The Sarbanes-Oxley Act (SOX) is a United States federal law passed by Congress in 2002 in response to a series of corporate accounting scandals in which companies committed fraud to inflate their reported value. Once the fraud was discovered, it led to the collapse of the organizations involved and to deep mistrust between investors and publicly traded companies.
SOX was enacted to restore that trust through strict regulatory requirements for company financial records. It imposes rigorous financial auditing requirements so that reported financial data is independently examined, accurate, and free from coercion by senior company officials.
The statute is enforced by the Securities and Exchange Commission (SEC). Publicly traded companies must file regular reports with the SEC attesting to their internal controls and to the accuracy of their financial statements. These reports must be prepared according to accepted standards and are typically filed quarterly and annually.
Although SOX is focused on financial reporting, it has several implications for a company's IT and cybersecurity practices. The act itself does not prescribe how companies must meet its requirements, but many of them can be satisfied through established IT and cybersecurity practices.
For example, SOX compliance requires that SOX-related documents be stored securely and that access to them be logged. The principle of least privilege, under which employees are granted only the minimum access needed to perform their duties, is a standard cybersecurity practice; applying it ensures that only those who need access to Sarbanes-Oxley-related documents have it. Likewise, maintaining audit trails and detecting ongoing security incidents quickly can both be achieved with security information and event management (SIEM) tools.
Overall, achieving SOX compliance has the added benefit of improving a company's cybersecurity posture: many of the internal controls an organization implements to become SOX-compliant also help protect against cyberattacks and mitigate risk.
The Sarbanes-Oxley Act of 2002 is a lengthy statute, but a few sections are worth noting in particular. These key provisions include:
Section 302 requires a company's CEO and CFO to take direct responsibility for the accuracy of its financial reports and for the internal controls behind them. Holding senior executives personally accountable for financial disclosures gives investors confidence that the reports are reliable.
Section 404 requires organizations to establish and maintain effective internal controls over the systems that store or process financial data and reports, and to document them in an internal control report. It also requires an independent auditor to assess those internal controls and report on them. Having an external auditor assess the internal controls gives investors greater trust in the company's financial reporting.
Section 409 calls for real-time disclosure of material changes in an organization's financial condition or operations. If a company experienced a data breach, cyberattack, or other event that materially affected its financial condition or operations, it would be required to disclose this to the public promptly and in plain, understandable terms.
Section 802 sets out penalties for altering, destroying, concealing, or falsifying audit-related documents. The act requires audit records to be retained for five years, and failure to do so can result in penalties, including imprisonment.
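The following script is an added example, not code from the original page or from Egis IT Security. It ties together two points made above: the least-privilege and access-logging controls described for SOX-related documents, and the Section 802 retention requirement. It replays constructed file-access log events for a hypothetical SOX document share, flags any action the acting account is not authorized to perform, and flags deletions of audit records that are still inside the five-year retention window. The log format, the `/shares/sox/` path, the account names and the allow-list are all assumptions made for illustration; a real deployment would take the same checks as a SIEM correlation rule over its own audit source.

```python
# Added example (not from the original page). A minimal audit-trail check for a
# hypothetical SOX document share: flags actions not permitted by the
# least-privilege allow-list and deletions of audit records inside the
# five-year retention window. Log format, paths and accounts are constructed.
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical allow-list: the only accounts permitted on the SOX share and the
# actions each may perform (principle of least privilege).
AUTHORIZED = {
    "j.doe": {"read", "write", "delete"},   # finance analyst
    "k.lee": {"read"},                      # read-only reviewer
    "svc-backup": {"read"},                 # backup service account
}
SOX_PREFIX = "/shares/sox/"               # hypothetical scope of SOX documents
RETENTION = timedelta(days=5 * 365)      # Section 802: retain audit records five years

# Constructed evaluation time, so the retention check is reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample events (JSON lines). Delete events carry the creation
# date of the object being removed, as a file-audit source would record it.
SAMPLE_LOG = [
    '{"ts": "2024-06-01T09:00:00Z", "user": "j.doe", "action": "read", "path": "/shares/sox/q3-ledger.xlsx"}',
    '{"ts": "2024-06-01T09:05:00Z", "user": "k.lee", "action": "write", "path": "/shares/sox/q3-ledger.xlsx"}',
    '{"ts": "2024-06-01T09:10:00Z", "user": "it-admin", "action": "read", "path": "/shares/sox/audit/2023-workpapers.pdf"}',
    '{"ts": "2024-06-01T09:15:00Z", "user": "j.doe", "action": "delete", "path": "/shares/sox/audit/2021-workpapers.pdf", "created": "2021-03-01T00:00:00Z"}',
    '{"ts": "2024-06-01T09:20:00Z", "user": "j.doe", "action": "delete", "path": "/shares/sox/audit/2017-workpapers.pdf", "created": "2017-02-01T00:00:00Z"}',
    '{"ts": "2024-06-01T09:25:00Z", "user": "k.lee", "action": "read", "path": "/shares/hr/handbook.pdf"}',
]


@dataclass
class Finding:
    ts: str
    user: str
    action: str
    path: str
    reason: str


def _parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def check_events(lines, now):
    """Return one Finding per violation. Events outside the SOX share are ignored.

    Two independent checks run on each in-scope event:
      1. least privilege: the action must be in the account's allow-list entry;
      2. retention: a delete of an object younger than RETENTION is flagged
         regardless of who performed it.
    """
    findings = []
    for line in lines:
        ev = json.loads(line)
        if not ev["path"].startswith(SOX_PREFIX):
            continue  # out of scope for SOX controls
        allowed = AUTHORIZED.get(ev["user"], set())  # unknown account -> nothing allowed
        if ev["action"] not in allowed:
            findings.append(Finding(ev["ts"], ev["user"], ev["action"], ev["path"],
                                    "action not permitted for this account"))
        if ev["action"] == "delete":
            age = now - _parse_ts(ev["created"])
            if age < RETENTION:
                findings.append(Finding(ev["ts"], ev["user"], ev["action"], ev["path"],
                                        "deletion inside five-year retention period"))
    return findings


def summarize(findings):
    """Render findings as one alert line each, in the style a SIEM rule would emit."""
    return [f"{f.ts} {f.user} {f.action} {f.path}: {f.reason}" for f in findings]


if __name__ == "__main__":
    for alert in summarize(check_events(SAMPLE_LOG, NOW)):
        print(alert)
```

Run against the sample, the script raises three alerts: the read-only reviewer writing to the ledger, an account outside the allow-list reading audit workpapers, and an authorized user deleting 2021 workpapers that must still be retained. The 2017 deletion is outside the retention window and the HR file is out of scope, so neither is flagged. Separating the two checks matters: the retention rule must fire even for an account that is allowed to delete, because Section 802 constrains what may be destroyed, not only who may do it.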
Egis IT Security serves organizations within the Indianapolis metropolitan area and across the country to help them understand Sarbanes-Oxley requirements. Egis is dedicated to helping others understand and implement the necessary security controls for their business. With our extensive expertise and years of experience, Egis can offer tailored solutions to help your organization align with industry standards, allowing you to focus on your business.
Some of what we can offer to help your organization become compliant with Sarbanes-Oxley includes: