The Sarbanes-Oxley Act of 2002, often simply called SOX or Sarbox, is U.S. law meant to protect investors from fraudulent accounting activities by corporations. Sarbanes-Oxley was enacted after several major accounting scandals in the early 2000’s perpetrated by companies such as Enron, Tyco, and WorldCom. The law mandated strict reforms to improve financial disclosures from corporations and prevent accounting fraud. It also covers issues such as auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure.
The law is named for the two congressmen who drafted it, Paul Sarbanes and Michael Oxley. The U.S. Securities and Exchange Commission (SEC) administers the act.
Though Sarbanes-Oxley does not call out any specific IT requirements, the law does have a great impact on information systems – and in particular the security of those systems – owed to the fact that the financial information covered under the law is processed and stored by IT systems. Section 404 in particular has had very costly implications for publicly-traded companies as it is expensive to establish, maintain, and validate the required internal controls.
Sarbanes-Oxley affects all public companies in the United States by requiring them to follow the provisions of the 11 sections of the act. In addition to publicly-traded companies, along with their wholly-owned subsidiaries and foreign companies that are publicly traded and do business in the U.S., Sarbanes-Oxley also regulates accounting firms that perform audits for any U.S. public company.
Private companies and charities aren’t required to follow all of the provisions of the law. However, private companies getting ready to go public with an IPO need to be prepared to comply with the regulations in Sarbanes-Oxley. The law also provides some exceptions for non-profit companies.
Sarbanes-Oxley includes protection for whistle-blowers, in an effort to encourage people to come forward to report suspected fraudulent activity within their own company. The strict punishments for officers, board members, and auditors for destroying company documents are criminal in nature and would apply to non-profit corporations as well as the publicly-traded companies targeted in the law, experts have said.
Sarbanes-Oxley is arranged into 11 titles. As far as compliance is concerned, the most important sections within these are often considered to be 302, 404, 409, 802 and 906.
Section 302 – Corporate Responsibility for Financial Reports – Every public company is required to file periodic financial reports with the SEC, and the principal executive officer and the principal financial officer must sign each report to indicate they have reviewed it and they certify that the report does not contain any untrue statements and does not omit any material information. In addition, the signers of the report are responsible for establishing and maintaining internal controls and must have validated those controls within 90 days prior to issuing the report.
Section 404 – Management Assessment of Internal Controls – All annual financial reports must include an Internal Control Report stating that management is responsible for an “adequate” internal control structure, and an assessment by management of the effectiveness of the control structure. Any shortcomings in these controls also must be reported. In addition, registered external auditors must attest to the accuracy of the company management’s assertion that internal accounting controls are in place, operational and effective.
Section 409 – Real Time Issuer Disclosures – Companies are required to disclose to the public in a timely manner any material changes in the financial condition or operations of the company in the interest of protecting investors and the public.
Section 802 – Criminal Penalties for Altering Documents – Anyone who knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of matters before the SEC can be fined, imprisoned for no more than 20 years, or both.
Section 906 – Corporate Responsibility for Financial Reports – The criminal penalty for certifying a misleading or fraudulent financial report can be upwards of $5 million in fines and 20 years in prison.
Sarbanes-Oxley not only affects the financial side of corporations, but also IT departments charged with implementing and maintaining the internal controls referenced in Section 404. Companies must document, test, and maintain those controls as well as the procedures for financial reporting to ensure their effectiveness. The impact of section 404 is substantial in that a significant amount of resources are needed for compliance.
Modern financial reporting systems are heavily dependent on technology and associated controls. Any review of internal controls would not be complete without addressing controls around information security. An insecure system would not be considered a source of reliable financial information because of the possibility of unauthorized transactions or manipulation of numbers. Thus, Sections 302 and 404 indirectly force the scrutiny of information security controls for SOX compliance.
The SOX regulation doesn’t specify any particular controls to safeguard financial data; this is left to the discretion of the individual company. However, the Public Company Accounting Oversight Board (PCAOB), which assists in implementation and oversight of SOX, has selected the COSO (Committee of Sponsoring Organizations) framework for the purpose of internal control guidance. Following the COSO framework is not mandatory but simply a way to help companies ensure they have adequate controls.
Sarbanes-Oxley does not specifically call for the use of encryption as a control to protect financial data, but its use is considered a best practice. The SANS Institute identifies encryption as a critical security control in its list of the Top 20 Critical Controls. According to SANS:
Data resides in many places. Protection of that data is best achieved through the application of a combination of encryption, integrity protection and data loss prevention techniques. As organizations continue their move towards cloud computing and mobile access, it is important that proper care be taken to limit and report on data exfiltration while also mitigating the effects of data compromise. The adoption of data encryption, both in transit and at rest, provides mitigation against data compromise.
In practice, many companies under the purview of the Sarbanes-Oxley Act actively engage in data protection through a technology stack that includes encryption, regardless of where the data resides, in order to legitimately attest to the fact that the data has not been tampered with or otherwise compromised. Under the penalty provisions of Sarbanes-Oxley, the stakes are high, and it’s critical for companies to know that their data is as secure as possible.