16 Jul 2020 Ankit Chadha

SOX Compliance: Requirements and Checklist

In the summer of 2000, a wave of massive financial and accounting scandals at publicly traded companies like Enron, Global Crossing, Tyco International PLC, and WorldCom shocked the world. These high-profile scandals shook investor confidence in the dependability of corporate financial statements, which led to people demanding an overhaul of ancient regulatory standards. Consequently, the Sarbanes-Oxley Act (SOX) was established.  

SOX was drafted by U.S. Congressmen Michael Oxley and Paul Sarbanes to regulate financial accountability, financial practice, and corporate governance. This act also came to be known as the ‘Corporate and Auditing Accountability and Responsibility Act’ and the ‘Public Company Accounting Reform and Investor Protection Act.’  

What is SOX Compliance? 

SOX came into existence as a federal law to safeguard shareholders and the general public from fraudulent practices and accounting errors in companies and to improve the accuracy of corporate disclosures. The primary purpose of SOX is to institute verifiable security controls for protection against disclosure of confidential information and the tracking of personnel to identify data tampering related to fraud.  

Another key intention of SOX is to lessen fraud occurrences, enable data protection, build public trust and confidence as the absence of such functions may affect companies and their shareholders. SOX encompasses numerous sections, all of which demands compliance by all public companies in the United States, including international companies that have registered stock with the SEC. Subsequently, it is mandatory to carry out a SOX compliance audit annually by an external compliance auditor. Here’s a list of some of the primary requirements of the SOX compliance audit: 

  • Section 302 Stating Corporate Responsibility of Financial Records 

According to this section, companies have to protect their data responsibly so that financial reports are not based upon inaccurate, faulty, or tampered data. 

  • Section 401 Affirming Corporate Responsibility of Financial Records 

As per Section 401, the company has to publish all financial reports to the public, and these reports have to meet the related accounting standards. These statements also have to include all off-balance-sheet liabilities, transactions, or obligations, if any.  

  • Section 404 Stating Management Assessment of Internal Controls 

Section 404 is the primary element of a SOX compliance audit. In a nutshell, Section 404 ensures that the data security plans cannot be hidden from external auditors, and if any security breach occurs, they must be reported. An IT compliance audit is also conducted as part of Section 404, which is performed as per an IT compliance framework like COBIT (Control Objectives for Information Technologies). This audit examines four critical aspects of the IT environment in a company, which include: 

  1. Access: Electronic and physical measures that impede unauthorised access to sensitive and essential information, which comprises the process of fortifying data centres, servers, and authentication controls like lockout screens and passcodes.  

  1. Security: Staff, tools, and practices must be employed by companies to prevent security breaches on major networks and devices.  

  1. Change Management: Understand the mechanism behind the company’s critical software updates, how it defines new user accounts and retains audit trails of any alterations to the original software.  

  1. Backup: Inspect how the company handles the restoration of lost sensitive data, including data that is stored off-site.  

  • Section 409 Announcing Disclosures of Changes to Financial Conditions or Operations 

If a company’s financial condition changes, they are legally required to update the public about the same. Moreover, the information that is provided must be in laypersons terms so that nothing gets lost in the translation. 

  • Section 802 Imposing Penalties for Altering Documents 

Section 802 of the SOX levies penalties up to 20 years of imprisonment for concealing, destroying, altering, or falsifying documents and records to influence, obstruct, or impede a legal investigation. Arthur Andersen LLP, USA, was found guilty of illegally destroying documents pertaining to the ongoing Enron investigation. As a result of this, the company lost its license to audit public companies and was ultimately shut down.  

  • Section 906 Asserting Corporate Responsibility for Financial Reports 

The employees of a company who submit false or misleading financial reports can be imprisoned for up to 20 years or fined a maximum of $5 million.  

SOX Compliance Checklist 

  • Establish Protections to Prevent Data Tampering 

Enforce systems that track user logins and identifies suspicious login attempts into systems containing confidential data.  

  • Establish Processes to Record Timelines 

Implement systems that timestamp all data as and when it is received. Additionally, all records and data should be stored off-site as a control measure to avoid data theft, loss, or alteration.  

  • Establish Confirmable Controls to Track Data Access 

Set up systems that can receive data from a variety of organisational sources such as databases, FTPs (File Transfer Protocol), and related files. Control systems should also track who has accessed or edited the data, be it on a drive or on the server. 

  • Ensure Protections are Tested, Verified, and Operational 

Employ systems that send daily reports to certain officials informing them that the SOX measures are tested, verified, and operational. These systems should also give access to auditors to allow them to view reports and data.  

  • Regularly Report the Efficacy of the Safeguards 

Set up systems that generate reports with regards to critical alerts, messages, reports, security activities and problems that have occurred and how they were solved.  

  • Detect Security Breaches 

Enforce security control systems that analyse incoming messages or data, recognise symptoms of a data breach, and generate alerts to store them on the incident management system. 

  • Divulge Security Details and Security Failures to External SOX Auditors 

Enforce critical control systems that record security breaches or security incidents that take place. These incidents are notified to the external SOX auditors who have the permission to view and study them.  

SOX Compliance with TRC Consulting Services 

If it’s that time of the year where your company has to test or audit its SOX compliance, do not stress about it. At TRC Corporate Consulting, we offer extensive GRC services, including SOX Compliance.  

Our experts at TRC with their practical experience and deep-domain knowledge deliver innovative solutions for business consulting, outsourcing, compliance, and financial management services across all industries. If you have any queries regarding SOX compliance testing and audit, contact our team today!