Organizations that offer stocks or securities must maintain both sound financial practices and sound data security standards. The higher the financial stakes, the higher the risk of being targeted for data theft and the greater the consequences of a successful attack.
The Sarbanes-Oxley Act of 2002 (SOX) was originally enacted to combat unethical corporate and financial practices, notably the Enron and WorldCom scandals. These scandals caused billions of dollars in losses for investors and eroded public confidence in the US stock market.
A major part of SOX regulations relate to information technology and security best practices. Because SOX is a mandatory standard that applies to all US-based public companies, it had the positive side-effect of encouraging robust information security practices.
What Is SOX Compliance?
The Sarbanes-Oxley (SOX) Act of 2002 is a regulation affecting US businesses. It was enacted by Congress in response to several financial scandals that highlighted the need for closer control over corporate financial reporting practices.
Goals: SOX aimed to increase transparency in corporate and financial governance, and create checks and balances that would prevent individuals within a company from acting unethically or illegally.
Applies to: The regulation applies to all public companies based in the USA, international companies that have registered stocks or securities with the SEC, as well as accounting or auditing firms that provide services to such companies.
Penalties: Non-compliance with SOX can lead to millions of dollars in fines or criminal conviction.
Benefits: SOX compliance is not just a regulatory requirement, it is also good business practice because it encourages robust information security measures and can prevent data theft.
Primary SOX Compliance Requirements
The following SOX Compliance Requirements are directly applicable to IT organizations within companies that are subject to SOX regulations, and will affect your information security strategy:
- Section 302—Corporate Responsibility for Financial Reports—public companies must file reports on their financial situation with the Securities and Exchange Commission (SEC). SOX specifies that the CEO and CFO of the reporting organization must sign each report and are held personally accountable for its contents. CEOs/CFOs must attest that each report is truthful and does not omit essential information, that they have put controls in place to ensure this is the case, and that they validated these controls within the 90 days before submitting the report.
- Section 404—Management Assessment of Internal Controls—SOX makes corporate management responsible for putting in place an internal control structure that is “adequate”. Both management and external auditors need to assess and report on the adequacy of the control structure and report any shortcomings.
- Section 409—Real Time Issuer Disclosures—if there is a significant change to a company’s financial situation or ability to operate, company officials are responsible for informing their investors and the general public in a timely manner.
- Section 802—Criminal Penalties for Altering Documents—company officials or others who alter a financial document or other material that can affect the SEC’s administration, conceal or cover up such a document, or falsify an entry are subject to fines or imprisonment of up to 20 years.
- Section 906—Corporate Responsibility for Financial Reports—company officials who submit misleading or false financial reports can be subject to fines up to $5 million and imprisonment of up to 20 years.
SOX Compliance Audits
A SOX Compliance Audit is commonly performed according to an IT compliance framework such as COBIT. The most extensive part of a SOX audit is conducted under section 404, and involves the investigation of four elements of your IT environment:
- Access—physical and electronic measures that prevent unauthorized access to sensitive information. This includes securing servers and data centers, and authentication measures like passwords and lockout screens.
- Security—staff, practices and tools deployed to prevent security breaches on devices and networks that are used for financial data.
- Change management—how the organization defines new user accounts, performs software updates, and maintains audit trails of any change to software or configuration.
- Backup—how the organization ensures any sensitive data that is lost can be restored, including data stored off company premises.
SOX Compliance Checklist
The following checklist will help you formalize the process of achieving SOX compliance in your organization.
1. Prevent data tampering: Implement systems that track logins and detect suspicious login attempts to systems used for financial data.
2. Record timelines for key activities: Implement systems that can apply timestamps to all financial or other data relevant to SOX provisions. Store such data at a remote, secure location and encrypt it to prevent tampering.
3. Build verifiable controls to track access: Implement systems that can receive data from practically any organizational source, including files, FTP, and databases, and track who accessed or modified the data.
4. Test, verify and disclose safeguards to auditors: Implement systems that can report daily to selected officials in the organization that all SOX control measures are working properly. Systems should provide access to auditors using permissions, allowing them to view reports and data without making any changes.
5. Report on the effectiveness of safeguards: Implement systems that generate reports on the data that has streamed through the system, critical messages and alerts, and security incidents that occurred and how they were handled.
6. Detect security breaches: Implement security systems that can analyze data, identify signs of a security breach and generate meaningful alerts, automatically updating an incident management system.
7. Disclose security breaches and failures of security controls to auditors: Implement systems that log security breaches and also allow security staff to record their resolution of each incident. Enable auditors to view reports showing which security incidents occurred, which were successfully mitigated and which were not.
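Checklist items 1, 2 and 6 describe the same small building blocks: a log whose entries carry trustworthy timestamps and cannot be silently edited, and a detector that raises an alert on repeated failed logins to a financial system. The Python below is an added example written for this article; it is not code from the original page or from any SOX or COSO tooling. The HMAC hash-chain construction, the demo key, the sample login events, the "general-ledger" system name and the threshold of three failures in five minutes are all assumptions chosen for illustration.

```python
"""Tamper-evident, timestamped audit log plus failed-login burst detection.

Added example (not from the original article). Assumptions: entries are
chained with an HMAC over the previous entry's tag, so an editor without the
key cannot rewrite history and recompute a valid chain; the key, sample
events and detection thresholds are constructed for illustration only.
"""
import hashlib
import hmac
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed base time so the example is deterministic and testable.
BASE_TIME = datetime(2024, 1, 1, 9, 0, 0, tzinfo=timezone.utc)

# Constructed sample login events: (seconds after BASE_TIME, user, result).
SAMPLE_EVENTS = [
    (0, "alice", "success"),
    (10, "bob", "failure"),
    (40, "bob", "failure"),
    (70, "bob", "failure"),
    (95, "bob", "failure"),
    (100, "carol", "failure"),
    (130, "carol", "success"),
    (900, "bob", "success"),
]


class AuditLog:
    """Append-only log where every entry commits to its predecessor via HMAC."""

    GENESIS = "0" * 64  # "previous tag" for the first entry

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _mac(self, timestamp, event, prev_mac):
        # Canonical JSON so the same logical entry always yields the same tag.
        payload = json.dumps({"ts": timestamp, "event": event, "prev": prev_mac},
                             sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, event, now=None):
        """Record an event with a log-applied timestamp (checklist item 2)."""
        now = now or datetime.now(timezone.utc)
        timestamp = now.isoformat()
        prev_mac = self.entries[-1]["mac"] if self.entries else self.GENESIS
        entry = {"ts": timestamp, "event": event, "prev": prev_mac,
                 "mac": self._mac(timestamp, event, prev_mac)}
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, first bad index)."""
        prev_mac = self.GENESIS
        for i, e in enumerate(self.entries):
            expected = self._mac(e["ts"], e["event"], e["prev"])
            if e["prev"] != prev_mac or not hmac.compare_digest(e["mac"], expected):
                return False, i
            prev_mac = e["mac"]
        return True, None


def failed_login_bursts(entries, threshold=3, window=timedelta(minutes=5)):
    """Return {user: max failures seen inside any sliding window} (items 1 and 6)."""
    failures = defaultdict(list)
    for e in entries:
        ev = e["event"]
        if ev.get("action") == "login" and ev.get("result") == "failure":
            failures[ev["user"]].append(datetime.fromisoformat(e["ts"]))
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def build_sample_log(key=b"demo-key-not-for-production"):
    """Load the constructed events into a fresh log with deterministic timestamps."""
    log = AuditLog(key)
    for offset, user, result in SAMPLE_EVENTS:
        log.append({"action": "login", "user": user, "result": result,
                    "system": "general-ledger"},
                   now=BASE_TIME + timedelta(seconds=offset))
    return log


def demo_tamper():
    """Rewrite one recorded failure as a success; verification must catch it."""
    log = build_sample_log()
    log.entries[2]["event"]["result"] = "success"
    return log.verify()


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    print("suspicious users:", failed_login_bursts(log.entries))
    print("after tampering:", demo_tamper())
```

The key used by the HMAC must live somewhere the people who can write to the log cannot read, otherwise a log editor could re-tag the chain; in practice that means a separate logging host or a key held by the audit function, which is also what lets auditors verify reports without being able to change them (item 4).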
What is the COSO Framework?
The COSO (Committee of Sponsoring Organizations) Framework is a framework for designing, implementing and evaluating internal control in organizations, supporting enterprise risk management. It was published as the Internal Control Integrated Framework (ICIF) and is widely used in the United States. James C. Treadway, Jr., an Executive Vice President and General Counsel, led the commission that created this framework in conjunction with five private-sector organizations:
- American Institute of Certified Public Accountants (AICPA)
- National Association of Accountants (now the Institute of Management Accountants (IMA))
- American Accounting Association (AAA)
- The Institute of Internal Auditors (IIA)
- Financial Executives International (FEI)
These organizations are called the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The goal was to create a framework for providing guidance on internal control, allowing organizations to establish controls throughout their environment.
What are the Five Principles of COSO Internal Control?
The five principles of COSO Internal Control are Risk Assessment, Control Activities, Information and Communication, Control Environment and Monitoring Activities.
- Risk Assessment
- Every organization faces risks: internal or external factors that may prevent it from reaching its objectives. Appropriate risk assessment provides reasonable assurance that the organization takes only risks that fall within its accepted tolerance.
- Control Activities
- Control activities are those activities that are taken to help mitigate risk at all levels of the organization. The COSO framework helps to ensure that the activities taken by all members of the organization are those that would help the company achieve its goals without taking unnecessary risks.
- Information and Communication
- Every organization communicates daily, both internally and externally. The controls provided by COSO help ensure that these internal and external communications follow best practices, work towards the organization’s goals, and share only appropriate information. Internal communication naturally follows a different set of rules than external communication.
- Control Environment
- Establishing controls across the environment ensures that standard practices are used throughout the organization. It consists of a set of standards, processes and practices. These standards are overseen and enforced by management, creating a top-down approach, so that the practices are enforced throughout the organization. The guidelines for these are provided by the COSO Framework.
- Monitoring Activities
- Ongoing monitoring of all internal control systems, typically through internal audits, is required to ensure the controls are working properly for the organization. Information is gathered and evaluated regularly by regulators and selected managers, and reports go to management and the board of directors for ongoing evaluation. External financial reporting is also a critical process here, helping to deter fraud.