SOX compliance is the set of guidelines that all public companies must follow to comply with the Sarbanes-Oxley Act. SOX compliance requires the establishment of strong internal controls, which must then be tested and monitored on an ongoing basis. SOX compliance is important for public companies because it helps to ensure that they are properly managing their finances and providing accurate financial information to investors. SOX compliance can be costly and time-consuming, but public companies need to maintain a high level of financial transparency.
All publicly-traded companies in the USA must comply with SOX, as well as any wholly-owned subsidiaries and foreign companies that are both publicly traded and do business with the USA. Any accounting firms that are auditing companies bound by SOX compliance are also, by proxy, obliged to comply.
Other companies, including private ones and non-profits, generally do not have to comply with SOX, although adhering to it anyway is good business practice. There are other reasons, besides good business sense, to comply with SOX even if you are not publicly traded: SOX contains provisions stating that any company that knowingly destroys or falsifies financial data can face punishment under the Act.
Companies that are planning on going public, perhaps via an IPO (Initial Public Offering), should prepare to be bound by SOX.
SOX Compliance Requirements
SOX requires that all financial reports include an Internal Controls Report. This report should show that the company’s financial data is accurate (a 5% variance is permitted) and that appropriate and adequate controls are in place to ensure that the data is secure.
Financial reports at the end of every year are also a requirement.
SOX audits are carried out by external auditors; during a Section 404 audit, controls, policies, and procedures are all reviewed.
Section 404 audits will also involve looking into staff, potentially even conducting interviews, to ensure that job descriptions match duties and that the required training on how to handle financial data has taken place.
SOX sections 302, 404, and 409 require that strict auditing, logging, and monitoring take place across all internal controls, network and database activity, login activity, account activity, user activity, and information access.
SOX audits often require the use of frameworks like COBIT to audit internal controls and procedures. You must make sure that any log collection, auditing, and monitoring solutions can provide a complete audit trail of access to and interactions with sensitive data.
SOX IT audits are focused on the following key areas:
- IT Security
- Access Controls
- Data Backup
- Change Management
Compliance Checklist for SOX
Since every business is unique, there isn't a single checklist that applies to all of them for SOX compliance. However, the following are some general rules:
- Make sure all of your systems, especially your logging and monitoring software, are up to date.
- Make sure that any alarms you receive from your SOX audit solution are handled right away and thoroughly investigated.
- Make sure to categorize your sensitive financial data regularly and to be aware of the creation of new financial data.
- Watch for unusual user activity that might result in SOX compliance violations. Users shouldn't copy financial information, for instance, to unprotected locations.
- Review access controls regularly and set up notifications for permission changes that could affect access to financially sensitive information.
- Keep a current and routine SOX compliance status report. In the case of a SOX audit, this will assist you in producing the necessary information.
- Ensure that SOX auditors have the access they require to do their duties.
- Ensure that all employees, whether new or long-standing, receive regular training on how to handle financial data properly.
- Report security lapses and incidents as soon as you can, with as much detail as you can.
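As an added example (not code from the original article), the following Python script applies two of the checklist items above to a constructed JSON-lines audit log: it alerts on permission changes to classified financial data and on copies of that data to unprotected locations, and it reports records it cannot parse as gaps in the audit trail. The paths, user names, event fields and log format are assumptions.

```python
import json

# Constructed classification of sensitive financial data (hypothetical paths).
FINANCIAL_PREFIXES = ("/finance/ledger/", "/finance/reports/")
# Constructed set of destinations treated as unprotected (hypothetical).
UNPROTECTED_PREFIXES = ("/media/usb/", "/home/", "/tmp/")

def is_financial(path):
    """True if the path falls under a classified financial data location."""
    return path.startswith(FINANCIAL_PREFIXES)

def check_event(event):
    """Return an alert string for one audit event, or None if it needs no follow-up."""
    action, user = event.get("action"), event.get("user", "?")
    if action in ("chmod", "acl_change") and is_financial(event.get("path", "")):
        # Checklist item: notify on permission changes affecting financial data.
        return "permission change on %s by %s (%s)" % (event["path"], user, event.get("detail", ""))
    if action == "copy" and is_financial(event.get("src", "")) \
            and event.get("dst", "").startswith(UNPROTECTED_PREFIXES):
        # Checklist item: financial data must not be copied to unprotected locations.
        return "financial data %s copied to unprotected %s by %s" % (event["src"], event["dst"], user)
    return None

def scan_audit_log(lines):
    """Parse JSON-lines audit records and return alerts in log order."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            # A record the checker cannot parse is itself a gap in the audit trail.
            alerts.append("unparseable audit record: %r" % line)
            continue
        alert = check_event(event)
        if alert:
            alerts.append("[%s] %s" % (event.get("ts", "?"), alert))
    return alerts

# Constructed sample audit log (JSON lines); users, paths and timestamps are made up.
SAMPLE_LOG = [
    '{"ts":"2024-03-01T09:00:00Z","user":"alice","action":"read","path":"/finance/ledger/q1.xlsx"}',
    '{"ts":"2024-03-01T09:05:00Z","user":"bob","action":"chmod","path":"/finance/reports/10k.pdf","detail":"0640->0666"}',
    '{"ts":"2024-03-01T09:10:00Z","user":"carol","action":"copy","src":"/finance/ledger/q1.xlsx","dst":"/media/usb/q1.xlsx"}',
    '{"ts":"2024-03-01T09:15:00Z","user":"dave","action":"copy","src":"/hr/handbook.pdf","dst":"/tmp/handbook.pdf"}',
    'not an audit record',
]
if __name__ == "__main__":
    for alert in scan_audit_log(SAMPLE_LOG):
        print(alert)
```

The plain read by alice and the non-financial copy by dave produce no alert, which is what a reviewer should expect: the checker flags only the events the checklist calls out.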