What Is SOX Compliance? [2021 Definition & Guide]
Introduction to SOX Compliance
Professor George L. Kelling of Rutgers University once predicted that removing all graffiti in the New York subway would deter violence. The 5-year period during which the study was observed saw a decrease and eventual reversal in the area’s crime rate. Kelling’s hypothesis was born out of the idea that promoting civil compliance helps to establish an environment where everyone feels responsible for complying with the law.
The theory that maintaining order at the most basic and manageable level has a domino effect can be exemplified in various areas of life. The “broken windows” theory is a famous psychological framework that claims that fixing broken windows within a given environment has a positive impact on community safety. There is also the concept of traffic lights: on a granular level, they sometimes feel to us individuals like an unnecessary restriction, and only when we imagine the calamity resulting from every driver on the road ignoring them do we realize their true value.
On a corporate level, the idea that compliance by all fosters the safety and well-being of many translates strongly into efficiency and risk management.
When top management is committed to promoting compliance, they not only improve their corporate value, but they also reduce their organization’s reputational risk.
A 2017 study published by the American Accounting Association (AAA) showed a link between companies with weak internal control systems and incidents of undisclosed fraud. The report also showed that companies with weak internal controls consistently underperformed on the market.
Between 2000 and 2002, multiple public companies in the U.S. were involved in scandals involving the American public and its representatives in Congress.
One of those companies was Enron, which at the time had been perceived as one of the most financially sound organizations in the country.
Their positive reputation quickly took a downturn when they became responsible for their shareholders’ devastating losses — losses that could have been prevented had Enron not produced inflated earnings reports, embezzled corporate funds and illegally manipulated the energy market.
As a result of various corporate fraud instances taking place in public companies like Enron nationwide, legislation known as the Sarbanes-Oxley Act (SOX) was drafted in order to protect investors.
In this guide, we’ll explain what the SOX Act is, explore the definition of SOX compliance, detail SOX compliance requirements, and reveal the audit steps and fines that enforce those requirements. We’ll also explain why SOX compliance software is the best way to equip your organization with the tools needed to carry out assurance duties in a simple and timely manner.
What is SOX Compliance?
Sponsored by U.S. Senator Paul Sarbanes and U.S. Representative Michael Oxley, The Public Company Accounting Reform and Investor Protection Act of 2002 is also known as the Sarbanes-Oxley (SOX) Act.
The act was created to protect investors by improving the accuracy and reliability of corporate disclosures. This critical change to federal securities law came as a result of the corporate financial scandals involving the aforementioned Enron, along with many other publicly-traded companies like WorldCom and Global Crossing.
As a result of the SOX Act, all public and some privately-held companies are required to comply with the SEC by implementing and reporting internal accounting controls.
At the most basic level, SOX protects shareholders by:
- Closing loopholes
- Strengthening corporate governance
- Increasing accountability
- Requiring corporate transparency
- Protecting whistle-blowers
- Penalizing malfeasance
- Authorizing the Public Company Accounting Oversight Board (PCAOB) to monitor corporate behavior
SOX Compliance Definition
So how does the SOX Compliance Act impact the operations at your organization?
As of 2006, when it went into effect, it is your job to make certain that your company is staying compliant with the act’s requirements.
This entails identifying risks, designing controls to address vulnerabilities, mapping controls to key objectives, testing controls for effectiveness and reporting to regulators. For financial reports, it forms an important part of the overall Governance, Risk & Compliance landscape.
Who Must Comply With SOX?
All USA-based, publicly traded companies must comply with SOX. Publicly traded foreign companies and wholly-owned subsidiaries that do business in the U.S. are held to the same requirement. Non-profit organizations and private companies aren’t legally required to comply with SOX, but many find that following it is a good practice. Some countries have their own standards such as J-SOX for Japan or C-SOX for Canada, which affects non-public companies. Insurance agencies are also subject to MAR, the regulatory counterpart to SOX for private insurers.
If a company plans to go public, it must comply with SOX once it makes an initial public offering (IPO). Complying with SOX before an IPO can help make the process smoother, as the company will need to demonstrate compliance before it goes public.
How SOX Affects IT Departments
IT departments play a critical role in ensuring an organization’s SOX compliance. The IT department needs to provide evidence that internal processes abide by the data security requirements included in the SOX act.
To comply with SOX, an IT department must:
- Be aware of access policies
- Aim to continuously improve security risk remediation
- Increase transparency of financial data security practices
- Follow log management standards for financial records
SOX Compliance Requirements
There are eleven sections of the SOX Act, and eight of them detail the most important requirements for remaining in compliance. See below for a summary pulled from Sarbanes Oxley 101:
Section 302: Corporate Responsibility for Financial Reports
This pertains most directly to the responsibility of the CEO and CFO. It requires that they review all financial reports and ensure that the reports do not contain any misrepresentations and are not presented in an unfair way. The CEO and CFO are made responsible for the internal accounting controls and must report any deficiencies and material changes within them, as well as any fraud involving the management of the audit committee.
Section 401: Disclosures in Periodic Reports
Section 401 states that all financial statements and their requirements must be accurate and correctly presented and must not omit to state material information. The financial statements must also include all material off-balance sheet obligations, transactions and liabilities.
Section 404: Management Assessment of Internal Controls
This section speaks to the annual financial reports. Such reports are required to include an Internal Control Report stating that management is responsible for an adequate internal control structure and a management assessment. Shortcomings in these controls must also be reported, and registered external auditors must confirm the accuracy of the company management’s assertion that the internal accounting controls are operational and effective.
Section 409: Real-Time Issuer Disclosures
To uphold section 409, information concerning material changes in a company’s financial condition or operations must be disclosed on an almost real-time basis.
Section 802: Criminal Penalties for Altering Documents
Section 802 details the specific penalties for knowingly altering documents in an ongoing legal investigation, audit or bankruptcy proceeding.
Section 806: Protection for Employees of Publicly Traded Companies Who Provide Evidence of Fraud
This authorizes the U.S. Department of Labor to protect whistleblowers who expose information about a company against retaliation by their employers. It further authorizes the Department of Justice to criminally charge those responsible for the retaliation.
Section 902: Attempts & Conspiracies to Commit Fraud Offenses
This section makes it clear that it is a crime for any person to corruptly alter, destroy, mutilate or conceal any document with the intent to impair the object’s integrity or availability for use in an official proceeding.
Section 906: Corporate Responsibility for Financial Reports
SOX 906 speaks to the criminal penalties for certifying a misleading or fraudulent financial report. It details the maximum extent to which these penalties may be applied.
What Is a SOX Compliance Audit?
A SOX compliance audit reviews a company’s procedures and internal controls, such as IT security, data backup and access controls. The audit analyzes a company’s log collections and monitoring systems.
SOX Compliance Audit Steps
Certain sections of the SOX Compliance Act require various parameters and conditions to be monitored, logged and audited by an independent external SOX auditor.
The auditor reviews controls, policies and procedures to ensure compliance. The auditor will examine personnel and may also interview staff to confirm consistency with job descriptions and adequate competencies.
Let’s examine how a SOX IT audit would be carried out.
Log collection and monitoring would aim to provide an audit trail for things like:
- Internal controls
- Network activity
- Database activity
- Login activity
- Account activity
- User activity
- Information access
As mentioned in the list above, internal controls refer to all IT assets of a company. This may include any computers, network hardware and other electronic equipment that financial data passes through. A SOX IT auditor may examine the following internal control items:
- IT security – Ensuring that proper controls are in place to prevent data breaches and noting whether the organization has the right tools at its disposal to remediate incidents. If auditors find areas for improvement, they would advise an investment in services and equipment that could protect the organization’s databases.
- Access controls – These are the physical and electronic controls that prevent unauthorized users from viewing sensitive information. Keeping servers and data centers in secure locations and implementing effective password controls are examples of access controls.
- Data backup – Backup systems that house sensitive data need to be protected. Any data stored off-site or by a third party is also examined and held to the same SOX compliance requirements as data hosted on-site.
- Change management – Anything related to adding new users and computers, updating or installing new software or making changes to databases or infrastructure falls under the umbrella of change management in an IT audit. To comply, it’s important to keep records of what exactly was changed, when it was changed and who changed it.
Consequences of Not Complying With SOX
The penalties for non-compliance with SOX depend on the action type and who is responsible. Consider an example where the compliance issue occurs at the company level. If a company submits a report that doesn’t follow the guidelines or ignores SOX entirely, it can be delisted — taken off the public stock exchange.
Company executives can also face consequences for non-compliance. If an executive knows that a SOX report is insufficient and doesn’t meet the requirements, but submits the report anyway, they can face prison time or a hefty fine.
Executives who certify SOX reports that do not meet requirements and do so with the full knowledge that the reports are inadequate also face penalties, including time in prison or massive fines.
SOX Compliance Fines
Essentially, lying to pass a SOX audit is synonymous with fraud. Noncompliance with the SOX Act can result in several types of penalties. You may be sued for lacking corporate responsibility. That public information would then make its way to consumers, damaging your reputation. Noncompliance can also result in a jail sentence of up to 10 years, while false reporting can earn you up to 20 years.
If you’re found guilty of SOX noncompliance, you’ll suffer tremendous financial loss one way or another, whether you lose money in court, experience decreased brand approval as a result of the scandal or become a financial burden from behind bars. On top of that, the direct fines for ignoring SOX are hefty.
A corporate officer who does not comply with SOX or submits an inaccurate certification could be fined up to $1 million.
If the certification is wrong and is proven to have been submitted purposely, the fine may be up to $5 million.
SOX Compliance Challenges
Complying with SOX is a necessity, but it can be complex. Companies often face two challenges regarding compliance. The first challenge concerns the cost of compliance. Companies must dedicate significant resources to ensuring they abide by the rules. For some companies, the expense can be substantial.
Another challenge involves the process of maintaining compliance. Many audit projects require a significant number of attributes and details. If a company uses spreadsheets to sort and hold its data, information can get lost, data sets can be corrupted and input errors can cause confusion. Fortunately, software solutions can streamline the process and solve some of the most pressing compliance concerns.
Software for SOX Compliance
With its complex and extensive requirements and severe penalties, it’s no wonder SOX gained a terrible reputation upon its 2002 debut.
Its reputation started to improve in 2007, when the concept of Enterprise Risk Management (ERM) and more specifically Top Down Risk Assessment (TDRA) was introduced. This empowered organizations to prioritize key controls and tests by linking them to risk.
TDRAs are a formalized recognition that a risk-based SOX approach is valuable and cost-effective. Implementing ERM software can assist in the process of linking controls and risks through a risk assessment process. This is because it allows process owners to focus on accomplishing multiple goals within an ongoing, consolidated assessment instead of getting buried in administrative work. Smart SOX software also allows financial control analysts to focus their work on only material risks.
It’s important to find the right SOX compliance software for you. LogicManager’s centralized SOX compliance software erases pain points in one fell swoop by allowing you to:
- Upload your risk-control matrix and keep it up to date in one centralized framework
- Customize SOX testing with optional sampling, step-by-step instructions for users, document management and attestations
- Maintain visibility into the status of SOX compliance through easily accessible to-do lists and real-time alerts
- Meet regulatory pressure head-on with accurate, customizable reports built in our robust reporting engine
- Standardize your approach to SOX compliance with pre-built control frameworks based on predefined scoring, criteria and best practices
- Identify issues found in testing and engage relevant parties in remediation activities with automated tasks, notifications and reminders
- Easily aggregate information and present it to key personnel responsible for reviews and SOX certification sign-off with intuitive dashboards and reports
- Leverage LogicManager’s financial compliance software to ensure adherence with other critical requirements like NAIC Model Audit Rule, NCUA Section 704.11, Bill 198 and more
Learn More About SOX Programs Today
SOX programs, including LogicManager’s solution, will continue to innovate and transform as long as SOX exists. As the corporate environment changes, so will compliance requirements, so having software that adapts to externally enforced, ever-evolving rules will afford you the time and resources to focus on taking your risk management program to the next level.
Through SOX compliance, your organization can increase investor confidence and decrease financial risk. If nothing else, the link between having a comprehensive SOX internal control system and high market performance demonstrates the wide-ranging benefits of having a mature ERM program. When you stay committed to promoting compliance, the resulting domino effect can propel your organization into extraordinary success.
With LogicManager’s SOX software and expert support, you can achieve compliance and financial reporting and leverage a broad scope of organizational knowledge to focus on strategic goals and operational risks to mitigate risks in your business.