The Sarbanes-Oxley (SOX) Act is a milestone data compliance and disclosure law designed to protect investors by improving the accuracy and reliability of corporate disclosures and by making corporate board members, managers, and accounting firms liable for the accuracy of their financial statements. IT plays a significant role in corporate compliance with the regulatory policies established by SOX, since the financial data behind those reports lives on corporate systems and must be secured and maintained in a controlled environment. This article explores the key contents of SOX, how companies can stay in compliance, and the benefits of regulatory enforcement.
What is SOX Compliance?
The SOX Act requires companies to maintain thorough, accurate knowledge of their financial data and to maintain network security in every area where financial data could be breached or misrepresented. Passed by the U.S. Congress in 2002 after several major fraud cases, including the Enron scandal, SOX guards investors against faulty or misrepresented disclosures of publicly traded companies’ financial data.
At a high level, SOX mandates that companies do the following:
- Prepare complete financial reports to ensure the integrity of financial reporting and regulatory compliance
- Put controls in place to safeguard financial data and ensure its accuracy
- Provide year-end financial disclosure reports
- Protect employee whistleblowers who disclose fraud
SOX also requires CEOs, CFOs, and other C-suite executives to take responsibility for honest financial data reporting, formalized data security policies and procedures, and documentation of all relevant financial details—all of which can be pulled up and reviewed in an audit at any time. Through its data and reporting requirements, SOX also puts pressure on IT teams, much as other government, regulatory, and jurisdictional compliance regimes such as the European Union’s General Data Protection Regulation (GDPR) do.
Data-Specific Rules in SOX
SOX specifically regulates the financial data of publicly traded companies, especially as it relates to corporate transactions, which can include line items such as off-balance-sheet transactions, pro forma figures, and stock transactions. The law enacts several rules for these kinds of financial data, obliging companies to submit to regular external audits and to establish internal reporting and controls that support financial data accuracy.
Data management and archiving are essential to SOX. IT must create and maintain an archive of corporate records that conforms to the electronic records management provisions of SOX Section 802, which provide direction in three critical areas:
- Retention periods for records storage are defined, as are SOX best practices for the secure storage of all business records
- Definitions must be made for the various types of business records that need to be stored (e.g., business records, communications, and electronic communications)
- Guidelines must govern the destruction, alteration, or falsification of records, along with the resulting penalties
Beyond routine audits and maintenance of financial reporting, companies are expected to report concrete evidence of changes in financial condition to the U.S. Securities and Exchange Commission (SEC). The controls that SOX requires include an Internal Control Report, which details all financial history for managerial responsibility and transparency, as well as additional documentation proving that financial data is monitored regularly.
The SEC also requires formal data security policies, with proof that they are communicated and enforced across the corporate network. SOX itself does not prescribe specific security protocols or expectations.
SOX compliance falls into the category of corporate governance and accountability. While it’s mainly financial, it also involves enterprise IT departments as it includes very specific guidelines for how corporate electronic records must be stored and for how long—generally, for a minimum period of five years.
SOX directs all covered companies to undergo annual audits and make the results publicly available to their stakeholders. In order to pass a SOX compliance audit, companies need to inspect the quality of their internal controls and systems in the following key areas:
- Limiting physical and electronic access to only what authorized users absolutely need
- Setting up and maintaining security measures such as endpoint security, multi-factor authentication, and anti-malware controls to protect against breaches
- Keeping secure backup storage for all relevant financial data that could be affected by a breach
- Applying change management and internal auditing practices so that financial data remains protected when users, devices, and programs change
- Putting appropriate reporting cycles, report formats, and data content in place, with a documented review process for SOX reports
Externally, SOX is enforced by the U.S. Securities and Exchange Commission, which established the Public Company Accounting Oversight Board to oversee, regulate, and discipline auditors who work with publicly traded companies under SOX.
All publicly traded companies with American shareholders are required to comply with SOX rules, including their boards, management, and accounting firms. The consequences of non-compliance can be fines, imprisonment, or both.
SOX can also apply to international companies in certain situations. Like other data laws such as GDPR, SOX applies to any publicly traded company that does business with American citizens, even if the business itself is not located in the United States.
SOX has ushered in a level of financial accountability and liability that makes it difficult for publicly traded companies to defraud or mismanage financials. It has improved corporate data governance and ethics and made financial responsibility both a management and a board-level mandate. SOX also delivers a number of additional benefits for IT.
More Widespread Acceptance
Traditionally, management has not always recognized the return on investment of IT projects, but SOX has changed that to some extent. For example, it may be easier to approve the purchase of data integration and cleaning software, additional data storage, or expensive security and activity monitoring software if it’s necessary to help the company stay SOX compliant. Similarly, IT policies that might have been viewed as unnecessary or ignored because they might delay project deliverables now must be documented for compliance.
SOX forces the integration of systems, work processes, and data that might not otherwise be integrated. Many companies use multiple invoicing, purchasing, enterprise resource planning (ERP), and customer relationship management (CRM) systems that IT needs to support. To maintain compliance with SOX, those systems are more likely to be integrated and business processes and systems redesigned to make everything—including data—more seamless and uniform. This integration reduces system complexity for IT in both new application development and system maintenance.
Supplier Data Sharing
SOX can improve the quality of transactions and data sharing with suppliers. While IT has traditionally struggled to integrate internal systems with those of suppliers for data exchange, SOX reframes supplier data incompatibilities as a compliance issue that calls for uniform data standards. This can compel supplier audits and demands for change to better integrate supplier data with corporate systems.
Improved Data Quality
The need to conform to external regulatory requirements has placed the spotlight on clean and accurate data and reporting and highlighted the importance of high-quality data—even if it means investing IT staff time and budget. Standardized, high-quality data is now the goal of virtually every company; without it, it is almost impossible to run analytic and automation technologies like artificial intelligence. SOX and other compliance regulations help drive this work.
Despite the benefits of compliance—not least of which is avoiding punishment and fines—companies face challenges in their ongoing efforts to meet SOX regulations, which can put burdens on multiple departments and teams. Here are some of the most common.
Lack of Expertise
Inadequate resources or internal SOX expertise can be a problem for many companies, especially new or smaller businesses. Compliance requires implementing appropriate controls to monitor each SOX-related process—for example, purchasing might implement a control so that only someone at manager level or higher can sign off on an order in excess of $1,000. If the existing purchasing system does not have that checkpoint built in, orders without the required sign-off could slip through and create a material weakness for auditors or regulators to find.
Some company cultures are averse to having rules and regulations foisted upon them. For example, some technology startups pride themselves on creativity, freedom, and innovation—such environments make it difficult to get management on board with costly, time-consuming, and restrictive SOX initiatives.
Just because SOX requires data integration and uniform data management doesn’t make the job of data integration any easier for IT—it still takes time, money, and resources. Businesses that merge or go through acquisitions, and subsequently have to blend disparate systems into a single enterprise whole for SOX reporting, may find the effort especially daunting.
The regulatory environment is constantly changing, and companies need to keep up. When a SOX requirement changes, the typical chain of communication starts in a regulatory agency, trickles down to the legal staff, gets reviewed by management, and then finally makes its way to IT. The challenge comes in keeping delays from happening along the way so that IT has time to implement the changes before the deadline.
The Bottom Line: SOX Compliance and Enterprise IT
SOX compliance is a fact of life for publicly traded companies. IT plays a major role in assuring that SOX guidelines and requirements are met. While the burden is high—and so are the costs of not meeting it—the advantages of compliance are widespread and benefit the companies themselves, not just their investors. SOX compliance has also elevated the role of IT in enterprise businesses, giving it a seat at the table it did not necessarily have before. As similar new data regulations take hold around the world, IT teams will continue to play an important role in helping businesses stay compliant.