Deriving its name from Paul Sarbanes and Michael Oxley, the Sarbanes-Oxley Act 2002 (SOX) is a law meant to implement regulations on firms that are publicly traded. The U.S. Congress passed the law in 2002 following a series of scandals by large organizations such as Tyco International PLC, WorldCom, and Enron Corporation that resulted in plunging of the stock market a few months before elections were held in 2002.
The legislation was meant to calm fears of misconduct in the corporate world and impose accountability by the Board of Directors and management of companies when reporting their financial data. Although the Sarbanes-Oxley was planned to implement these regulations simply, it soon turned into more complex legislation.
The Key Requirements of Sarbanes-Oxley
The Sarbanes-Oxley Act of 2002 comprises of five key provisions. Firstly, it shaped the Public Company Accounting Board or PCAOB as well as restricting auditors of public accounting companies. Secondly, it created requirements for corporate governance in a bid to create audit committee protections. Thirdly, it imposed requirements for firms to disclose their financial reports and having press releases. Fourthly, the legislation outlined criminal penalties that CFOs and CEOS and companies would face in cases where they falsely certified financial statements. Lastly, the act also established criminal penalties whereby those obstructing justice for security fraud would face 20 to 25 years in jail to prevent the types of fraud activities that led to the scandals experienced in 2002 and 2001.
Sarbanes-Oxley Compliance Requirements
The requirements of Sarbanes-Oxley compliance fall into many categories, with most of them focused on corporate governance and responsibility. Within the requirements, however, there are still some specific provisions for information security, which make many businesses overwhelmed.
SOX Section 302
Section 302 is mainly about Disclosure Control and Procedures. It entails quarterly reports discussing all the controls and processes for public disclosures. The section also entails the personal accountability that signing officers should have.
The Sarbanes-Oxley Act of 2002 (SOX) states that the signing officer reviews the report and confirms that the financial report doesn’t contain any false statement or any omitted fact to their knowledge. It also further details that the signing officer acknowledges that the financial statement alongside any other accompanying financial information in the report abides to the financial conduction of operations of the issuer during the period presented in the report. Simply put, this implies that, if an executive officer proceeds to sign a document, they have to take personal responsibility for it being accurate.
SOX Section 401
This section focuses on two notes. One, it talks about financial disclosures created following a set of accounting standards in a bid to guarantee investor confidence. Two, the section requires off-balance sheet disclosure reporting to ensure the transactions conform to the standard accounting requirements. The reports relate to quarterly and annual financial reporting that had been previously altered during the WorldCom and Enron scandals. These disclosures go through a public accounting company, unlike the 302 disclosures.
SOX Section 404
Section 402 mainly covers the adequacy and scope of the internal procedures and controls for financial reporting. Considering that this section has far more reaching tentacles compared to any other section, most companies usually struggle and spend most of their efforts in this Sarbanes-Oxley compliance. According to the SEC’s brochure, which outlines all the steps to evaluate and document internal controls, a firm needs to assess its reporting risks (both internally and externally), whether they come from historical transactions, process or authorization reflected in their financial statement.
Once an organization evaluates the outlined steps, the next stage is to determine if the controls work and what risks they expect should the controls fail. Generally, the higher the chance of a risk occurring, the more evidence they will need to support effective controls. The third stage would be providing a report on these conclusions covering overall deficiencies and effectiveness.
SOX Section 409
This section is known as the ‘Real Time Issuer Disclosure.’ According to the Sarbanes-Oxley Act, issuers are required to disclose any information on material changes in their financial operations or condition to the public and do it on an urgent basis. Moreover, the disclosures are to be provided in easy-to-understand terms and have supporting graphic presentations with qualitative information as appropriate. In other words, the organization needs to communicate with the stakeholders and shareholders immediately. One of the material changes considered essential to communicate in the world of information security is a data breach.
SOX 806 mainly entail protections of whistleblowers. In a bid to offer protection to employees who are looking to speak out, Sarbanes-Oxley granted protection control to the U.S. Department of Labor to ensure the protection of such employees. If an organization retaliates against employees doing speaking out on violation, the responsible parties can be charged by the Department of Justice.
This section emphasizes the corporate responsibility when it comes to filing financial reports. It states that standard reports have to be prepared by the CFOs and CEOs over of time and submit them with their SEC financial statement report. The SOX 906 certifications are usually straightforward, unlike the 302 certifications.
Sarbanes-Oxley Compliance and Information Security
When it comes to SOX compliance, the overlap between SOX 404 and SOX 302 creates a lot of risks for those in the field of information security. Whereas SOX 302 talks about the CEO and CFO personal certification on financial reporting controls, SOX 404 is broader, focusing on the term “internal controls.” The two sections don’t have a specific definition for control, which leaves room for interpretations especially for professionals in information systems.
The PCAOB was created out of the Sarbanes-Oxley to provide directions to the auditor for the best practices. According to a 2004 SANS white paper, the PCAOB selected the COSO (Committee of Sponsoring Organizations) framework in a bid to create guidelines that would help structure all internal controls.
The COSO framework discusses areas of compliance, which include monitoring, information and communication, risk assessment control activities, control environment, and information security controls.
To be fully compliant, many companies turn to COBIT (Control Objectives for Information and related Technology) framework, which outlines 34 IT processes into various categories including monitoring, delivery and support, acquisition and implementation, and planning and organization. A specific organization will be able to come up with the appropriate program for Sarbanes-Oxley compliance by ensuring that it has physical security, segregation of duties, effective monitoring, network security details, authentication and access procedures, security standards, and security policy.
One of the biggest challenges that IT security departments face lies in appropriate access. There’s a specific requirement that these departments should monitor user access to data. To effectively achieve this, it requires well-thought-out procedures for granting, de-provisioning, and provisioning of privileged access to either administer or modify data systems. Sarbanes-Oxley requires IT personnel and auditors to review practices regularly, with senior-level management also needed to sign off the reviews.
Sarbanes-Oxley did not just shake up the corporate world in 2002; its ongoing legacy has allowed the establishment of trust in financial reporting and best practices in information security.