With a stated goal to “protect investors by improving the accuracy and reliability of corporate disclosures,” the Sarbanes-Oxley (SOX) Act is a milestone 21st-century American data compliance and disclosure law that protects both investors and the businesses that comply with it.
Let’s examine the key contents of SOX, how companies can stay in compliance, and the benefits that come with the enforcement of SOX regulations.
A Closer Look at SOX
The Sarbanes-Oxley Act was passed by an overwhelming majority of Congress in 2002. The timing of the act is significant: it became law after several major fraud cases, such as the Enron fraud scandal of 2002. These cases made national news and made it clear that additional safeguards were needed to protect the integrity of businesses and investors from internal and external malicious actors.
The bill is intended to guard investors against faulty or misrepresented disclosures of publicly traded companies’ financial data. It provides these protections by requiring CEOs, CFOs, and other C-suite executives to take responsibility for honest financial reporting, formalized data security policies and procedures, and documentation of all relevant financial details, all of which can be pulled up and reviewed in an audit at any time.
These protections require companies to maintain a thorough, accurate knowledge of their financial data and to maintain their network security in every area where financial data could be breached or misrepresented. Although the market and the overall value of a company may fluctuate over time, SOX ensures that internal and external shareholders are not given false information about their investments.
Important features of the law
- Establishes policies, procedures, and standards for auditors through the creation of the Public Company Accounting Oversight Board (PCAOB).
- Prevents conflicts of interest between auditors, their clients, and the services they exchange.
- Holds senior executives, such as the CEO and CFO, responsible for ensuring the accuracy of financial statements and reports. The CEO is required to sign company tax returns.
- Delineates scenarios in which a broker, adviser, or dealer can be barred from practicing.
- Provides certain protections for whistleblowers while also enforcing criminal penalties for violators who knowingly manipulate financial data or obstruct investigations.
- Establishes and supports reporting and compliance enforcement on the part of the U.S. Securities and Exchange Commission (SEC).
Data-specific rules in SOX
SOX specifically regulates the financial data of publicly traded companies, especially as it relates to corporate transactions, which can include line items like off-balance sheet transactions, pro forma figures, and stock transactions.
The federal law enacts several rules for these kinds of financial data, obliging companies to submit for regular external audits, as well as enabling internal reporting and controls to support financial data accuracy. Beyond routine audits and maintenance of financial reporting, companies are expected to report concrete evidence of changes in financial condition to the SEC.
The controls that SOX requires include an Internal Control Report, which details all financial history for managerial responsibility and transparency, as well as additional documentation that proves the regular monitoring of financial data. The SEC also requires formal data security policies with proof of communication and enforcement across a corporate network. SOX does not provide exact security protocols or expectations.
Some specific data points that need to be monitored and accounted for in the Internal Control Report include the following:
- Demonstration of internal controls
- Network, database, and user activity
- Security concerns related to that activity (e.g., failed logins and authentication attempts)
- Information access
Who is required to comply?
All publicly traded companies with American shareholders are required to comply with SOX rules. This includes all related U.S. public company boards, management, and accounting firms. Auditors and auditing companies that work with publicly traded companies have their own sets of regulations related to auditing procedures and avoiding conflicts of interest.
There are a few additional cases where SOX may be applied that most businesses fail to consider. For example, privately held companies can also be held liable for certain pieces of the SOX law, including if they impede a federal investigation of financial matters. SOX can also be applied to international companies in certain situations. Much like other data laws, such as GDPR, SOX applies to any publicly traded company that does business with American citizens, even if the business itself is not located in the United States.
Passing a compliance audit
One SOX compliance requirement directs all covered companies to undergo annual audits and make the results publicly available to their stakeholders. An external auditor is typically hired to conduct a financial audit of all financial data and statements, but the auditor cannot conduct any other type of audit at the same time, due to the conflict-of-interest clause in SOX. During the audit, the auditor examines the current year’s financial statements and compares them with the previous year’s data to determine whether any intentional or accidental errors have been made in the ledgers.
In order to pass a SOX compliance audit, companies need to inspect the quality of their internal controls and systems in these four key areas:
- Access, both physical and electronic, is limited to only what authorized users absolutely need. A zero trust security model is a good way to ensure success in this area.
- Security measures have been set up and are maintained to protect against breaches. SOX does not specify which protections to use, so consider network security software as an all-encompassing solution with features like endpoint security, multi-factor authentication, and anti-malware.
- Secure backup storage has been implemented for all relevant financial data that could be affected by a breach.
- Change management and internal auditing practices are applied continuously to make sure that financial data remains protected as users, devices, and programs change.
Additional tips for compliance
An abundance of software and third-party consultants offer solutions to help companies comply with SOX rules and regulations.
- Organize important company data through secure database management system software
- Refer to internal control frameworks like COBIT, COSO, and other guidance from the SEC
- Consider investing in an enterprise resource planning (ERP) platform that specializes in financial planning and management
Companies can also look for tools designed specifically with data compliance and SOX regulations in mind:
“My tip for complying with SOX requirements is to use data-centric compliance software, like Varonis or LogicManager,” said Perry Zheng, engineering manager at Lyft and founder of Cash Flow Portal.
“They can be quite useful for managing all of your company’s audits in real time. These platforms can help restrict access to sensitive financial information on a need-to-know basis, enhancing the security of your data, as per SOX requirements. They maintain cloud backups of all financial records, in case of a security breach.”
SOX is enforced by the U.S. Securities and Exchange Commission, which established the Public Company Accounting Oversight Board to oversee, regulate, and discipline auditors who work with publicly traded companies under SOX. Beyond enforcement at the individual corporation level, the SEC and the Comptroller General are also responsible for big-picture reporting and analytics that showcase the roles that accounting firms, credit rating agencies, and investment banks play in the enforcement of SOX. Most importantly, the SEC provides additional guidance in SOX-related cases over time and has the final word on whether an organization has fallen out of compliance.
The SEC and SOX hold CEOs and CFOs directly accountable for their company’s accurate representation and documentation of financial data and reports, as well as all other rules outlined in SOX. Violations may incur civil penalties and hefty fines, but serious and intentional violations of the law can result in criminal penalties and jail time.
Unintentional non-compliance can result in up to $1 million in fines and the possibility of a 10-year prison sentence for the corporate officer(s). Intentional non-compliance carries even stronger consequences for the violators, resulting in up to a $5 million fine and a 20-year prison sentence.
There are major consequences for organizations that fall out of SOX compliance, so it’s easy to assume the law only benefits consumers and investors outside of the company.
However, SOX offers a range of benefits to both the company and the consumer when compliance is taken seriously:
- Preparing for regular financial audits gives corporate leaders better insight into financial metrics as a whole, supporting their business intelligence, predictive analytics, and planning for the company.
- If an error occurs in the ledger, whether it’s due to honest human error or malicious intent, the auditor is likely to catch it before it becomes a bigger problem.
- Consumers recognize the transparency of a company’s financial practices, leading them to trust and invest in the brand to a greater degree.
- Initially complying with SOX may feel like a huge task, but it forces an organization to streamline financial processes, which increases efficiency over time.
- Once SOX processes are in place, the financial team will be able to spend less time scrambling for audits and data maintenance and more time on high-value business strategy that requires their expertise.
Perhaps most significantly, the data security requirements included in SOX encourage business leaders to take a closer look at their security infrastructure, building up security best practices that prevent a wide range of breaches.
“SOX compliance can help businesses improve their data security,” Zheng said.
“The model prescribed by SOX requires businesses to identify where sensitive data is, who has access to it, and how it is communicated. Complying with SOX reduces the chances of data breaches, which can be quite damaging to companies. Businesses that comply with SOX are also more predictable, which satisfies investors.”