The Sarbanes-Oxley Act of 2002 (SOX)
By: Edris Ahmady
Introduction
When a new law is introduced, it is meant to address an issue a nation is facing currently or will face in the near future. In this case, the SOX Act of 2002 was meant to address the widespread corporate fraud that existed within the financial industry in the United States. The two most notable corporate frauds that prompted the SOX Act were the scandals involving Enron Corporation and WorldCom Telecommunications. Together, these scandals resulted in over forty thousand people losing their jobs and investors losing over two hundred billion dollars in the span of just two years. With that said, let's take a deeper dive into the SOX Act and try to understand exactly what this law entails.
Overview
The Sarbanes-Oxley Act of 2002 was brought forth by two United States Senators by the names of Paul Sarbanes and Michael Oxley. Its goal was to force all publicly traded companies to create and implement various accounting controls, which then needed to be reported to the Securities and Exchange Commission (SEC). Additionally, it created the Public Company Accounting Oversight Board (PCAOB), a nonprofit organization tasked with auditing public companies and ensuring that no false financial reporting is done. Moreover, the act added a provision under which company heads such as CEOs and CFOs must sign off on all financial reporting to ensure accountability and integrity. Failure to do so may result in fines of up to five million dollars and jail time of up to twenty years. To this day, the Sarbanes-Oxley Act of 2002 remains one of the most authoritative pieces of legislation ever passed within the financial auditing industry.
Are You SOX Compliant?
In order to be SOX compliant, the signing officer must attest to the accuracy of all data reported in the following domains. To ensure accuracy, an organization must implement Enterprise Resource Planning (ERP) systems and Governance, Risk and Compliance (GRC) systems within these domains.
- Establish safeguards to prevent data tampering: The organization in question must have safeguards in place to prevent data tampering and unauthorized access to sensitive data, and must have the ability to carry out proper access management.
- Establish safeguards to establish timelines: The organization in question must implement controls that apply time stamps to all data processes as they occur. Additionally, all data being processed must be safely and securely offloaded to an alternate site, following best data management and data security practices.
- Establish verifiable controls to track data access: The organization in question must have controls in place that allow it to receive data messages from large volumes of traffic. This means that the organization would need to implement file queues, FTP transfers, and databases.
- Ensure that safeguards are operational: The organization in question must have the ability to identify faults that exist within its operations and have the means to remediate them in a timely manner.
- Periodically report the effectiveness of safeguards: The organization in question must have the ability to generate reports of alerts that may be raised by the system. Additionally, the organization must use many forms of reporting, such as automated messages, alerts and ticketing systems, which provide an opportunity to archive events and alerts.
- Detect security breaches: The organization in question must have the ability to monitor systems in real time, detecting breaches or threats as they occur. The controls put in place must be able to produce analysis reports that update the incident management systems.
- Disclose security safeguards to SOX auditors: The organization in question must have the ability to provide access to auditors so that they can carry out auditing tasks effectively. Additionally, the access granted to auditors must allow them to thoroughly view system controls without the ability to make any changes.
- Disclose security breaches to SOX auditors: The organization in question must share all security incidents with security personnel in real time, while keeping a record of any and all security incidents.
- Disclose failures of security safeguards to SOX auditors: The organization in question must have the ability to periodically test its security safeguards and create reports that will later be reviewed to drive improvements to those safeguards.
In the end…
I hope you were able to understand the SOX Act and its significance. This act provided much needed oversight of the financial industry and gave auditors the power to effectively ensure that fraudulent financial activities never happen again. If you would like to read the act in its entirety, there is a link at the bottom that will take you to the full text of the act.
The SOX Act of 2002 in its entirety: https://www.congress.gov/bill/107th-congress/house-bill/3763