Although the Sarbanes-Oxley Act of 2002 (SOX) has been around for nearly two decades, many companies still struggle to meet compliance requirements. Initially enacted in response to public companies mishandling financial reporting, SOX is a compliance requirement for all public companies. Understanding SOX compliance, as well as its requirements and controls, helps organizations create more robust governance processes.
What is SOX?
In 2001, multiple public companies - Enron, Tyco, and WorldCom - became the public face of a corporate scandal. In response to these companies purposefully inflating their financials and lying in public reports, the US government enacted SOX.
Fundamentally, SOX focuses on establishing governance and forcing accountability on senior leadership and Boards of Directors. SOX established the Public Company Accounting Oversight Board (PCAOB), directing it to:
Inspect, investigate, and enforce compliance across auditors, including public accounting firms, their associated persons, and certified public accountants (CPAs)
What are SOX compliance requirements?
To outline a process for corporate governance, SOX consists of ten different titles.
Title I: Public Company Accounting Oversight Board
By establishing the PCAOB, SOX created a standard for governing how audits should be done and principles for auditors to follow.
Some primary components of Title I include:
Establishing the PCAOB
Requiring accounting firms to register with the PCAOB
Establishing auditing standards, including evaluation of internal control structures, assurance over transaction documentation, reporting of material control weaknesses, and noncompliance
Authorizing PCAOB to impose sanctions
Requiring the adoption of a principles-based accounting system
Title II: Auditor Independence
One of the reasons that Enron could falsely report its earnings was that its audit firm, Arthur Andersen, helped it and never reported the false financials. SOX set out multiple rules to govern auditor independence and ensure that audit firms could never again enable this kind of client misconduct.
Some of the primary requirements include:
Prohibiting auditors from engaging in specified non-audit services while engaging in audit work for the client
Audit committee governance over all auditing and non-auditing services, with approvals disclosed to investors
Audit reports that include the critical accounting policies and practices used, alternative treatments discussed with management officials, the auditor's preferred treatment, and material written communications between the auditor and senior management
Audit committee pre-approval of all auditing and non-auditing services, with pre-approvals disclosed to investors
Prohibiting an auditor from auditing an organization whose senior executives were employed by the auditor within the previous year, removing that conflict of interest
Constraints on how long an auditor can work with an organization
Title III: Corporate Responsibility
This section requires an audit committee to govern auditors and audits.
Some primary requirements under this title include:
SEC creating requirements that the principal executive officer and principal financial officer are responsible for internal controls and receive all material information, certify that financial reports do not contain false statements or material omissions, and certify that financial statements fairly present the company's financial condition and operations
Senior officers certifying that auditors and the audit committee know of all significant internal control deficiencies and any fraud
Making it illegal for corporate personnel to attempt to exert improper influence on an auditor
Senior leadership or Board of Directors activities that are illegal
Lawyer professional responsibilities
Establishment of civil penalties
Title IV: Enhanced Financial Disclosures
This section requires that SEC filings disclose material off-balance sheet transactions and relationships that have a material impact on financial condition, and that financial information not be misleading, by reconciling financial information.
Requirements under this title include:
SEC reports to Congress on off-balance sheet transactions and the use of special purpose entities, clear communication with investors about off-balance sheet transactions, and how special purpose entities are used for off-balance sheet transactions
Prohibiting personal loans by a company to its executives or directors
Senior management, directors, and principal stockholder disclosures around securities ownership
Annual reports that include an internal control report with senior leadership's attestation to maintaining internal financial reporting controls and an evaluation of those controls, with auditing firm attestation on the report
SEC establishing code of ethical conduct
SEC review of periodic disclosures
Title V: Analyst Conflicts of Interest
To prevent securities analysts from having potential conflicts of interest, this section:
Restricts people engaged in investment banking activities from reviewing or approving analysts' reports
Requires that someone not engaged in investment banking activities oversee analysts
Prohibits brokers or dealers from retaliating against analysts for negative reports that may hurt banking relationships with the subject of the report
Established review and oversight for securities analysts
Title VI: Commission Resources and Authority
This section allocates resources for the SEC for the fiscal year 2003.
Title VII: Studies and Reports
This section established a General Accountability Office (GAO) report to Congress on:
Public accounting firm consolidations and reduction in firms providing audit services
Impact consolidation has on capital formation and securities market
Investment bank and financial advisor roles in assisting public companies in misrepresenting their financials
It also sets out SEC reports to Congress:
On credit rating agencies in the securities market
Problems with securities professionals enabling violations
Enforcement action taken for violations
Title VIII: Corporate and Criminal Fraud Accountability
This title imposes federal criminal penalties on individuals who intentionally obstruct a federal investigation or bankruptcy case by destroying documents, and on auditors who do not retain audit documentation for the required five-year period.
Additionally, this title includes:
Disallowing debts incurred while violating securities fraud laws from being discharged during bankruptcy
Prohibiting retaliation against employees who assist in regulatory, Congressional, or supervisory investigations or shareholder fraud proceedings.
Establishing fines and prison sentences for people knowingly defrauding shareholders
Title IX: White-Collar Crime Penalty Enhancements
This title establishes criminal penalties for attempting or conspiring to commit criminal fraud and increases criminal penalties for mail and wire fraud.
Additionally, this title includes:
A requirement that senior corporate officers certify in writing that all financial statements and disclosures comply with SEC rules and fairly present all material information on operations and financial condition
Corporate officer criminal liability for false certification of reports, including imprisonment for up to ten years for knowingly certifying a noncompliant report and up to twenty years for willfully certifying reports that violate the law
Title X: Corporate Tax Returns
This title sets out that the Chief Executive Officer (CEO) should sign the company’s Federal income tax return.
Title XI: Corporate Fraud Accountability
This title amends multiple federal criminal laws to increase criminal penalties and establish prison terms for violation of the law.
Damage to competitiveness, stock price, and long-term shareholder value
In order to comply with SOX, public companies need to ensure that they establish appropriate controls and security monitoring programs that mitigate risk.
In 2020, the SEC released new guidance “Cybersecurity and Resiliency Observations” (Resiliency Guidance) through its Office of Compliance Inspections and Examinations (OCIE). This revised guidance offered greater specificity for organizations that need to file public financial reports.
What are the SOX cybersecurity requirements and controls?
Under the Resiliency Guidance, OCIE set out seven primary requirements organizations need to meet.
1. Governance and risk management
Keeping the SOX theme of senior leadership and Board of Director accountability, the first requirement focuses on how organizations can establish cyber resilient programs.
Senior-level engagement: Assign board and senior leadership responsibilities for oversight.
Risk assessment: Develop and conduct a risk assessment that identifies, manages, and mitigates risk according to the organization’s business goals, including identifying and prioritizing vulnerabilities.
Policies and procedures: Adopt and implement comprehensive policies and procedures.
Testing and monitoring: Establish comprehensive testing and monitoring to validate security controls’ effectiveness.
Continuously evaluating and adapting to changes: Respond to any gaps or weaknesses by updating policies and procedures.
Communication: Establish policies and procedures for internal and external communication for various stakeholders.
2. Access rights and controls
Access controls should limit user access according to the principle of least privilege, meaning the least amount of access necessary for a user to complete their job function.
User access: Understand access needs, limit access to sensitive systems and data according to the principle of least privilege, and periodically review access
Access management: Manage user access by:
Limiting access during user onboarding, transfer, and termination
Implementing separation of duties to limit fraud
Recertifying access periodically
Requiring strong, periodically changed passwords
Using multi-factor authentication (MFA)
Revoking system access upon employment termination
Access monitoring: Monitor use and develop procedures that:
Monitor for failed login attempts and account lockouts
Ensure appropriate handling of customer password and login requests and of abnormal authentication requests
Review system hardware and software changes
Ensure appropriate access request processes and policies
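As an added illustration of the access management and access monitoring controls listed above (example code, not from the original post or from SecurityScorecard), the following Python script reviews a constructed HR roster and account list for a financial system. It flags accounts whose owner has no active HR record (revoke on termination), accounts whose recertification is overdue, a separation-of-duties conflict between vendor creation and payment approval, and accounts exceeding a failed-login threshold. The role names, the 90-day review window, the login threshold, and all sample data are assumptions.

```python
from datetime import date, timedelta

# Constructed sample HR roster: the source of truth for employment status.
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob": {"status": "terminated"},
    "carol": {"status": "active"},
    "dave": {"status": "active"},
}

# Constructed entitlements on a financial system; last_recert is the last access review date.
ACCOUNTS = [
    {"user": "alice", "roles": {"create_vendor"}, "last_recert": date(2024, 1, 15), "failed_logins": 2},
    {"user": "bob", "roles": {"read_ledger"}, "last_recert": date(2024, 1, 15), "failed_logins": 0},
    {"user": "carol", "roles": {"create_vendor", "approve_payment"}, "last_recert": date(2024, 3, 1), "failed_logins": 1},
    {"user": "dave", "roles": {"read_ledger"}, "last_recert": date(2023, 6, 1), "failed_logins": 12},
]

# Assumed separation-of-duties rule: nobody may both create vendors and approve payments.
SOD_CONFLICTS = [({"create_vendor", "approve_payment"}, "vendor creation + payment approval")]
RECERT_WINDOW = timedelta(days=90)      # assumed quarterly recertification cycle
FAILED_LOGIN_THRESHOLD = 5              # assumed alerting threshold
REVIEW_DATE = date(2024, 4, 1)          # constructed "today" for the review


def review_access(roster, accounts, today):
    """Return (user, finding) tuples for each access-control exception found."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        # Revoke on termination: the account is live but HR does not show an active employee.
        if roster.get(user, {}).get("status") != "active":
            findings.append((user, "no active HR record (terminated or unknown) but access remains"))
        # Periodic recertification: the last review is older than the review window.
        if today - acct["last_recert"] > RECERT_WINDOW:
            findings.append((user, "access recertification overdue"))
        # Separation of duties: the account holds a prohibited combination of roles.
        for combo, label in SOD_CONFLICTS:
            if combo <= acct["roles"]:
                findings.append((user, f"separation-of-duties conflict: {label}"))
        # Access monitoring: failed login count at or above the alerting threshold.
        if acct["failed_logins"] >= FAILED_LOGIN_THRESHOLD:
            findings.append((user, f"{acct['failed_logins']} failed logins exceeds threshold"))
    return findings


if __name__ == "__main__":
    for user, finding in review_access(HR_ROSTER, ACCOUNTS, REVIEW_DATE):
        print(f"{user}: {finding}")
```

In a real review the roster and entitlement lists would be exported from the HR system and the application, and each finding would be tracked to a ticket so the remediation itself is auditable.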
3. Data loss prevention
Data loss prevention focuses on ensuring that sensitive data is not lost, misused, or accessed by unauthorized users.
Vulnerability scanning: Establish a vulnerability management program that scans all networks, endpoints, systems, and applications
Perimeter security: Control, monitor, and inspect all incoming and outgoing network traffic
Detective security: Implement endpoint security scanning with both signature-based and behavior-based capabilities to prevent unauthorized software or malware from running
Patch management: Establish a program for installing security updates on all software, hardware, and firmware.
Inventory hardware and software: Maintain current inventory of hardware and software assets, including identifying critical assets and information
Encryption and network segmentation: Ensure appropriate:
Data-in-motion encryption both internally and externally
Data-at-rest encryption on all systems
Network segmentation and access control lists to limit data availability
Insider threat monitoring: Establish an insider threat program to identify suspicious behavior, including chain of reporting
Securing legacy systems and equipment: Before decommissioning hardware or software ensure:
4. Mobile security
Since mobile devices pose unique risks, organizations need appropriate security measures.
Policies and procedures: Establish mobile device use policies and procedures
Managing the use of mobile devices: Use mobile device management (MDM) or similar technology for the organization’s business, including a “bring your own device” policy
Implementing security measures: Require MFA for all internal and external users.
Training employees: Employ cyber awareness training for mobile device security and policies
5. Incident response and resiliency
Incident response includes detecting and disclosing information about incidents in a timely manner and assessing the corrective actions taken.
OCIE suggests the following for incident response planning:
Development of a plan: Develop a risk-based incident response plan for various business-context-driven scenarios using threat intelligence, including procedures for timely notification, escalating incidents through the management chain of command, and communicating with key stakeholders.
Addressing applicable reporting requirements: Comply with applicable federal and state reporting requirements, including:
Contacting local authorities or the FBI
Notifying customers, clients, and employees as necessary
Assigning staff to execute specific areas of the plan: Designate employees with specific roles and responsibilities in case an incident occurs.
Testing and assessing the plan: Test the plan and recovery times using a variety of methods, including tabletop exercises
OCIE suggests the following for resiliency:
Maintain inventory of core business operations and systems: Identify and prioritize core business services to understand the impact a system or process failure would have
Assessing risks and prioritizing business operations: Align the operational resiliency strategy with risk tolerance, including:
Determining systems and processes that can mitigate business interruption
Ensuring geographic separation of backup data
Understanding the effects business disruption has on stakeholders and other organizations
Considering additional safeguards: Maintain backup data both offline and on a different network
6. Vendor management
Practices and controls around vendor management include conducting due diligence, monitoring, and governance, including vendors in the risk assessment process, and assessing vendor security.
Vendor management program: Establish a vendor management program to ensure vendors manage security appropriately, including using questionnaires and independent audits. Establish procedures for terminating contracts, including for cloud-based service providers.
Understanding vendor relationships: Understand all contract terms around risk and security, including liability, rights, responsibilities, expectations, and vendor security risk management.
Vendor monitoring and testing: Monitor the vendor relationship to ensure they meet contractual security requirements and ensure governance over services and personnel.
7. Training and awareness
Training helps employees mitigate cyber risks by understanding their responsibilities and heightening their cyber threat awareness.
Policies and procedures as a training guide: Train staff on the organization’s cybersecurity policies and procedures to build a culture of cybersecurity readiness and operational resiliency
Including examples and exercises in trainings: Provide specific cybersecurity and resiliency training, including phishing exercises, that educate on how to identify and respond to indicators of a breach.
Training effectiveness: Track and maintain records of training and assessment effectiveness.
SecurityScorecard: Continuous monitoring and vendor risk management for SOX compliance
SecurityScorecard’s security ratings platform enables organizations to continuously monitor their cyber risk posture. Our easy-to-read security ratings provide at-a-glance visibility into the strength of an organization’s security program, using A-F ratings.
SecurityScorecard’s platform scans networks to identify and detect devices, including workstations, servers, and Internet of Things (IoT) devices. Our alerts help prioritize risks and include actionable steps that security teams can take to remediate control weaknesses.
SecurityScorecard’s platform also monitors third-party vendors, giving insight into supply chain risk. With our Atlas platform, companies can compare vendor questionnaire responses to our security ratings, getting real-time, independent assurance over vendor risk.