What is SOX Compliance?
Introduced in 2002, in response to a number of corporate scandals including those involving Enron, Tyco International, and WorldCom, the Sarbanes-Oxley (SOX) Act takes its name from Paul Sarbanes and Michael Oxley, the congressmen who drafted it, and set out new standards to help make financial reporting more transparent in order to protect investors.
The SOX Act works by placing a clear divide between the auditing function and accounting firms to ensure financial reporting is not falsified or misrepresented like in the cases mentioned above. As a result, SOX compliance is now a legal requirement for all publicly-traded companies, domestic and foreign, that do business in the United States.
Achieving SOX compliance
In order to achieve SOX compliance, companies must conduct an annual audit to confirm the integrity of their data handling and financial statements, and then file it with the SEC. Responsibility for the accuracy of these statements and meeting the submission deadlines rests with the CEO and CFO respectively.
What is a SOX audit?
A SOX audit provides an annual assessment on how well a company manages internal controls. Primarily, this ensures that financial statements are accurate and authentic, and the audit report is also made public for shareholders. This exercise must be carried out by external auditors to avoid any conflict of interests, and penalties for non-compliance include fines, delisting from stock exchanges, and invalidation of insurance policies.
Benefits of SOX compliance
However, that doesn’t mean SOX compliance should be viewed purely in punitive terms. Meeting the obligations set out in the SOX Act is also good business practice because it helps safeguard sensitive data from internal threats, external cyber-attacks, and security breaches.
As result of SOX compliance many businesses report the following benefits:
- Stronger controls
- Improved documentation
- More involvement from the audit committee
- Convergence opportunities
- Standardised processes
- Less complexity
- Reduction in human error.
SOX compliance implications for IT
SOX compliance also has major implications for IT departments because of its intense focus on financial data security and ensuring the availability of financial records. In order to comply, IT departments must:
- Maintain transparent financial data security practices
- Be aware of all privilege access policies
- Understand current log management standards for all financial records
- Continuously improve security risk remediation processes
- Aspire towards incorruptible and continuous reliability of all financial data.
SOX compliance challenges
Although SOX compliance is the catalyst for improved reporting and data security, it isn’t without challenges. Organisations often cite spread-sheet and end-user issues along with the cost of remaining compliant as challenges that they face when meeting their legal obligations.
However, since the SOX Act was passed, a number of frameworks have emerged to help organisations to manage their responsibilities, including:
- The Committee of Sponsoring Organizations of the Treadway Commission (COSO): COSO has established a common internal control model as benchmark for the evaluation of control systems.
- Control Objectives for Information and Related Technologies (COBIT): COBIT defines a set of generic processes for IT management
- The Information Technology Governance Institute (ITGI): This framework uses COBIT and COSO, but focuses on security rather than general compliance.
Jobs in SOX Compliance
Achieving SOX compliance is a cross-departmental process involving many different people, including: compliance managers, compliance officers, internal auditors, IT auditors, financial analysts, risk management specialists, and lawyers. Working together, they ensure that all regulatory requirements are met and that any associated business benefits are maximised.