Updated November 2022
Time flies when you’re having “fun.” It’s hard to believe Sarbanes-Oxley is twenty years old, isn’t it? And, without a gray hair in sight, what is one of the most stringent and robust regulations to hit public companies since the 1930s is just as relevant and impactful today as it was two decades ago. That’s really saying something.
So to commemorate SOX turning the big 2-0, we thought it best to revisit SOX regulations, compliance requirements, and what all of it means for your controls, audits, corporate governance, and everything else its long tentacles can reach.
Defining SOX
The Sarbanes-Oxley Act of 2002, courtesy of former Senator Paul Sarbanes and former Representative Michael Oxley, focuses on preventing corporate fraud and providing investors with clear, accurate, and timely information on which to base their decisions. Born of necessity (more on that in a bit), SOX is a comprehensive, sweeping set of laws establishing reforms and additions in four key areas:
- Corporate responsibility: Key organizational stakeholders – specifically, the chief executive and chief financial officers – are on the hook for accurate financial statements and reliable internal controls, as detailed in Section 302 of SOX.
- Increased criminal punishment: Section 906 sets out the criminal penalties for executives who certify financial statements knowing they are fraudulent or misleading: up to a $5 million fine and 20 years in prison for willful violations.
- Accounting regulation: SOX created a new auditor watchdog, the Public Company Accounting Oversight Board (PCAOB), to set standards for audit reports. All firms auditing public companies must register with the PCAOB and abide by its rules and procedures. For a look at the PCAOB from different angles, we suggest reading our previous insights on the board.
- New protections: Aside from the overall intention of SOX – to provide new protections for investors by way of accurate, reliable information – SOX also introduced legal protection for whistleblowers under Section 806. This portion of the act shields corporate whistleblowers from retaliation when they provide information on different types of fraud or Securities and Exchange Commission (SEC) violations.
Although SOX certainly has many moving parts that can appear confusing from a distance, just remember its primary intention if things start to get murky. At its heart, regulators created SOX to establish a set of internal checks and balances for public companies, along with strict criteria and guidelines for external auditors, all to provide investors with transparent, accurate financial information.
A Brief History of SOX
Let's begin our look at the history of Sarbanes-Oxley by taking a quick stroll down Memory Lane, circa 2002. Star Wars fans were knee-deep in the prequel nightmares, the first iPhone was still five years away, and names like Enron, WorldCom, Tyco, and Arthur Andersen were dominating the headlines, but not for good reasons.
So what do those four names all have in common? Fraud. In the case of the first three, they cooked the books to prop up their financial metrics and ratios, dragging down one of the largest auditing and accounting firms in the world at the time, Arthur Andersen, along with them. And for too many reasons to list in a short(ish) blog post, financials built on fraudulent data aren’t great for investors, confidence in the markets, or our financial infrastructure.
As these different scandals came to light, both the public and legislators were rightfully aghast, driving the two bills that would eventually become the Sarbanes-Oxley Act of 2002 ahead at light speed "to protect investors by improving the accuracy and reliability of corporate disclosures." To give you a clearer view of the climate and overwhelming fury over the assorted financial scandals at the time, the final bill only had three dissenters between both the House and Senate.
Does SOX Apply to You?
And that leads us to the present day. As is usually the case, today’s environment doesn't lack for financial scandals. Perhaps we're not seeing them at the scope of those at the turn of the century, but the need for transparency and accuracy into an organization’s financial condition is just as acute as it's ever been.
But that term we just used, organization, is quite broad. To narrow things a bit, SOX applies to all publicly traded companies whose securities are registered with the SEC, along with their wholly-owned subsidiaries, and to foreign companies whose securities are registered with the SEC and traded in the United States. That, for the most part, excludes private companies, non-profits, and charities from the reach of SOX. It's important to note, however, that the act does contain some provisions that apply to private companies as well, including:
- Debts arising from violations of federal or state securities laws cannot be discharged in bankruptcy
- Penalties for falsifying, destroying, or altering documents to impede a federal agency investigation
- Penalties for retaliating against whistleblowers who report a possible federal offense
Also, as a best practice, any private company with a possible IPO on the horizon should get the SOX wheels turning ahead of time to comply with the regulations before they go public.
SOX Compliance Requirements
So what, exactly, does SOX compliance (or non-compliance) entail? Plenty. In fact, even before Dodd-Frank amended SOX, the original bill was 66 pages long, organized into 11 titles. Granted, Congress spent many of those pages on the PCAOB, auditor independence, and other provisions that, while critical for protecting investors and markets, don't directly apply to a company's own SOX compliance program. But still, 66 pages is pretty beefy.
To separate the regulatory wheat from the chaff, however, there are four essential SOX compliance mandates that every company must meet if they fall under the regulations:
- As mentioned, CEOs and CFOs must personally certify the accuracy of their financial reports and the adequacy of their internal control structure in filings with the SEC under Section 302.
- Annual reports must include an Internal Control Report in which management states that it is responsible for maintaining adequate internal controls over financial reporting and gives its assessment of how effective those controls are, as discussed in Section 404. For accelerated and large accelerated filers, the external auditor must also attest to that assessment; Dodd-Frank exempted smaller (non-accelerated) filers from the auditor attestation.
- Companies must have formal data security policies in place, communicate those policies, and enforce them consistently. This includes a thorough data security strategy that protects financial data used during normal operations.
- SOX is ongoing compliance, not one-and-done. Companies must maintain and provide documentation of continuous compliance, monitoring, and measuring of compliance objectives.
Prepping for Your SOX Compliance Audit
As the SOX requirements make clear, compliance goes far beyond keeping neat and tidy books. Your data and systems must be secure and running properly at all times. Thus, prepping for your SOX compliance audit should include updating your internal audit and financial reporting systems.
Remember, it's not enough to simply be SOX compliant. You must also prove your compliance, something companies sometimes overlook. Whatever reports your auditor requests, you should be able to provide them quickly and efficiently. Things can and do go sideways at the worst possible times, so preparing your systems and making sure they're running without a hitch can save a good bit of frustration come audit time. In other words, be organized and meticulous, documenting as you go.
Cybersecurity and General IT Controls
As part of your SOX compliance audit, independent auditors will also examine the controls around your information technology environment with an especially discerning eye, typically using the COBIT framework as a guide rail for these IT general controls. Given the critical role IT plays in your operations, and the emphasis on security from regulators, your IT controls will definitely have their moment in the SOX compliance spotlight. Therefore, you must demonstrate adequate IT controls to your auditor, particularly:
- Access management: We mean this for physical access to doors, security badges, and locking file cabinets, as well as electronic controls through login standards, periodic permissions reviews, and least privilege. That last one, least privilege, means you give a person access to only what they need to perform their job, nothing more, and you remove that access promptly when their role changes or they leave.
- Security controls: How are you protecting your data centers and information systems from breaches and data loss? SOX doesn't specify which security controls you should or shouldn't use, just that they work and that you can show they work.
- Information backup: You must demonstrate that you maintain off-site, SOX-compliant backups of your financial data and documentation, and that those backups can actually be restored.
- Change management: Things change, and when they do, you must have well-defined processes for adding and maintaining users, implementing new software, or changing any applications or databases that affect your financial records, with each change requested, approved, tested, and documented before it reaches production.
When it comes to your SOX internal controls, consistent risk assessment on your part can be a lifesaver for your audit. For example, if you're testing and improving your internal controls frequently, and sharing that information with your auditor, then a gap the auditor identifies is evaluated as a deficiency you already know about and are addressing rather than as evidence that nobody is watching. Otherwise, the same gap points to a poor control environment, and that isn’t great.
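As an added example (not from the original post, and not Embark's or any vendor's code), the following Python script shows the kind of automated evidence an IT team can generate for the access-management and change-management controls described above. It compares the entitlements actually granted in a financial application against an approved role matrix to surface least-privilege violations, access still held by terminated users, and accounts with no HR record, and it flags production changes that have no approved change ticket behind them. The role matrix, HR feed, entitlement export, and change log are constructed sample data, and every name and field layout is an assumption for illustration; a real implementation would read these from your HR system, your application's security export, and your ticketing tool.

```python
"""Permissions audit and change-ticket check for SOX IT general controls.

All data below is constructed sample data; the field layouts are assumptions.
"""

# Approved role matrix: which entitlements each job role may hold.
ROLE_MATRIX = {
    "ap_clerk": {"AP_INVOICE_ENTRY", "AP_INVOICE_VIEW"},
    "ap_manager": {"AP_INVOICE_VIEW", "AP_INVOICE_APPROVE", "VENDOR_MAINTAIN"},
    "gl_accountant": {"GL_JOURNAL_ENTRY", "GL_JOURNAL_VIEW"},
    "auditor": {"AP_INVOICE_VIEW", "GL_JOURNAL_VIEW"},
}

# HR feed: user -> (role, still employed?)
HR_USERS = {
    "alice": ("ap_clerk", True),
    "bob": ("ap_manager", True),
    "carol": ("gl_accountant", False),  # terminated last month
    "dave": ("auditor", True),
}

# Entitlement export from the financial application: (user, entitlement)
APP_ENTITLEMENTS = [
    ("alice", "AP_INVOICE_ENTRY"),
    ("alice", "AP_INVOICE_VIEW"),
    ("alice", "AP_INVOICE_APPROVE"),  # excess: a clerk should not approve
    ("bob", "AP_INVOICE_VIEW"),
    ("bob", "AP_INVOICE_APPROVE"),
    ("bob", "VENDOR_MAINTAIN"),
    ("carol", "GL_JOURNAL_ENTRY"),  # terminated user still has access
    ("dave", "GL_JOURNAL_VIEW"),
    ("erin", "GL_JOURNAL_ENTRY"),  # no HR record at all
]

# Production change log: (change_id, system, ticket_id, ticket_approved)
CHANGES = [
    ("chg-101", "gl-db", "CR-5521", True),
    ("chg-102", "ap-app", "", False),  # deployed with no ticket
    ("chg-103", "ap-app", "CR-5530", False),  # ticket exists but was never approved
]


def audit_entitlements(role_matrix, hr_users, entitlements):
    """Compare granted entitlements with the approved role matrix.

    Returns a dict with three buckets, each mapping user -> sorted entitlements:
      excess      entitlements beyond what the user's role allows
      terminated  entitlements still held by an inactive user
      unknown     entitlements held by a user with no HR record
    """
    granted = {}
    for user, entitlement in entitlements:
        granted.setdefault(user, set()).add(entitlement)

    findings = {"excess": {}, "terminated": {}, "unknown": {}}
    for user, held in sorted(granted.items()):
        if user not in hr_users:
            findings["unknown"][user] = sorted(held)
            continue
        role, active = hr_users[user]
        if not active:
            findings["terminated"][user] = sorted(held)
            continue
        extra = held - role_matrix.get(role, set())
        if extra:
            findings["excess"][user] = sorted(extra)
    return findings


def audit_changes(changes):
    """Return ids of production changes lacking an approved change ticket."""
    return [cid for cid, _system, ticket, approved in changes
            if not ticket or not approved]


def evidence_report(findings, unticketed):
    """Render the findings as plain lines suitable for the audit file."""
    lines = []
    for bucket, label in (("excess", "EXCESS ACCESS"),
                          ("terminated", "TERMINATED USER ACCESS"),
                          ("unknown", "UNKNOWN USER")):
        for user, ents in findings[bucket].items():
            lines.append(f"{label}: {user} holds {', '.join(ents)}")
    for cid in unticketed:
        lines.append(f"UNAPPROVED CHANGE: {cid} has no approved ticket")
    return lines


if __name__ == "__main__":
    report = evidence_report(
        audit_entitlements(ROLE_MATRIX, HR_USERS, APP_ENTITLEMENTS),
        audit_changes(CHANGES),
    )
    print("\n".join(report) if report else "No exceptions found")
```

Run on a schedule (monthly is a common cadence for access reviews), keep each run's output with the date and the source exports it was built from, and have the control owner sign off on the exceptions; that dated, owner-reviewed output is exactly the kind of documentation the auditor will ask for. The empty ticket on chg-102 and the unapproved ticket on chg-103 are deliberately distinct failure modes, because "a ticket exists" and "a ticket was approved before deployment" are different control assertions.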
HR and IT’s Role in SOX Compliance
We concede that your accounting department bears much of the responsibility for your SOX compliance, but certainly not all of it. Everyone from HR to IT plays a role, some just bigger than others. Human Resources, for instance, typically houses much of a company's records, particularly for payroll, and payroll feeds directly into the financial statements. Just like the systems storing your financial records, the controls over those HR and payroll systems fall within the scope of Section 404.
Given the regulation's emphasis on information and system security, IT departments are another major factor in SOX compliance, and not just on the data security front as we discussed. Information systems must be primed and ready to go, providing your leaders and auditors the reports they need and, just as importantly, when they need them. Likewise, your systems should create a wide-open paper trail that provides any required documentation on a moment's notice. These responsibilities fall squarely on the capable shoulders of your IT team.
SOX Compliance Checklist and Best Practices
While what we've covered so far is somewhat high-level, we don't want you to think that Embark isn't giving you the roll-up-your-sleeves type of advice we usually do. Thus, for a closer look at how to get up and running, we urge you to read our SOX Testing: Everything You Need to Know, as well as our Roadmap to Implementing SOX Compliance, an especially helpful tool for companies and CFOs new to SOX.
But building on what we've covered today, we also have a checklist of tips to help you prepare for your adventure into SOX compliance. Note, however, that our checklist focuses on preparing for a SOX audit, not what to do during the audit itself. For that sort of information, you can take a look at our insights on The Differences Between an AICPA and PCAOB Audit as well as our SOX Roadmap. So on that note:
- Start with the COSO framework for your internal controls over financial reporting (and COBIT for your IT general controls) and go from there. Doing so will help you stay on track and work from the same frameworks your auditors use.
- Establish policies that spell out how you create, adapt, and maintain your accounting systems, including any applications using your financial data.
- Create and document an incident response plan for handling security breaches, including who decides whether a breach affects financial reporting systems.
- Test the safeguards that protect against data breaches or tampering, making sure they are operational and effective rather than merely documented.
- Always monitor and log access to sensitive financial data, and review those logs on a defined schedule.
- Document any previous breaches and security safeguard failures, along with how you remediated them, and share that information with your SOX auditor.
- Collect valid and recent control reports (typically SOC 1 reports) from all applicable service organizations, confirm that the report period covers your fiscal year or obtain a bridge letter for any gap, and review the complementary user entity controls those reports expect you to have in place.
SOX Compliance Software
Lastly, we want to touch on the technology behind your SOX compliance. We understand just reading the requirements might make it feel as if you need NASA-level tech to drive your compliance workflows. That said, there are plenty of useful solutions out there in the market, our preference being Workiva's platform with integrated SOX compliance abilities. But, as always, we encourage you to do some due diligence to find a solution that suits your organization and needs best.
If a designated system with helpful bells and whistles – think automation and real-time insights – isn't feasible for you right now, plenty of companies still rely on good ol' Excel, at least as a stop-gap measure. If you follow that route, however, just make sure you have the proper access controls in place and continually update the workbooks. Granted, something like an internal control matrix can quickly become unwieldy using a spreadsheet-based solution, so research into designated platforms that can automate most – if not all – of those tasks is time well-spent.
Above all else, if 20 years of Sarbanes-Oxley has taught companies anything, it’s that finding a partner with genuine SOX expertise and experience is an asset that’s hard to equal. So whether it’s cleaning up your records, implementing new systems, or just providing guidance, Embark is always here, ready to lead the way to SOX compliance success.