The early 2000s were a turbulent time for the U.S. financial markets as large financial and accounting scandals rocked the entire nation. Corporate heavyweights such as Enron and Tyco faced consequential fraud charges, while WorldCom buckled down in a $100 billion bankruptcy.


The discovery of accounting malpractices and fraud in large enterprises caused share prices to plummet, which thoroughly shook public confidence in the U.S. securities markets. The damage, caused by the dot-com bubble burst and associated financial scandals, is estimated to be over $6 trillion in household wealth.


In the wake of this notorious financial crisis, the US Congress passed the Sarbanes-Oxley (SOX) Act, which aimed to enhance corporate transparency and bring accountability to financial reporting.


“But what does a law governing accounting and financial reporting have to do with IT?” That’s a great question! In the following sections, we will provide an answer to that and other questions related to SOX and IT.

But before tackling the bigger questions, let’s go over the basics… 

The SOX Act, named after its sponsors Senator Paul Sarbanes and Representative Michael G. Oxley, was passed into law by the US Congress in 2002. It was also known as the "Corporate and Auditing Accountability, Responsibility, and Transparency Act".


The goal of the SOX Act is to protect shareholders and the general public from fraudulent accounting practices in enterprises and to improve the accuracy of corporate reports. To achieve this goal, the SOX Act places requirements and responsibilities on the boards of directors and management of all US public companies as well as on public accounting firms. Some of the provisions of SOX also apply to privately held companies.


In total, it contains eleven sections that lay out the requirements and mandates the Securities and Exchange Commission (SEC) to implement rulings on compliance. While the SOX Act is quite complex, the SOX Compliance is simpler to understand and refers to the annual audit, which requires public companies to provide proof of accurate financial reporting.

SOX compliance applies to the following entities:

• All publicly-traded companies in the United States,

• Wholly-owned subsidiaries and foreign companies that are publicly traded and do business in the United States,

• Accounting firms that audit companies requiring SOX compliance, and

• Applies partially to private companies, charities, and non-profits.

Private companies that are planning to go public should also prepare for SOX compliance before they go public.

The most important requirements of SOX compliance are listed below:

• CEOs and CFOs are personally accountable for the accuracy, documentation, and submission of all financial reports.

• The management is responsible for an adequate internal control structure for financial records.

• The company must implement, communicate, and enforce formal data security policies. It should also implement a comprehensive data security strategy.

• Companies must continuously monitor and measure SOX compliance objectives and be able to provide documentation proving compliance.

Unsurprisingly, all of the key requirements of SOX are related to financial reporting and accounting. So where does IT come into the picture?

Although SOX seeks to govern the financial operations and reporting of enterprises, its impact is not limited to the finance department. In fact, SOX compliance specifically involves the IT department since it is responsible for access rights, internal security controls, and data security that encompass the safety of financial records.

The following sections of this blog post outline how organizations can prepare their IT for SOX compliance and the tools that can aid in achieving compliance.

To achieve SOX compliance, the IT department must be able to demonstrate adequate controls in the following areas:

• Access Management

Access management controls can range from simple physical controls such as door locks, access badges, sign-in logs, etc. to more complex virtual controls such as Zero Trust Security, and Principle Of Least Privilege (PoLP), which, in fact, is a requirement of SOX compliance.

• Data Security

Companies are required to demonstrate adequate protection against data breaches. The controls can be policy-based controls such as data classification and data usage policies or technical controls such as encryption and Access Control Lists (ACLs).

• Data Backup

Companies must maintain SOX-compliant off-site backups of all financial records.

• Change Management

Companies are also required to document all changes made to databases or applications that manage their financials. There need to be defined processes for adding users, installing new software, and making changes to systems and evidence showing adherence to the processes.

IT Systems That Assist With SOX Compliance Audits

Meeting the requirements of extensive documentation, meticulous change management, strict access management, and robust data security can be onerous, if not impossible. Thankfully, many readily available software and tools can make meeting SOX compliance requirements a whole lot easier.

Here’s a list of a few important ones:

• Security Information and Event Management (SIEM)

Companies use many security tools and systems such as endpoint security, threat detection, network security, etc. These tools generate useful information about anomalies and threats but since they work in isolation, the information generated by one is not automatically available to the other.

SIEM software collects log and event data generated by isolated applications, security devices, and systems into a single centralized platform. This allows a thorough analysis of data leading to better insights and detection of anomalies and threats that could otherwise remain undetected.

In addition to threat detection, SIEM helps with compliance by simplifying reporting. The consolidation of security data allows the creation of data dashboards that organize, monitor, and retain the data required for SOX audit reporting.

• Data Loss Prevention (DLP)

Data Loss Prevention (DLP) consists of systems, processes, and tools that prevent unauthorized access to a company’s sensitive data. DLP systems are capable of classifying data, tracking access and sharing, identifying violations, and preventing unauthorized access.

The policies defining how data can be accessed or shared will be governed by SOX compliance requirements. DLP systems also provide forensics and incident response capabilities that are necessary for SOX compliance.

• Identity And Access Management (IAM)

Identity and access management (IAM) solutions tackle the problem of ensuring appropriate access to corporate resources. The age of remote work has brought an increasingly heterogeneous environment consisting of diverse applications, technologies, and devices that requires a security system far more robust than the traditional username-password combination. And IAM fills this role.

IAM solutions elevate security by incorporating multi-factor authentication, machine learning, artificial intelligence, and risk-based authentication into access management. It offers a robust mechanism for regulating access and applying role-based access controls, thus helping meet SOX compliance requirements.

• Data Backup

Data backup is a fundamental part of data security. Keeping periodic, retrievable copies of data stored safely provides safeguards against system failures, data corruption, accidental deletion, and ransomware attacks.

A robust data backup strategy utilizes the industry best practice of the 3-2-1 backup, which requires maintaining 3 copies of the data, stored on 2 different storage media, 1 of which must be located off-site. As we mentioned earlier, off-site backups of all financial records are mandatory for SOX compliance. Therefore, this backup strategy is a perfect fit for companies that need to meet SOX compliance requirements.

Conclusion

SOX compliance is impossible to achieve without well-prepared IT systems and robust data security. So before embarking on a SOX compliance project, it is critical to perform an audit of internal security controls, including policies, processes, applications, and systems.

Achieving compliance can be a challenging task, but it is definitely worth the effort because SOX compliance doesn’t just bring transparency and credibility to accounting and financial reporting but also equips companies to better deal with security threats. SOX compliant companies are, in general, safer from data breaches and resulting damages.

Unsure about the adequacy of your IT systems to meet compliance requirements? Reach out to us by clicking the button below to learn how we can help with IT security and compliance.

If you liked the blog, please share it with your friends