SOX stands for the Sarbanes-Oxley Act, which was passed in 2002 and establishes regulations to protect the public from fraudulent business practices by corporations. It was passed following some large business scandals, where companies like Enron, Tyco and Adelphia used deceptive business practices to trick the public. To protect consumers, it mandates more transparency in the financial reporting of corporations and requires companies to have formalized checks and balances to ensure that their reporting is accurate. SOX applies to all publicly traded companies in the United States, as well as subsidiaries and foreign companies that are publicly traded and conduct business within the US. SOX also has regulations for accounting firms that audit companies for SOX compliance.
Summary of SOX Compliance Requirements
You must make your financial records public and your quarterly and annual reports should accurately reflect your company’s finances.
CEOs and CFOs must take direct responsibility for the accuracy, documentation and submission of all financial reports. They must also report on the internal control structure to the SEC (Securities and Exchange Commission).
You are required to produce an Internal Control Report that states that management takes responsibility for an adequate internal control structure for the company’s financial records.
You are required to have formal data security policies, communication of data security policies and consistent enforcement of those policies. All companies should have a comprehensive data security strategy to protect and secure all financial data stored and used during business operations.
SOX requires that you continuously monitor and measure SOX compliance objectives and provide documentation proving that you are compliant.
You are required to have yearly security audits and to make the results of those audits easily accessible to stakeholders. These audits must be separate from any other audits to prevent a conflict of interest and must be performed by external auditors with the purpose of verifying the company’s financial statements.
You are required to disclose any changes to your company’s financial conditions or operations. Also, the information you present must be clear and use terms the public can understand.
Preparing for the SOX Audit
There are five sections to SOX compliance that auditors will be assessing your company against:
Section 302: Corporate Responsibility of Financial Records
Section 401: Disclosures in Periodic Reports
Section 404: Management Assessment of Internal Controls
Section 409: Disclosures of Changes to Financial Conditions or Operations
Section 802: Penalties for Altering Documents
Section 302: Corporate Responsibility of Financial Records
This requires that the CEO and CFO maintain accurate financial records. SOX mandates that financial reports are to include certifications that:
The signing officers have reviewed the report
The report does not contain any material untrue statements or material omissions and cannot be considered misleading
The financial statements and related information fairly present the financial condition and the results in all material respects
The signing officers are responsible for internal controls and have evaluated these internal controls within the previous ninety days and have reported on their findings
A list of all deficiencies in the internal controls and information on any fraud that involves employees who are involved with internal activities
Any significant changes in internal controls or related factors that could have a negative impact on the internal controls
*Organizations cannot avoid these requirements by incorporating or transferring activities outside of the US.
Section 401: Disclosures in Periodic Reports
Financial reports of the company must be published to the public and meet normal accounting standards. They should include all material off-balance sheet liabilities, obligations and transactions. You will be assessed on the accuracy of these disclosed financial statements.
Section 404: Management Assessment of Internal Controls
In a SOX audit, the auditors will look to verify four different types of internal controls. To pass, you need to demonstrate proper implementation of the following:
Access Controls: This includes physical controls (doors, locks) and technical controls (least privilege access). The most important part of this control is ensuring you have a least permissive access model, which means that people only have access to areas or information that is essential for their job function and nothing more than that.
Security: You must demonstrate that you have security controls to prevent data breaches from occurring. This is a broad term, but it’s important to have security controls that are preventive and that consistently monitor your environment for any security threats. You also want security tools that give you the ability to remediate any incidents that may occur.
Regular Backups: SOX requires off-site backups of all your financial records to be maintained. Any third party or data center that stores this information is subject to the SOX compliance audit.
Change Management: You need to have defined and documented processes for adding and maintaining user accounts, installing new software and making changes to current software and databases that manage your company’s financials.
SOX External Audit Exemptions
-Companies that are non-accelerated filers (companies with less than 75 million dollars in public float, the portion of shares held by public investors)
-Emerging growth companies for up to five years
Section 409: Disclosures of Changes to Financial Conditions
You are required to disclose any changes to your company’s financial conditions or operations. Also, the information you present must be clear and use terms the public can understand. These disclosures should be supported by trend and qualitative information in graphic presentations as appropriate, for example bar or pie charts.
Section 802: Penalties for Altered Documents
Fines and Penalties
Unlike other compliance regulations, SOX specifically penalizes the corporate officer (usually the CEO or CFO) who is responsible for compliance rather than just the company itself. An officer who doesn’t comply or submits an inaccurate certification is subject to a $1 million fine and ten years in prison, even if done mistakenly. If an inaccurate account is submitted on purpose, the fine can be up to $5 million and twenty years in prison.
SOX Compliance Checklist
Are your CEO, CFO and other executives working together?
Is your SOX compliance software up to date and clear of any alerts?
Do you have a recent SOX compliance status report?
Is your data organized and accessible for the SOX auditor?
Are there any breaches or compliance issues left unreported?
Do you have security controls in place for all systems that handle your financials?
Have you published your quarterly and yearly reports with the proper accounting standards?
Did you report all changes to your company’s financial conditions?