FAQ: What is SOX Compliance, and What are the Requirements?

Computer security has become one of the most important aspects of modern society for private individuals and corporate entities. As a society, we have transitioned from traditional, in-person interactions and transactions to a digital alternative. Where we once sent written letters or met in person to discuss topics of interest, we now send text messages or e-mails. The same digital transformation applies to commerce, as we have begun using online retailers rather than traditional storefronts to conduct business. 

Even our most critical financial information can be accessed through online portals designed to simplify things for users. While this advancement has made us far more productive, it has produced certain limitations and threats. 

The security issues associated with digital data storage are the most notable issue with our newfound dependence on technology. When we commit to digitizing so much sensitive information, someone will inevitably try to access it for their own benefit. Cybercrime is a prevalent issue that has led to several incidents where citizens’ private information is compromised. 

While we are generally advised to exercise caution to minimize the risk of stolen personal information, other groups are held to higher standards. Every financial institution is expected to comply with SOX standards, which have become critical to instituting data security measures. Despite the importance of SOX, not everyone knows what it means, much less how to remain compliant with its requirements.

Meeting SOX Compliance Standards

What is SOX?

If you are not accustomed to handling financial information, you have likely never heard of SOX or learned why it is important. 

In 2002, a United States senator named Paul Sarbanes and a representative named Michael G. Oxley sponsored a bill enacted in response to multiple corporate accounting scandals. The bill had multiple names and was presented to the Senate as the Public Company Accounting Reform and Investor Protection Act. When presented to the House, it was called the Corporate and Auditing Accountability, Responsibility, and Transparency Act. 

However, most people recognize it as the Sarbanes-Oxley Act (SOX), as it was renamed to honor the aforementioned officials. The swiftness of this bill’s ratification was likely due to the number of companies involved in the scandals and the fact they all collapsed.

Sarbanes-Oxley Act

Before SOX was enacted, the Enron Corporation, Tyco International, Adelphia Communications Corporation, Peregrine Systems, and MCI went under because of these scandals. This cost their investors billions of dollars and destroyed public faith in the United States securities market. SOX consists of 11 titles that regulate how companies like those involved in the scandals handle their responsibilities. These titles are:

  • Title I – Public Company Accounting Oversight Board: A 9-section title of SOX that compels companies to create a board of representatives to oversee public accounting firms and auditing services.
  • Title II – Auditor Independence: A 9-section title of SOX that establishes guidelines for hiring external auditors. 
  • Title III – Corporate Responsibility: An 8-section title of SOX that ensures a company’s executive officers take responsibility for financial reports. 
  • Title IV – Enhanced Financial Disclosures: A 9-section title of SOX that enhances the standard requirements for financial reports. 
  • Title V – Analyst Conflicts of Interest: A 1-section title of SOX that defines a code of conduct for securities analysts and disclosure procedures.
  • Title VI – Commission Resources and Authority: A 4-section title of SOX that outlines additional policies for securities analysts. It also outlines the Securities and Exchange Commission’s ability to censure or ban securities professionals from practicing.
  • Title VII – Studies and Reports: A 5-section title of SOX that requires the Comptroller General and the Securities and Exchange Commission to perform studies and report their findings.
  • Title VIII – Corporate and Criminal Fraud Accountability: A 7-section title of SOX that outlines criminal penalties for manipulating or destroying financial records. It also provides protections for “whistleblowers.”
  • Title IX – White Collar Crime Penalty Enhancement: A 6-section title of SOX that increases the penalties for white collar crimes committed by the company or its staff.
  • Title X – Corporate Tax Returns: A 1-section title of SOX that mandates the company’s chief executive officer (CEO) to sign the company tax return.
  • Title XI – Corporate Fraud Accountability: A 7-section title of SOX that identifies corporate fraud and record tampering as criminal offenses. It also outlines the associated penalties for these crimes.

These titles help ensure companies take the necessary steps to safeguard sensitive financial information and accurately report earnings and losses to the government. Otherwise, the company would be committing serious crimes that jeopardize the financial status of its investors and customers. While these laws have served their purpose, the companies expected to follow them are not always willing to do their part. 

Sometimes, companies fail to adhere to SOX requirements because they attempt to break the law for personal gain. Other times, there might be genuine confusion about SOX compliance. Therefore, understanding what you must do to meet SOX requirements is fundamental to preventing issues that would leave your business in financial and legal trouble.

What is Required for SOX Compliance?

Meeting SOX standards can be challenging since laws like this are fairly complicated due to the various titles and sections. While we have provided a brief overview of the titles, determining what you must do to ensure your company meets federal standards can be difficult. There are a few obvious requirements, namely following the letter and spirit of the law regarding white-collar crimes like embezzlement and fraud. Otherwise, the main aspect of SOX compliance is ensuring your financial disclosures meet federal standards. 

The main goal of SOX was to keep companies transparent for the benefit of those who finance them. This could include investors or direct customers, depending on the industry in which your business is involved. Accurate reporting and proper auditing are essential for any business that does not want to run afoul of the federal government.

Filing Company Financial Reports

The first step to remaining in compliance with SOX is to ensure your company files financial reports at the end of each year. Each state has its own regulations about when the reports are due, and the frequency of the reports changes depending on whether your company is a corporation, LLC, LP, or LLP. For example, an LLC operating in California must file reports biennially to the Secretary of State on the anniversary of the company’s founding. Meanwhile, a corporation operating in the same state must only file reports annually. Filing your financial reports in compliance with these regulations is essential to meeting SOX standards.

The next step is having an external contractor audit your company to ensure your finances match your reports. These audits confirm that you are accurately reporting your earnings and losses, so that both mistakes and intentional misreporting are handled accordingly. However, most people forget about another aspect of SOX compliance and auditing. A major aspect of SOX is ensuring that financial information is secured and inaccessible to cybercriminals. As a result, SOX compliance requires your company to have an effective information technology team and cybersecurity system in place.

What is Required for SOX IT Compliance?

Every major financial network operates through digital records as its primary data storage and retrieval source. Paper records have been relegated to contingency because online transfers and exchanges are easier. While it might seem like physical copies are redundant or needless, digital networks are not inherently secure. Digital networks and databases can be compromised, which is significantly more terrifying when the breach occurs on a financial network. As a result, SOX has made provisions to account for security issues on financial networks to ensure the same level of responsibility as with any other aspect of the industry.

SOX regulations require financial institutions to maintain cybersecurity practices to ensure data is stored safely and access is limited to authorized users. Otherwise, compromised networks could be considered a result of negligence by the firm rather than an effective cyberattack. 

Unfortunately, complying with SOX information technology requirements is not a simple feat. There are several practices your company must adopt to ensure your network is in line with federal regulations under SOX. The most important of these requirements is to establish basic data authorization procedures. This means ensuring that data can only be accessed by the staff assigned to those files. For example, leaving every file available for any employee to access from their personal computers would be a blatant violation of security protocol. That said, you might want more specific information to ensure your IT system follows SOX regulations.

Ensure all software is updated to the most recent version to benefit from the most recent security measures. Software is regularly patched to address security issues and implement new subroutines that improve efficiency and capability. An operating system or application that is not up to date will retain the security issues and vulnerabilities that were patched out. As a result, cybercriminals can take advantage of a flaw that was supposed to be fixed and access sensitive information.

SOX IT Compliance

Another important part of SOX IT compliance is maintaining proper monitoring practices to ensure data access is limited to authorized personnel. Some companies believe that creating a password system and telling employees not to share their passwords is sufficient to protect sensitive information. Unfortunately, that plan only accounts for those within the company and assumes they will always adhere to that regulation. 

Cybercriminals who bypass the firewalls or employees who manage to pilfer someone else’s password can access sensitive data without being noticed unless the network is monitored. This means having a semi-automated alert system to inform your IT staff who accessed what information and when. This way, when unauthorized access is identified, a response plan can be executed to stop it.
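The two IT requirements described above, a deny-by-default authorization rule and an audit log that is reviewed for access outside that rule, can be put together in a few dozen lines. The following is an added example written for this article; it is not code from the article's author or from U.S. Cybersecurity. The roles, resource names, staff accounts and log lines are all constructed for illustration, and the log format (`timestamp user=… action=… resource=…`) is an assumption rather than any real product's format.

```python
"""Added example (not from the original article): a deny-by-default access
policy plus a review of constructed audit-log lines that flags accesses the
policy does not permit, so IT staff can see who accessed what and when."""
from dataclasses import dataclass
from datetime import datetime
import re

# Constructed least-privilege policy: which roles may read which data sets.
# Anything not listed here is refused.
POLICY = {
    "general_ledger": {"accounting", "auditor"},
    "payroll": {"hr", "payroll_admin"},
    "investor_reports": {"finance", "auditor", "executive"},
}

# Constructed staff directory mapping each account to its single assigned role.
STAFF_ROLES = {
    "alice": "accounting",
    "bob": "hr",
    "carol": "auditor",
    "dave": "marketing",
}

# Assumed log format: "<ISO timestamp> user=<name> action=<verb> resource=<name>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\w+) action=(?P<action>\w+) resource=(?P<resource>\w+)$"
)


@dataclass(frozen=True)
class AccessEvent:
    timestamp: datetime
    user: str
    action: str
    resource: str


def parse_log_line(line):
    """Parse one audit-log line into an AccessEvent; reject lines that do not
    match the expected format rather than silently skipping them."""
    m = LOG_LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return AccessEvent(
        datetime.fromisoformat(m["ts"]), m["user"], m["action"], m["resource"]
    )


def is_authorized(user, resource):
    """Deny by default: unknown accounts, unknown resources and roles that are
    not on the resource's allow-list are all refused."""
    role = STAFF_ROLES.get(user)
    if role is None:
        return False
    return role in POLICY.get(resource, set())


def review_access_log(lines):
    """Return the events that violate the policy, each paired with a short
    reason suitable for an alert to the IT staff."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_log_line(line)
        if not is_authorized(event.user, event.resource):
            role = STAFF_ROLES.get(event.user, "<unknown account>")
            alerts.append((event, f"role '{role}' not permitted on {event.resource}"))
    return alerts


# Constructed sample log: two legitimate reads, one read by a staff member
# outside their role, and one read by an account not in the directory at all.
SAMPLE_LOG = """
2024-03-04T09:12:05 user=alice action=read resource=general_ledger
2024-03-04T09:15:41 user=bob action=read resource=payroll
2024-03-04T09:20:13 user=dave action=read resource=investor_reports
2024-03-04T23:47:02 user=temp_acct action=read resource=general_ledger
""".strip().splitlines()


if __name__ == "__main__":
    for event, reason in review_access_log(SAMPLE_LOG):
        print(
            f"ALERT {event.timestamp.isoformat()} {event.user} "
            f"{event.action} {event.resource}: {reason}"
        )
```

Run as a script it prints two alerts, one for `dave` (a marketing role reading investor reports) and one for `temp_acct` (an account the staff directory does not know). The design choice worth noting is that `is_authorized` refuses anything it cannot positively match, which is what turns the policy in the paragraph above ("only the staff assigned to those files can access them") into something an automated review can enforce rather than merely describe.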

The next step is outlining a breach response plan, so your IT staff is ready to act immediately should a cybercriminal get past your firewalls and defenses. Response plans to a data breach can vary but usually account for identifying the breach, blocking further access, and identifying where the vulnerability was so your staff can correct the issue. Your IT staff will generally draft the particulars of your response plan since they have the technical knowledge necessary to create one.

While all these details are crucial to maintaining SOX compliance, it means nothing if your IT staff are not trained to handle financial data per SOX regulations. Therefore, you should also ensure your staff is well-versed in accessing this information without violating the laws. Otherwise, whenever your untrained IT staff accesses financial information outside SOX regulations, you are responsible for their actions. This can destroy a financial firm since not every IT specialist is trained in SOX or how to access financial records securely.

This can be a lot of work for a company and possibly beyond your capacity if you lack time and resources. Fortunately, SOX IT compliance is something you can easily outsource if you need extra help.

Technically Speaking…

The Sarbanes-Oxley Act safeguards against abusing financial information from within or without a company. The problem is that some people will abuse information entrusted to them for personal profit despite the damage it causes their victims. The number of companies that failed to uphold their duty before SOX was ratified was a monument to the errors a company can commit when left unchecked. 

Nowadays, most companies adhere to SOX regulations to avoid losing their business, but there will always be outliers who believe they deserve their customers’ data. Even worse, some people will bypass security measures in the company’s network to steal the data despite having no affiliation. This is why SOX has updated its requirements to account for cybersecurity requirements. Unfortunately, training an in-house cybersecurity team is expensive and time-consuming.


That is why we at U.S. Cybersecurity have made it our mission to help companies build their cybersecurity defenses with an external team. We can perform penetration tests, draft breach response plans, and ensure your company’s financial data is stored per SOX requirements. These days, maintaining quality cybersecurity practices is as valuable as the information your company is responsible for safeguarding. We encourage you to visit our website and see which services appeal to you. We are standing by and ready to assist you.

Herman McCargo

Herman is a Microsoft Certified Security Engineer and Cybersecurity Specialist. He’s been in the technology field for over 20 years and has expertise working with the most critical technology infrastructures. He has a deep understanding of cyber risks, threat mitigation and prevention, and overseeing infrastructure.