The United States Congress passed the Sarbanes-Oxley (SOX) Act of 2002 to prevent corporate malpractice, malfeasance and money laundering in response to high-profile fraud cases, such as Enron, WorldCom, Adelphia and Tyco International.
The main aims of SOX compliance are to improve accuracy, reliability and transparency over companies’ financial reporting and increase corporate governance responsibility. All US publicly traded companies, including direct subsidiaries, trading partners and auditors, must be SOX compliant.
SOX contains eleven titles, of which three sections are of particular focus in SOX compliance testing:
Section 302: Corporate Responsibility for Financial Reports
Annual financial disclosure reports must be made by companies to the Securities and Exchange Commission (SEC), with the CEO and CFO of the company responsible for the accuracy and reliability of the company’s financial reports, as well as the reporting of any shortcomings in the process. In addition, external auditors must be engaged to assess and validate internal controls.
Section 404: Management Assessment of Internal Controls
The company’s management team must conduct an internal audit and review to ensure that transaction controls, such as accounting controls, and an “adequate” internal control framework are in place and robust. All financial reports must include an Internal Control Report. In addition, external auditors must conduct a top-down risk assessment to provide an independent assessment of the company’s internal controls.
Section 409: Real-Time Issuer Disclosures
Any deviation from the most recently reported disclosures must also be disclosed in real time, as must any serious changes in the company’s financial position and operations.
Other important sections include 802 (Criminal Penalties for Altering Documents) and 906 (Corporate Responsibility for Financial Reports). Failure to comply with SOX, such as by certifying a misleading, fraudulent or inaccurate report, can result in fines of up to $5 million and up to 20 years in prison.
SOX Compliance and Cybersecurity
Companies must demonstrate robust internal controls in many cybersecurity areas to prepare for a SOX compliance audit. In the design testing phase of the audit, a sample transaction is “walked through” end-to-end. All the records related to such a transaction must be recorded in accounting systems. As such, controls such as logging and monitoring of network traffic, database access, and account, user and information access are necessary.
In the operational effectiveness phase of testing, a larger sample of transactions, or all of them, is validated to show that internal controls are in place and effective. This is usually the largest part of the audit with regard to section 404. Management must demonstrate that both phases of testing are complete, that the controls designed and implemented are effective at scale, and that resilience in the form of regular data backups, change control systems, and a cybersecurity framework is present.