Is Your Organization SOX Compliant for 2020?
The Sarbanes-Oxley Act of 2002, sponsored by Paul Sarbanes and Michael Oxley, represents a huge change to federal securities law. It came as a result of the corporate financial scandals involving Enron, WorldCom and Global Crossing. Effective in 2006, all publicly-traded companies are required to implement and report internal accounting controls to the SEC for compliance. In addition, certain provisions of Sarbanes-Oxley also apply to privately-held companies.
Executives who approve shoddy or inaccurate documentation face fines of up to $5 million and jail time of up to 20 years.
Provisions of the Sarbanes-Oxley Act (aka SoX, Sarbox or SOA) detail criminal and civil penalties for noncompliance, certification of internal auditing, and increased financial disclosure. It affects public (and private) U.S. companies and non-U.S. companies with a U.S. presence. SOX is all about corporate governance and financial disclosure.
The Sarbanes-Oxley Act requires all financial reports to include an Internal Controls Report. This shows that a company's financial data is accurate and that adequate controls are in place to safeguard financial data. Year-end financial disclosure reports are also a requirement. A SOX auditor is required to review controls, policies, and procedures during a Section 404 audit.
SOX auditing requires that internal controls and procedures can be audited using a control framework like COBIT. Log collection and monitoring systems must provide an audit trail of all access and activity to sensitive business information.
Sarbanes-Oxley also encourages the disclosure of corporate fraud by protecting whistleblower employees of publicly traded companies or their subsidiaries who report illegal activities. Section 806 of the Sarbanes-Oxley Act authorizes the U.S. Department of Labor to protect whistleblowers who complain about employer retaliation and further authorizes the Department of Justice to criminally charge those responsible for the retaliation.
SOX affects private companies too
Certain provisions of Sarbanes-Oxley also affect privately held companies. For example, intentionally destroying, altering or falsifying documents with the intention of impeding or influencing a federal agency investigation or a federal bankruptcy proceeding carries fines and up to 20 years imprisonment. In addition, whistleblower protection applies: retaliating against someone who provides a law enforcement officer with information relating to a possible federal offense is punishable by up to 10 years imprisonment.
SOX affects accounting firms
Sarbanes-Oxley builds a firewall between the auditing function and other services available from accounting firms. The firm that audits the books of a publicly held company may no longer do the company's bookkeeping, audits, or business valuations, and is also banned from designing or implementing an information system, providing investment advisory and banking services, or consulting on other management issues.
SOX affects HR departments
Sarbanes-Oxley contains mandates regarding the establishment of payroll system controls. A company's workforce, salaries, benefits, incentives, paid time off, and training costs must be painstakingly accounted for under Section 404 of Sarbanes-Oxley. SOX requires certain employers to adopt an ethics program that includes a codified code of ethics, a communications plan, and staff training.
SOX is expensive to implement
According to a 2008 SEC survey of officers at public companies, Sarbanes-Oxley cost the average company $2.3 million annually in direct compliance costs, including staff time, documentation, and external audits, compared with estimates of $91,000 in annual costs before the Act was passed.
Summary of Key Provisions
Many thousands of companies face the task of ensuring their accounting operations are in compliance with the Sarbanes Oxley Act. Auditing departments typically first have a comprehensive external audit by a Sarbanes-Oxley compliance specialist performed to identify areas of risk. Next, specialized software is installed that provides the "electronic paper trails" necessary to ensure Sarbanes-Oxley compliance.
The summary highlights of the most important Sarbanes-Oxley sections for compliance are listed below.
SOX Section 302 - Corporate Responsibility for Financial Reports
a) CEO and CFO must review all financial reports.
b) Financial report does not contain any misrepresentations.
c) Information in the financial report is "fairly presented".
d) CEO and CFO are responsible for the internal accounting controls.
e) CEO and CFO must report any deficiencies in internal accounting controls, or any fraud involving the management of the audit committee.
f) CEO and CFO must indicate any material changes in internal accounting controls.
SOX Section 401: Disclosures in Periodic Reports
All financial statements are required to be accurate and presented in a manner that does not contain incorrect statements or omit material information. Such financial statements should also include all material off-balance sheet liabilities, obligations, and transactions.
SOX Section 404: Management Assessment of Internal Controls
All annual financial reports must include an Internal Control Report stating that management is responsible for an "adequate" internal control structure, and an assessment by management of the effectiveness of the control structure. Any shortcomings in these controls must also be reported. In addition, registered external auditors must attest to the accuracy of the company management's assertion that internal accounting controls are in place, operational and effective.
SOX Section 409 - Real Time Issuer Disclosures
Companies are required to disclose, on an almost real-time basis, information concerning material changes in their financial condition or operations.
SOX Section 802 - Criminal Penalties for Altering Documents
This section specifies the penalties for knowingly altering documents in an ongoing legal investigation, audit, or bankruptcy proceeding.
SOX Section 806 - Protection for Employees of Publicly Traded Companies Who Provide Evidence of Fraud
This section deals with whistleblower protection.
SOX Section 902 - Attempts & Conspiracies to Commit Fraud Offenses
It is a crime for any person to corruptly alter, destroy, mutilate, or conceal any document with the intent to impair the object's integrity or availability for use in an official proceeding.
SOX Section 906 - Corporate Responsibility for Financial Reports
Section 906 addresses criminal penalties for certifying a misleading or fraudulent financial report. Under SOX 906, penalties can be upwards of $5 million in fines and 20 years in prison.
Sarbanes-Oxley Compliance 9-Step Checklist
A SOX compliance checklist should include the following items that draw heavily from Sarbanes-Oxley Sections 302 and 404. For each item, the signing officer(s) must attest to the validity of all reported information.
1. Establish safeguards to prevent data tampering (Section 302.2)
Implement an ERP system or GRC software that tracks user logins and access to all computers that contain sensitive data and detects break-in attempts against computers, databases, fixed and removable storage, and websites.
2. Establish safeguards to establish timelines. (Section 302.3)
Implement an ERP system or GRC software that timestamps all data as it is received in real time. This data should be stored at a remote location as soon as it is received, thereby preventing data alteration or loss. In addition, log information should be moved to a secure location and an encrypted MD5 checksum created, thereby preventing any tampering.
3. Establish verifiable controls to track data access. (Section 302.4.B)
Implement an ERP system or GRC software that can receive data messages from virtually an unlimited number of sources. Collection of data should be supported from file queues, FTP transfers, and databases, independent of the actual framework used, such as COBIT and ISO/IEC 27000.
4. Ensure that safeguards are operational. (Section 302.4.C)
Implement an ERP system or GRC software that can issue daily reports to e-mail addresses and distribute reports via RSS, making it easy to verify that the system is up and running from any location.
5. Periodically report the effectiveness of safeguards. (Section 302.4.D)
Implement an ERP system or GRC software that generates multiple types of reports, including a report on all messages, critical messages, alerts and uses a ticketing system that archives what security problems and activities have occurred.
6. Detect Security Breaches. (Section 302.5.A/B)
Implement an ERP system or GRC software that performs semantic analysis of messages in real time and uses correlation threads, counters, alerts, and triggers that refine and reduce incoming messages into high-level alerts. These alerts then generate tickets that list the security breach, send out email, or update an incident management system.
7. Disclose security safeguards to SOX auditors. (Section 404.A.1.1)
Implement an ERP system or GRC software that provides access to auditors using role-based permissions. Auditors may be permitted complete access to specific reports and facilities without the ability to actually make changes to these components, or reconfigure the system.
8. Disclose security breaches to SOX auditors. (Section 404.A.2)
Implement an ERP system or GRC software capable of detecting and logging security breaches, notifying security personnel in real-time, and permitting resolution to security incidents to be entered and stored. All input messages are continuously correlated to create tickets that record security breaches and other events.
9. Disclose failures of security safeguards to SOX auditors. (Section 404.B)
Implement an ERP system or GRC software that periodically tests network and file integrity, and verifies that messages are logged. Ideally the system interfaces with common security test software and port scanners to verify that the system is successfully monitoring IT security.
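Checklist items 2 and 9 both come down to one mechanism: every received message gets a receipt timestamp, and the stored log carries an integrity value that lets a later check prove nothing was altered, removed or reordered. The following is an added illustration, not code from the article or from any ERP or GRC product it mentions. It uses a keyed HMAC-SHA256 chain in place of the "encrypted MD5 checksum" the checklist names (a keyed hash is what gives the integrity value its tamper resistance; MD5 itself is not an encryption algorithm), and the events, hostnames, user names and key are constructed sample values.

```python
"""Tamper-evident log store (added example, not the article's own code).

Each received event is stamped with a receipt time and sealed with an
HMAC-SHA256 that also covers the previous record's seal, so the records
form a chain. verify_log() walks the chain and reports the first record
whose content, position or seal no longer matches.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

# Constructed sample events, as a log collector might receive them from an ERP.
SAMPLE_EVENTS = [
    {"user": "jdoe", "action": "login", "host": "erp-app-01"},
    {"user": "jdoe", "action": "post_journal_entry", "amount": 12500.00},
    {"user": "asmith", "action": "approve_journal_entry", "entry_id": 4471},
]

GENESIS = "0" * 64  # chain anchor used as the "previous seal" of record 0


def seal_record(key: bytes, prev_seal: str, body: dict) -> str:
    """HMAC-SHA256 over the previous seal plus the canonical JSON of the record body."""
    payload = prev_seal.encode() + json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_event(log: list, key: bytes, event: dict,
                 received_at: Optional[str] = None) -> dict:
    """Timestamp an incoming event on receipt and append a sealed record."""
    prev_seal = log[-1]["seal"] if log else GENESIS
    body = {
        "seq": len(log),                                   # position in the chain
        "received_at": received_at
        or datetime.now(timezone.utc).isoformat(),         # receipt time, not sender time
        "event": event,
    }
    record = dict(body)
    record["seal"] = seal_record(key, prev_seal, body)     # seal covers seq, time, event
    log.append(record)
    return record


def verify_log(log: list, key: bytes) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if the chain is intact, else (False, first bad seq)."""
    prev_seal = GENESIS
    for expected_seq, record in enumerate(log):
        if record.get("seq") != expected_seq:
            return False, expected_seq                     # gap, deletion or reordering
        body = {k: v for k, v in record.items() if k != "seal"}
        expected = seal_record(key, prev_seal, body)
        if not hmac.compare_digest(expected, record.get("seal", "")):
            return False, expected_seq                     # content or seal altered
        prev_seal = record["seal"]
    return True, None


def build_sample_log(key: bytes) -> list:
    """Build a three-record log from the constructed events with fixed receipt times."""
    log: list = []
    for i, event in enumerate(SAMPLE_EVENTS):
        append_event(log, key, event, received_at=f"2020-01-15T09:0{i}:00+00:00")
    return log


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    log = build_sample_log(key)
    print("intact:", verify_log(log, key))
    log[1]["event"]["amount"] = 1250.00                    # simulate an after-the-fact edit
    print("after edit:", verify_log(log, key))
```

The receipt timestamp is assigned by the collector rather than taken from the sender, which is what makes the timeline the checklist asks for independent of the source system's clock. The key is the sensitive part: keep it on the log server, not with the ERP users whose activity is being recorded, since anyone holding it can reseal a modified chain.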