SOX Compliance: What is it, and How to Meet the Requirements?

Complying with SOX Requirements

Security, transparency, and accurate reporting are indispensable for any organization. In the modern era of ransomware and other cyber attacks, failing in these areas can be devastating for companies and their customers. Beyond that, any company that publicly trades stock has considerable legal obligations to comply with SOX, or else face potential criminal charges.

What is SOX Compliance?

SOX is short for the Sarbanes-Oxley Act of 2002. It lays out a set of requirements for companies to secure their data to prevent breaches and fraud, while also describing a course of action to take should these events occur anyway. Successful compliance consists of setting up tamper-resistant systems, conducting internal audits, and establishing protocols to follow in the event of a breach.

What is the Sarbanes-Oxley Act?

The Sarbanes-Oxley Act was a response to major cases of financial fraud around the turn of the century. In particular, its motivation stemmed from scams surrounding Enron and WorldCom, the latter of which represented the most costly example of financial fraud in history at the time. Both companies lacked mechanisms to enforce accountability and transparency, which enabled certain executives and figures within the company to commit fraud on a massive scale.

The goal was to inflate earnings reports and artificially maintain the stock price, which resulted in terrible losses for investors once the fraud became public. This drove Congress to pass the Sarbanes-Oxley Act, which imposed stricter regulation on publicly traded companies.

This was necessary because the issue was not just a handful of unscrupulous executives, but also the circumstances that let them get away with it for as long as they did. There are many opportunities for conflicts of interest between stockbrokers, banks, and the businesses whose stocks they trade. Taken together, these considerations led to the conclusion that regulatory bodies needed to exercise greater oversight over publicly traded companies.

Why is SOX Compliance Important?

SOX compliance is important for businesses, investors, and consumers alike. Adhering to these regulations builds trust with the public and allays fears that your company will defraud them. The importance of complying with SOX regulations is twofold: first, it is a legal necessity, and failing to comply can result in harsh penalties. Second, greater security, transparency, and effective bookkeeping have benefits of their own that offset some of the costs of compliance.

Is SOX Compliance Mandatory?

Complying with the regulations and responsibilities that SOX lays down is non-negotiable. The act also includes harsh punishment for anyone who participates in the sort of financial fraud it regulates, such as fines of $5 million or more and prison terms of up to 20 years.

Who Needs to Comply?

SOX Compliance is legally necessary for any company that trades its stocks publicly. However, these aren't the only organizations that are subject to requirements within the act. Accounting firms that perform audits also have SOX requirements to uphold.

SOX Compliance Requirements

The text of the SOX Act is fairly expansive, as it doesn't just describe the obligations for businesses but also handles enforcement and funding issues. There are five important sections that describe the requirements for companies to comply with SOX, as well as potential punishment for failure to do so. These include the following (directly quoted):

Section 302: Corporate Responsibility for Financial Reports – Every public company is required to file periodic financial reports with the SEC, and the principal executive officer and the principal financial officer must sign each report to indicate they have reviewed it and they certify that the report does not contain any untrue statements and does not omit any material information. In addition, the signers of the report are responsible for establishing and maintaining internal SOX controls and must have validated those controls within 90 days prior to issuing the report.

Section 404: Management Assessment of Internal Controls – All annual financial reports must include an Internal Control Report stating that management is responsible for an "adequate" internal control structure, and an assessment by management of the effectiveness of the control structure. Any shortcomings in these SOX controls also must be reported. In addition, registered external auditors must attest to the accuracy of the company management's assertion that internal accounting controls are in place, operational and effective.

Section 409: Real Time Issuer Disclosures – Companies are required to disclose to the public in a timely manner any material changes in the financial condition or operations of the company in the interest of protecting investors and the public.

Section 802: Criminal Penalties for Altering Documents – Anyone who knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of matters before the SEC can be fined, imprisoned for no more than 20 years, or both.

Section 906: Corporate Responsibility for Financial Reports – The criminal penalty for certifying a misleading or fraudulent financial report can be upwards of $5 million in fines and 20 years in prison.

SOX and Whistleblower Hotlines

Regulatory requirements in several jurisdictions mandate that publicly traded organizations have a whistleblower policy and procedure in place. The US requirements of Sarbanes-Oxley state that a publicly traded organization must address and manage:

      • The receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters
      • The confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters

SOX Compliance Checklist

While the text of the act is quite dense, you can distill your obligations into the following SOX compliance checklist:

      • Implement a trustworthy whistleblower hotline that gives employees the ability to speak up about wrongdoing
      • Design tamper-resistant systems that track changes to data on a timeline
      • Use physical security and encryption to prevent tampering with the data timeline
      • Create active security monitoring systems that can detect and report suspicious behavior
      • Build your systems with ease of use in mind to facilitate internal and external auditors
      • Test and verify that the systems work as intended and will both resist tampering and enable audit
      • Develop systematic and technological methods to identify any breaches that have occurred
      • Describe an organizational process for reporting breaches to auditors and assisting their efforts
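As an added example (not from the original post or from WhistleBlower Security), here is one way to implement the checklist items about tracking changes on a timeline and verifying that the system resists tampering: a hash-chained, append-only change log in Python whose verifier pinpoints the first entry that was altered or removed. The actors, table, keys and amounts are constructed sample data.

```python
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # link value carried by the very first entry


def entry_hash(prev_hash, record):
    # Canonical JSON (sorted keys, no whitespace) so the same change always hashes identically.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class ChangeLog:
    """Append-only log of data changes; every entry commits to the hash of the one before it."""
    FIELDS = ("ts", "actor", "table", "key", "old", "new")

    def __init__(self):
        self.entries = []

    def append(self, actor, table, key, old, new, ts=None):
        record = {"ts": ts or datetime.now(timezone.utc).isoformat(),
                  "actor": actor, "table": table, "key": key, "old": old, "new": new}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({**record, "prev": prev, "hash": entry_hash(prev, record)})
        return self.entries[-1]["hash"]


def verify(entries):
    """Walk the chain: (True, -1) if intact, else (False, index of the first broken entry)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        record = {k: e[k] for k in ChangeLog.FIELDS}
        if e["prev"] != prev or entry_hash(prev, record) != e["hash"]:
            return False, i
        prev = e["hash"]
    return True, -1


def demo():
    # Constructed sample: an invoice amount is raised, reversed, then a new invoice is added.
    log = ChangeLog()
    log.append("clerk-12", "ledger", "inv-1001", {"amount": 1200}, {"amount": 1250}, ts="2024-03-01T10:00:00+00:00")
    log.append("controller-3", "ledger", "inv-1001", {"amount": 1250}, {"amount": 1200}, ts="2024-03-01T11:00:00+00:00")
    log.append("clerk-12", "ledger", "inv-1002", None, {"amount": 480}, ts="2024-03-02T09:00:00+00:00")
    intact = verify(log.entries)

    altered = copy.deepcopy(log.entries)
    altered[0]["new"] = {"amount": 9999}          # an amount rewritten after the fact
    deleted = log.entries[:1] + log.entries[2:]   # the reversing entry quietly dropped
    return intact, verify(altered), verify(deleted)
```

A chain like this is tamper-evident rather than tamper-proof: anyone with write access to the whole file could recompute every hash, which is why the checklist pairs it with physical security and encryption, and why the latest hash should be copied somewhere the log's writers cannot reach, such as write-once storage or a signed external record.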

Contact us to learn more about SOX compliance software solutions to ensure your company is fully compliant. We are here to help.

About the Author
Amanda Nieweler
Amanda writes for WhistleBlower Security about ethics, compliance, workplace culture, and whistleblower hotlines. Amanda brings her nearly two decades of risk and compliance experience to the WBS blog where she is dedicated to helping people and companies promote speak-up cultures.