What is SOX Compliance?
SOX stands for the Sarbanes-Oxley Act, drafted by congressmen Paul Sarbanes and Michael Oxley and passed by Congress in 2002. The idea behind this act was to protect shareholders and the general public from both accounting errors and fraudulent practices in companies by improving the accuracy of corporate disclosure – meaning, your data needs to be safeguarded.
Bringing transparency to corporate governance and formalizing a system of checks and balances proved important after the financial scandals at Enron, WorldCom, and Tyco. Since the act passed, all public companies have been required to comply with SOX.
The IT side of this act mostly concerns the way IT departments store corporate electronic records. The act doesn’t prescribe how to store the data or what data plan a company should use, but it does specify the length of time and the type of records that must be stored.
SOX compliance applies to public companies in the US, any international companies that have registered equity or debt securities in the US, and any accounting firm or other third party that provides financial services to either of the aforementioned businesses.
SOX Sections for IT Departments
IT departments need to pay close attention to two sections of the SOX act.
- Section 302: relates to a company’s financial reporting. The act requires a company’s CEO and CFO to personally certify that all records are complete and accurate. Specifically, they must confirm that they accept personal responsibility for all internal controls and have reviewed these controls in the past 90 days. These internal controls include a company’s information security infrastructure inasmuch as its accounting and reporting are performed electronically. In other words, for almost all modern businesses there is a clear mandate to ensure high security standards are enforced.
- Section 404: stipulates further requirements for the monitoring and maintenance of internal controls related to the company’s accounting and financials. It requires businesses to have an annual audit of these controls performed by an outside firm. This audit assesses the effectiveness of all internal controls and reports its findings back directly to the SEC.
These sections have huge implications for your IT department, and understanding them will help guide your IT team’s policies, hardware implementation, and software implementation.
Your SOX Audit
Knowing where you stand helps you gauge the policies that need to be put into place.
What data do you have? What categories does that data fall under? What precautions need to be taken for which data?
Once your audit is complete, you can put the right security tools and processes in place.
SOX compliance is nearly impossible without both tools and processes to secure your data. Written evidence of your controls is required, and beyond that, there must be evidence that these controls have been communicated and enforced.
A SOX audit is good to do once a year. Based on your findings, you may need to update some of your controls. It is best to have this audit performed by an outside company so the results are unbiased.
If your accounting leader is part of the audit, they may go easy on it. An uninvolved third party will give it to you straight.
There are four internal controls that are most important to have in place. Review these controls as part of your yearly audit.
- Access: Physical and electronic access should be taken into account. Who can get to your data? How can they get to it? Keep your servers in secure locations and implement effective password protections.
- Security: For SOX, we are referring to preventing breaches and having tools to remedy incidents as they occur. Your internal cyber security policies should be much more comprehensive than that, of course, but for SOX these are the two important pieces.
- Change Management: Your IT department has processes in place to add new workstations, update and install software, make Active Directory changes, and more. Having a record of these activities, what was changed and when, will simplify your SOX IT audit.
- Backup: Your backup procedures should be in place to protect your sensitive data. Data can be lost or stolen, and your company is not immune to such a disaster. Data centers with off-site data backups, run by your company or a third party, are good to have for SOX and for your cyber security plan.
Management of Electronic Records
With or without SOX, most record keeping has migrated to electronic records, and more recently, the cloud. This means measures must be in place to keep that data safe.
Through SOX, however, IT departments are responsible for creating and maintaining an archive of all corporate records. Finding the best way to keep these records in compliance, manageable, and cost effective is the real trick.
Destruction, alteration, or falsification of records is the first concern of IT departments managing records. The next concern is the retention period of records storage, including best practices for securely storing public accounts. The last concern is the type of business records that need to be stored, which can include business records, communications, and electronic communications.
These three main concerns translate to rules that IT departments need to comply with. As part of their record and data management plan, they must address how to prevent falsification of records, how to properly destroy data, especially sensitive data, and how to manage alterations and versions of data.
This can all get pretty messy. The retention period of the data often depends on the data itself and the SOX guidelines help corporations better understand what they must keep and for how long.
Much like a statute of limitations, some data can be destroyed after a certain period of time. That brings us to the third concern of our guidelines, which is the type of data that must be stored. This cannot be ignored, as outlined by the SOX Act.
Data Protection and Compliance
How can your team more easily monitor your data and enforce corporate policies for data handling?
It all starts with proper data classification methods. When your data is properly classified, your team knows what precautions must be taken and for what data. For instance, some data has to be encrypted and compressed, while other pieces of data have to be in a certain file format. It all depends on the data itself. Classification is the first step to making sure all data will be properly stored.
Preventing corruption by ensuring that unauthorized users within your own network cannot access certain pieces of information is one safeguard that decision-makers often overlook.
On a related note, when data is passed from person to person or system to system, it’s important to mask the data in transit as part of protection and compliance; therefore, your protection plan should include a way to monitor data, enforce your policies, and log every user action.
This may seem like overkill, but when it comes to your data, you simply cannot leave anything to chance. Not only could it be bad for business, but being outside of SOX compliance can lead to some pretty serious consequences.
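The record-management concerns above (preventing falsification or undetected alteration of records, applying a retention period per record type) and the call to log every user action come together in one mechanism: a tamper-evident audit trail. The following Python sketch is an added example, not code from the original post or from any SOX tooling. It hash-chains each log entry to the previous one, so editing or deleting an earlier entry breaks every later link, and it reports which entries have passed their retention period. The record categories and the retention years in `RETENTION_YEARS` are constructed placeholders for illustration, not the actual periods SOX specifies.

```python
"""Tamper-evident audit trail with a retention check (added example)."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed retention schedule: record category -> years to keep.
# Placeholder values for illustration only; consult your auditors for real periods.
RETENTION_YEARS = {"audit-workpaper": 7, "change-ticket": 5, "access-review": 3}

GENESIS = "0" * 64  # hash "before" the first entry


def _digest(prev_hash, entry):
    """SHA-256 over the previous hash plus a canonical JSON form of the entry."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class AuditLog:
    """Append-only log. Each entry's hash covers the previous entry's hash,
    so altering, reordering or deleting an earlier entry is detectable."""

    def __init__(self):
        self.entries = []

    def append(self, actor, action, category, detail, when):
        """Record who did what, to which record category, and when (UTC)."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "ts": when.isoformat(),
            "actor": actor,
            "action": action,
            "category": category,
            "detail": detail,
        }
        entry["hash"] = _digest(prev, entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute the chain from genesis; return (ok, first_bad_seq)."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if _digest(prev, body) != e["hash"]:
                return False, e["seq"]
            prev = e["hash"]
        return True, None

    def expired(self, now):
        """Sequence numbers whose retention period has elapsed as of `now`.
        Uses 365-day years as an approximation; disposal itself should be
        logged as its own entry rather than silently deleted from the chain."""
        out = []
        for e in self.entries:
            keep_for = timedelta(days=365 * RETENTION_YEARS[e["category"]])
            if datetime.fromisoformat(e["ts"]) + keep_for <= now:
                out.append(e["seq"])
        return out


def build_sample_log():
    """Constructed sample activity used by the demo below."""
    log = AuditLog()
    t0 = datetime(2015, 1, 10, tzinfo=timezone.utc)
    log.append("alice", "update", "change-ticket", {"ticket": "CHG-1"}, t0)
    log.append("bob", "read", "audit-workpaper", {"doc": "WP-7"}, t0 + timedelta(days=30))
    log.append("carol", "approve", "access-review", {"review": "Q1"}, t0 + timedelta(days=60))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    log.entries[0]["detail"]["ticket"] = "CHG-2"  # simulate an after-the-fact edit
    print("after tampering:", log.verify())
    print("expired by mid-2021:", log.expired(datetime(2021, 6, 1, tzinfo=timezone.utc)))
```

In practice the entries would be written to storage the application account cannot modify (append-only or write-once media, or a separate logging host), and `verify()` would be run as part of the yearly audit so that the written evidence of your controls is itself checked for integrity.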
As you can tell, keeping up with your SOX compliance takes dedication. This is not an area that you can push off or leave to chance. If your IT department has the bandwidth to keep up your SOX compliance, that’s great. It’s just your job to ensure all policies are completely communicated to your team.
If you’re not sure this is something you can take on internally, you may need to consult an outside company. A tech consulting company can complete your audit, recommend tools, set up your policies, and monitor your data.
For more information, feel free to contact us.