Sarbanes-Oxley Act
In 2002, the United States Congress passed the Sarbanes-Oxley Act (SOX) to protect shareholders and the general public from accounting errors and fraudulent practices in enterprises, and to improve the accuracy of corporate disclosures. Congressmen Paul Sarbanes and Michael Oxley drafted the act to improve corporate governance and accountability and to protect investors from fraudulent financial reporting by corporations.
In this article, you will read about:
What is SOX Compliance?
Key provisions and requirements
Rules for Management of Electronic Records
SOX Compliance and Security Controls
Data Protection and Compliance
SOX Compliance Audits
Costs to Businesses
How Rainbow Secure Partners can help make your business SOX compliant
What is SOX Compliance?
The Sarbanes-Oxley Act of 2002 is a federal law that established sweeping auditing and financial regulations for public companies. The Act contains provisions affecting corporate governance, risk management, auditing, and financial reporting of public companies, including provisions intended to deter and punish corporate accounting fraud and corruption. The Act came into force in light of the financial scandals that occurred at Enron, WorldCom, and Tyco, among others. Enron, for its part, had been considered one of the largest, most successful, and most innovative companies in the United States.
- Around 2000, Enron unraveled in less than two years as both the company’s fraudulent practices and its executives’ criminal activities came to light.
- The telecommunications giant WorldCom became embroiled in scandal due to its fraudulent accounting practices. After filing for bankruptcy in 2002, the company was hit with a $750 million SEC fine. Its chief executive officer (CEO) was sentenced to 25 years in prison, and the chief financial officer (CFO) received a five-year jail sentence as a result of criminal charges in the case.
- The financial scandal at Tyco International also preceded the Act. In this case, the company’s former CEO and CFO were convicted of stealing hundreds of millions of dollars from the company, falsifying business records, and violating other business laws. The Act enhanced accounting compliance regulations to keep such a scandal from occurring again.
All public companies now must comply with SOX, both on the financial side and the IT side. How IT departments store corporate electronic records changed as a result of SOX. While the act does not specify how a business should store records or establish a set of business practices, it does define which records should be stored and the length of time for storage. To comply with SOX, corporations must save all business records, including electronic records and electronic messages, for “not less than five years.” Consequences for noncompliance include fines or imprisonment, or both.
Key provisions and requirements of SOX
The Sarbanes-Oxley Act is arranged into eleven titles, each of which contains a number of sections. The following are some of the important sections of the Act:
Section 302
Signing officers must certify that financial reports and statements meet the following conditions:
- The documents have been reviewed by the signing officers and passed internal controls within the last 90 days.
- The documents are free of untrue statements or misleading omissions.
- The documents truthfully represent the company’s financial health and position.
- The documents are accompanied by a list of all deficiencies or changes in internal controls and information on any fraud involving company employees.
Section 401
Financial statements are required to be accurate. Financial statements must also disclose any off-balance-sheet liabilities, transactions, or obligations.
Section 404
Companies must publish a detailed statement in their annual reports explaining the structure of the internal controls they use. Information about the procedures used for financial reporting must also be made available. The statement should also assess the effectiveness of the internal controls and reporting procedures.
The accounting firm auditing the statements must also assess the internal controls and reporting procedures as part of the audit process.
Section 409
Companies are required to urgently disclose drastic changes in their financial position or operations, including acquisitions, divestments, and major personnel departures. The changes are to be presented in clear, unambiguous terms.
Section 802
Section 802 outlines the following penalties:
- Any company official found guilty of concealing, destroying, or altering documents, with the intent to disrupt an investigation, could face up to 20 years in prison and applicable fines.
- Any accountant who knowingly aids company officials in destroying, altering, or falsifying financial statements could face up to 10 years in prison.
Rules for Management of Electronic Records
As a result of SOX, IT departments are responsible for creating and maintaining an archive of corporate records. They seek out ways to do that cost-effectively while ensuring they are in complete compliance with the requirements of the legislation. Three rules in Section 802 of SOX affect the management of electronic records.
- First rule: This rule concerns the destruction, alteration, or falsification of records and the resulting penalties.
- Second rule: A rule that defines the retention period for records storage; best practices suggest corporations securely store all business records using the same guidelines as public accountants.
- Third rule: This rule outlines the type of business records that need to be stored, including all business records, communications, and electronic communications.
The Act primarily sought to regulate financial reporting, internal audits, and other business practices at publicly traded companies. However, some provisions apply to all enterprises, including private companies and non-profit organizations.
SOX Compliance and Security Controls
The best plan of action for SOX compliance is to have adequate security controls in place to ensure that financial data is accurate and protected against loss. Developing best practices and relying on the appropriate tools helps businesses automate SOX compliance and reduce SOX management costs.
Data classification tools are commonly used to address compliance challenges by automatically spotting and classifying data as soon as it is created and applying persistent classification tags to it. Context-aware solutions can classify and tag electronic health records, cardholder data and other financial data, confidential design documents, social security numbers, PHI (Personal Health Information), PII (Personal Identification Information), and other regulated structured and unstructured data.
Data Protection and Compliance
Data classification enables security teams to monitor and enforce corporate policies for data handling. Depending on the sensitivity of data and its applicable regulations, it may need to be encrypted, compressed, or saved to a different file format. With the correct policies in place, corporations can prevent unauthorized users, even those with administrative rights to the system, from viewing regulated data. The best solutions can also prevent data egress through copying to removable storage devices. Another feature of security solutions is their ability to safeguard shared data. Data “masking” features give users access to necessary information while ensuring compliance with regulations.
SOX Compliance Audits
Being SOX compliant and complying with other regulatory standards is nearly impossible without the correct security solutions in place. Providing evidence of compliance is even harder, because the evidence must prove that written controls are in place, communicated, and enforced, while also supporting non-repudiation. The correct security software solution provides that evidence so that all of your compliance efforts are worthwhile.
A software solution for meeting compliance requirements should be able to monitor data, enforce policies, and log every user action. Protect your data and your business with a software solution that ensures SOX compliance.
Costs to Businesses
While the Sarbanes-Oxley Act benefited investors, compliance costs rose for small businesses. According to a 2006 SEC report, smaller businesses with a market cap of less than $100 million faced compliance costs averaging 2.55% of revenues, whereas larger businesses paid an average of only 0.06% of revenue. The increased cost burden was mostly carried by newer companies that had recently gone public. A more granular view of the compliance costs experienced by businesses can be found in the chart below:
However, according to the Harvard Business Review, there have been unexpected benefits of the Sarbanes-Oxley Act. In its review, it highlighted how PepsiCo uses an annual survey of about 100 senior executives to demonstrate the condition of its control culture. PepsiCo states that “A focus on the control environment helps ensure that the controls themselves are the second and third lines of defense, not the first.”
With the advent of Sarbanes-Oxley, Paul Audet (former CFO and now chief executive of the cash management business of BlackRock, an investment firm with more than $450 billion in assets under management) saw an opportunity to overhaul the company’s job description documentation. The benefits of doing so have been especially noticeable during employee absences and periods of high turnover, because the revised documentation has helped recruits become acclimated more quickly. BlackRock’s documentation efforts have also increased employees’ understanding of operations. PepsiCo has also benefited from updating its documentation processes.
The Review also mentions a CFO of a Fortune 1000 real estate company who informed them of another documentation benefit from Sarbanes-Oxley. This executive approached Section 404 documentation confident that his company’s sign-offs had been unfailingly executed, only to make what he referred to as a “humbling” discovery: The people signing off on the documents had been merely glancing at the contracts and leases in question. That lack of attention left the company susceptible to unenforceable contract provisions, miscalculated rent escalations, and unexecuted underlying agreements. After disciplining the negligent parties, the company instituted far more rigorous cross-checks of contracts and leases.
Yankee Candle CFO Bruce Besanko, who was working at another consumer products company when Sarbanes-Oxley was enacted, says that the Act changed the atmosphere on that company’s audit committee.
How Rainbow Secure Partners can help make your business SOX compliant
- Ensure ownership of data and accounts with the help of Rainbow Secure authentication and Single Sign-On
- Ensure data protection by implementing data access controls using custom APIs from Rainbow Secure
- Implement SOX compliance and secure compliance data stores with services from Rainbow Secure Partners
Rainbow Secure can help secure your customer interactions, data sharing, and the logins of employees who have access to customers’ sensitive data. Rainbow Secure offers multilayer graphical login solutions, secure business email, and encryption for achieving data health and managing data privacy. Businesses can use it to securely administer data regardless of whether the data is in the cloud or on-premises. Rainbow Secure enables businesses to keep their data in compliance with data privacy, data security, and data governance best practices, laws, and regulations. It lets organizations classify data, secure it, and restrict access to it. To know more, schedule a call today or email us at hello@rainbowsecure.com.