What is Sarbanes-Oxley (SOX) Compliance?

The Sarbanes-Oxley Act was passed in 2002 by the U.S. Congress to protect the public from fraudulent corporate financial reporting.


Another quarter, another round of corporate financial statements. For those of you involved in the public financial markets this should be a routine time of the year. However, if you are new to public financial reporting, this post should give you a good overview of the SOX Act of 2002 and why it is so important. As QoS Consulting Solutions is an organization focused on protecting and validating information technology controls, this post will focus primarily on the IT General Controls (ITGCs) associated with SOX.

Brief History of the SOX Act

The Sarbanes-Oxley Act was passed in response to a handful of major scandals in the public financial markets involving companies such as Enron, Tyco International, and WorldCom. Believe it or not, prior to 2002 the auditing of public companies was largely self-regulated by the accounting profession, and what counted as adequate internal control was not rigidly defined, which gave companies room to misreport their financial statements. The scandals cost investors billions of dollars as the companies under investigation saw their stock prices plummet. As you can imagine, the fallout destroyed investor sentiment, and trust in the markets was near an all-time low. The SOX Act was passed to restore that confidence by improving the accuracy and reliability of corporate disclosures, and it created the Public Company Accounting Oversight Board (PCAOB) to supervise the auditors of public companies.

Who Must Comply with SOX?

All publicly traded U.S. companies, their wholly owned subsidiaries, and foreign companies that raise debt or equity on U.S. public exchanges are required to be SOX compliant. There are a couple of relaxations, but note that they apply to the independent auditor's attestation of internal controls under Section 404(b), not to SOX as a whole: smaller reporting companies with less than $100 million in annual revenue and less than $700 million in public float are exempt from the auditor attestation, and emerging growth companies have up to five years after going public before it applies to them. Management's own certification (Section 302) and assessment of internal controls (Section 404(a)) still apply from the start.

Let’s put SOX Into Perspective

Imagine managing your SOX controls like a restaurant owner manages their restaurant. If you have ever worked in food and beverage, you will have noticed there are two sides of the "house": front of house (the serving floor) and back of house (the kitchen). The front of the restaurant is customer-facing, like investors in a public market. If you are out at a nice restaurant and spending your hard-earned money, you expect what you order to be safe to eat. The back of the restaurant is akin to a public company's internal audit team and the other personnel responsible for assuring that financial statements are correct. The personnel outside the public eye are responsible for preparing the customers' food to meet their expectations of excellence. Your order should arrive in a timely manner, complete with all the ingredients stated on the menu, and taste delectable. There are also external inspectors who visit restaurants every so often to give the establishment a rating that reinforces your confidence, usually a stamp of approval on the restaurant's front door (an A, B, or C rating). These are like the external audit team, often a group from one of the Big 4 accounting firms assigned to your organization, who come in to ensure the reports are accurate.

What are IT SOX Controls?

ITGC SOX controls are all about protecting the confidentiality, integrity, and availability (CIA) of the information that feeds your financial reporting. There are three key areas you will need to address in order to ensure that, when your financial reports are submitted, they are accurate and complete: IT Security Management, Change Management, and IT Operations Management. For those reading this who have some experience in the SOX world: Section 302 (officer certification of the financial reports) and Section 404 (management's assessment of internal control over financial reporting, plus the auditor's attestation of it) are the sections that drive ITGC testing, because the financial controls are only as reliable as the systems that generate the numbers.

IT Security Management

The controls that make up IT Security Management are focused on ensuring information is correctly safeguarded. This includes access privileges for employees and making sure their access to financial information is consistent with their role or function within the organization. Those specific access privileges should be defined in the documentation, and the actual access on the systems should be compared against that documentation on a regular basis. Continuing our analogy from above, this is like protecting your world-famous recipes from prying eyes wishing to use the information for their personal gain. Here is a concise list of the types of actions you should perform for IT Security Management:

  • Identity and role management, so that every account maps to a documented role and the access it carries
  • Password and authentication configuration
  • Privileged user management, with a recorded approval for each grant of elevated access
  • Adequate segregation of duties between various business functions and IT groups
  • Periodic access reviews to confirm the controls remain in place as people join, move, and leave

Change Management

Your IT information systems scoped into your SOX environment should receive a hefty amount of TLC (tender loving care). When changes or modifications are made, they should comply with your organization's policies and good software development practices. Is the new item you recently added to your menu not selling as you'd hoped? Maybe it needs some changes, but line cooks should not just be adding ingredients with no approval from management. Here is what you should be focused on for Change Management:

  • Properly recording the approvals of the internal change committees before a change is made
  • The steps you take to build, test, and deploy changes into production, with evidence retained for each step
  • Segregation of duties so that the person who develops a change is not the one who approves or deploys it

IT Operations Management

You should always practice what you preach in terms of following your organization's policies and procedures. If you are involved in cybersecurity, you will have heard of the CIA triad (Confidentiality, Integrity, and Availability). IT Operations Management applies mostly to the availability of information, as it should always be complete and accessible to your business when the books need to close. Customers get grumpy if their food takes too long to come out, so make sure you have your tickets in order and that the food is not getting cold in the delivery window. Take these processes for example:

  • Record the approvals of internal parties when new environments are spun up
  • IT incident handling
  • Data backup and recovery
  • Continuity of business operations
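The IT Security Management and Change Management sections above both come down to the same evidence question an auditor will ask: does each account's actual access match its documented role, are conflicting duties kept apart, and was elevated access approved before it was granted? The following Python script is an added example, not code from the original post or from QoS Consulting Solutions, showing how those three checks can be run over a user-entitlement export. The role matrix, entitlement names, conflict pairs, and the sample export are all constructed for illustration; in practice you would load them from your identity provider and your change-ticket system.

```python
"""ITGC access-review check over a constructed entitlement export.

All role, entitlement, and ticket names below are hypothetical; the data
is constructed for the example. Each account is checked for:
  * excess_access     - entitlements beyond what its documented role allows
  * sod_conflict      - segregation-of-duties conflicts across its access
  * missing_approval  - privileged entitlements with no recorded approval
"""
from dataclasses import dataclass, field

# Documented role-to-entitlement matrix (constructed example).
ROLE_MATRIX = {
    "developer": {"git.write", "test.deploy"},
    "release_manager": {"prod.deploy"},
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_manager": {"payment.approve"},
    "dba": {"db.admin"},
}

# Pairs of entitlements that one person should never hold together.
SOD_CONFLICTS = [
    ("git.write", "prod.deploy"),          # writes the code and ships it
    ("vendor.create", "payment.approve"),  # creates a payee and pays it
    ("db.admin", "prod.deploy"),           # alters data and deploys code
]

# Entitlements that must have an approval ticket on file before grant.
PRIVILEGED = {"prod.deploy", "db.admin", "payment.approve"}


@dataclass
class Account:
    user: str
    role: str
    entitlements: set
    approvals: dict = field(default_factory=dict)  # entitlement -> ticket id


def review_account(acct, role_matrix=ROLE_MATRIX, sod=SOD_CONFLICTS,
                   privileged=PRIVILEGED):
    """Return a list of (finding_type, detail) tuples for one account."""
    findings = []
    allowed = role_matrix.get(acct.role, set())
    # 1. Access beyond the documented role.
    for ent in sorted(acct.entitlements - allowed):
        findings.append(("excess_access", f"{ent} not in role {acct.role}"))
    # 2. Segregation-of-duties conflicts within the account's combined access.
    for a, b in sod:
        if a in acct.entitlements and b in acct.entitlements:
            findings.append(("sod_conflict", f"{a} + {b}"))
    # 3. Privileged access without a recorded approval.
    for ent in sorted(acct.entitlements & privileged):
        if not acct.approvals.get(ent):
            findings.append(("missing_approval", ent))
    return findings


def review_export(accounts):
    """Map each user with at least one finding to their list of findings."""
    report = {}
    for acct in accounts:
        findings = review_account(acct)
        if findings:
            report[acct.user] = findings
    return report


# Constructed entitlement export: one clean account and three problem ones.
SAMPLE_EXPORT = [
    Account("alice", "developer", {"git.write", "test.deploy"}),
    Account("bob", "developer", {"git.write", "prod.deploy"},
            {"prod.deploy": "CHG-1042"}),
    Account("carol", "ap_clerk",
            {"vendor.create", "invoice.enter", "payment.approve"}),
    Account("dave", "dba", {"db.admin"}),
]

if __name__ == "__main__":
    for user, findings in review_export(SAMPLE_EXPORT).items():
        for kind, detail in findings:
            print(f"{user:8} {kind:17} {detail}")
```

Run against the sample export, alice is clean; bob is flagged for holding production deploy rights outside the developer role and for the developer-plus-deployer conflict even though his grant was ticketed; carol is flagged on all three checks; dave's access matches his role but has no approval on file. The point for the auditor is that each finding ties a specific account to a specific documented expectation, which is exactly the evidence Sections 302 and 404 testing will ask for.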

These next couple of weeks will be full of long-awaited financial reports from some of your favorite companies, like Spotify, Royal Caribbean Cruises, Lyft, and many more, so if you're an investor, keep your eyes on the charts. Along with that, keep in mind the work that went into preparing those reports for your viewing. If you're responsible for some of the SOX work or are the owner of a public company, have a night out; you deserve it.

For more information, speak with a QoS consultant today at sales@qosconsultingsolutions.com, or reach out through the contact form on our website, www.qosconsultingsolutions.com.