodic reviews of user entitlements, to confirm that they keep working.
Because SOX requires senior management to sign off on the controls, compliance supports, but does not by itself guarantee, the security of the organization. The IT department still has to protect the information by keeping all the controls operating and producing evidence that they do. This evidence is examined during the SOX audit, and your organization must be able to produce it to be found compliant. Tooling that collects entitlement data, change records and logs in one place makes both the review and the audit much easier.
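The access-control checks described above are usually run as a periodic entitlement review. The following is an added example, not code from the original page: a small Python script that runs three typical IT general control checks over constructed sample data, a segregation-of-duties conflict check, an orphaned-access check against the HR feed, and a check that privileged changes were covered by an approved change ticket. The role names, user names, system names and ticket identifiers are assumptions chosen for illustration, not real identifiers.

```python
"""Added example (not from the original page): minimal SOX-style IT general
control checks over constructed sample data.  Everything below is made up for
illustration; the role, user, system and ticket names are assumptions."""
from collections import defaultdict

# Constructed segregation-of-duties matrix: pairs of roles one person must not
# hold at the same time (a real matrix comes from the finance/controls team).
SOD_CONFLICTS = {
    frozenset({"ap_vendor_create", "ap_payment_release"}),
    frozenset({"gl_journal_post", "gl_journal_approve"}),
    frozenset({"erp_admin", "gl_journal_post"}),
}

# Constructed entitlement export from the ERP: (user, role) rows.
ENTITLEMENTS = [
    ("alice", "ap_vendor_create"),
    ("alice", "ap_payment_release"),  # can create a vendor and pay it: SoD conflict
    ("bob", "gl_journal_post"),
    ("carol", "gl_journal_approve"),
    ("dave", "erp_admin"),
    ("dave", "gl_journal_post"),      # admin who can also post journals: SoD conflict
    ("erin", "gl_journal_post"),      # erin has left the company but still has access
]

# Constructed HR feed of currently active employees.
ACTIVE_USERS = {"alice", "bob", "carol", "dave"}

# Constructed privileged change log: (change_id, user, system, ticket).
CHANGES = [
    ("chg-1", "dave", "erp-prod", "CR-1042"),
    ("chg-2", "dave", "erp-prod", None),      # no change ticket at all
    ("chg-3", "bob", "erp-prod", "CR-1043"),  # bob is not an approved changer
]
APPROVED_CHANGERS = {"dave"}                  # assumed list of authorized prod changers
APPROVED_TICKETS = {"CR-1042", "CR-1043"}     # assumed set of approved change tickets


def roles_by_user(entitlements):
    """Group the (user, role) export into {user: set(roles)}."""
    roles = defaultdict(set)
    for user, role in entitlements:
        roles[user].add(role)
    return roles


def sod_conflicts(entitlements, conflicts=SOD_CONFLICTS):
    """Return sorted [(user, (role_a, role_b))] for every user holding a toxic pair."""
    findings = []
    for user, roles in roles_by_user(entitlements).items():
        for pair in conflicts:
            if pair <= roles:  # user holds every role in the conflicting pair
                findings.append((user, tuple(sorted(pair))))
    findings.sort()
    return findings


def orphaned_access(entitlements, active_users=ACTIVE_USERS):
    """Users who hold roles but are not in the active-employee feed (leavers)."""
    return sorted(u for u in roles_by_user(entitlements) if u not in active_users)


def unapproved_changes(changes, approved_changers=APPROVED_CHANGERS,
                       approved_tickets=APPROVED_TICKETS):
    """Changes lacking an approved ticket, or made by someone not authorized to change prod."""
    findings = []
    for change_id, user, _system, ticket in changes:
        reasons = []
        if ticket is None or ticket not in approved_tickets:
            reasons.append("no approved ticket")
        if user not in approved_changers:
            reasons.append("user not an approved changer")
        if reasons:
            findings.append((change_id, tuple(reasons)))
    return findings


def run_review():
    """Run all three checks and return the findings as evidence for the audit file."""
    return {
        "sod_conflicts": sod_conflicts(ENTITLEMENTS),
        "orphaned_access": orphaned_access(ENTITLEMENTS),
        "unapproved_changes": unapproved_changes(CHANGES),
    }


if __name__ == "__main__":
    for section, findings in run_review().items():
        print(f"{section}:")
        for finding in findings:
            print("  ", finding)
```

In a real review the three inputs come from the ERP's entitlement export, the HR system, and the change-management tool, and the script's output is kept with the sign-off as evidence that the access and change controls were reviewed for the period. The SoD matrix is the part that needs the most care: it must be agreed with finance, because the IT team cannot decide on its own which role combinations are toxic.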