The Sarbanes-Oxley Act of 2002 (SOX), named after Paul Sarbanes and Michael Oxley, is a law that implements regulations on publicly traded companies. In 2002, the US Congress passed the Sarbanes-Oxley Act (SOX) after a series of public scandals by large corporations such as Enron Corporation, Tyco International PLC, and WorldCom that led to a stock market plummet only a few months before the 2002 elections. The legislation intended to quell public fears of corporate misconduct and to require greater accountability by management and Boards of Directors when reporting financial data. However, Sarbanes-Oxley turned into a larger and more complex piece of legislation than originally planned.
The Major Provisions of Sarbanes-Oxley
The Sarbanes-Oxley Act of 2002 presented five main provisions. First, it created the Public Company Accounting Oversight Board (PCAOB) and imposed restrictions on public accounting firm auditors including independence standards. Second, it established corporate governance requirements that created audit committee safeguards. Third, the legislation added disclosure requirements for the financial reports and press releases. Fourth, the Sarbanes-Oxley Act of 2002 established criminal penalties for public companies and the CEOs and CFOs in the event of falsely certifying financial reports. Fifth, Sarbanes-Oxley Act (“SOX”) established criminal penalties of 20 to 25 years for obstruction of justice and securities fraud in the hope of further deterring the types of activities that had led to the 2001 and 2002 scandals.
Sarbanes-Oxley compliance requirements fall into several different areas. Many of these areas focus on corporate responsibility and corporate governance. Within those, however, some specific issues for information security exist as well. Many feel overwhelmed by SOX compliance. As with any legislation, the reality lies in focusing on what pertains to an individual organization not just the overall law.
SOX Section 302
Section 302 focuses on Disclosure Control and Procedures. In short, SOX 302 disclosures are traditionally unaudited, but still reviewed by the independent auditors, quarterly reports that discuss all the processes and controls in place for public disclosures. This section of the legislation also focuses on the personal accountability of signing officers. The direct excerpt from the Sarbanes-Oxley Act of 2002 (SOX) notes:
- the signing officer has reviewed the report;
- based on the officer’s knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading;
- based on such officer’s knowledge, the financial statements, and other financial information included in the report, fairly present in all material respects the financial condition and results of operations of the issuer as of, and for, the periods presented in the report;
In easy to understand terms, this means that if an executive officer signs a document, they personally take responsibility for it being true, for it fully disclosing all relevant procedures, and for it clearly detailing any changes that occurred during the period of the report.
SOX Section 401
SOX 401 includes two sections of note. First, it focuses on financial disclosures being prepared in accordance with specified accounting standards to ensure investor confidence Second, Sarbanes-Oxley 401 requires the reporting of off-balance sheet disclosures to ensure that those transactions meet these accepted accounting rules. The reports in 401 specifically relate to the annual and quarterly public financial reporting that had been misrepresented during the Enron and WorldCom scandals. Unlike the section 302 disclosures, these are formally audited by a public accounting firm.
SOX Section 404
At its basic level, Section 404 of the Sarbanes-Oxley Act (SOX) focuses on the scope and adequacy of the internal controls and procedures for financial reporting. This section of the Sarbanes-Oxley Act has farther reaching tentacles than any other and where most organizations struggle and spend the majority of their Sarbanes-Oxley compliance efforts. The SEC’s brochure outlines the steps to evaluating and documenting internal controls. First, a company needs to look at its reporting risks. These risks may be internally or externally inherent in the business. They may come from the authorization, process, and record transactions reflected in financial statements. When evaluating these, the United States Securities and Exchange Commission (SEC) suggests an organization ask the following questions:
- How do entity level controls relate to financial reporting elements? With what level of precision do they operate?
- Is there more than one control that addresses the same financial reporting risk? If so, which one provides the most efficient way for you to evaluate how well it works?
- Is the control automated? If so, how sturdy are the relevant IT controls? Or is the control manual – and if so, what is the risk of human error?
- Not every control within a particular process needs to be identified – only those that adequately address financial reporting risks.
The second step is to determine whether the controls work and the risk in the event that the controls fail. The greater the risk, the greater the evidence needed to support effective controls. The third steps would be reporting these conclusions on overall effectiveness and deficiencies. If an organization finds a material weakness, the controls cannot be considered effective.
The SEC guidance defines a material weakness as “one or more control deficiencies that create a reasonable possibility of a material misstatement in your company’s annual or interim financial statements. This does not necessarily mean that a material misstatement has occurred, but only that the controls might not be good enough to detect or prevent a material misstatement on a timely basis.” Materiality can differ from one company to the next, but it’s really about the logic behind the corporate decision and auditors’ evaluation of materiality. SOX 404 requires management maintain reasonable support for its assessment. These could include the design of the control, the way evidence was gathered and evaluated, or the basis of the assessment on the operating effectiveness of controls.
SOX Section 409
SOX 409 is referred to as the “Real Time Issuer Disclosures” section. The Sarbanes-Oxley Act states, “Issuers are required to disclose to the public, on an urgent basis, information on material changes in their financial condition or operations. These disclosures are to be presented in terms that are easy to understand and supported by trend and qualitative information of graphic presentations as appropriate.” In short, if an event occurs that leads to a big change in financial conditions or operations, the company needs to tell shareholder and stakeholders right away. In the world of information security, a security breach would be considered a material change.
SOX Section 806
SOX 806 focuses on the whistleblower protections. In an attempt to protect employees wanting to do the right thing, Sarbanes-Oxley gave the U.S. Department of Labor protection control of these employees. If a company retaliates against an employee for providing information of a violation, the Department of Justice can criminally charge the responsible parties.
SOX Section 906
SOX 906 forces corporate responsibility for filing of financial reports. Over the course of time, standard documents have been drafted for CEOs and CFOs to submits with their periodic SEC financial statement reports. Unlike the SOX 302 certifications that include the concept of “knowingly” within them, the SOX 906 certifications are more straightforward.
Sarbanes-Oxley and Information Security
For information security professionals, the overlap of SOX 302 and SOX 404 creates the most risk in terms of SOX compliance. 302 discusses the personal certification of financial reporting controls by the CEO and CFO. 404 focuses on the broad term “internal controls.” Neither of these sections specify a definition for control leaving it open for all interpretations, including those related to information systems.
Sarbanes-Oxley created the PCAOB to guide the auditor through best practices. However, the standards provide little insight into the terms IT controls. A 2004 SANS white paper provides a detailed look at how to piece together Sarbanes-Oxley compliance and IT controls. The PCAOB did select the Committee of Sponsoring Organizations (COSO) framework to create guidelines for structuring every internal control. Although the legislation does not specifically require the COSO framework, the PCAOB’s adoption of it makes it a safe choice.
The COSO framework addresses areas of compliance such as information security controls, control environment, risk assessment control activities, information and communication and monitoring.
To close the last gap of compliance, many organizations turn to the Control Objectives for Information and related Technology (COBIT) framework. COBIT organizes 34 IT processes into categories of planning and organization, acquisition and implementation, delivery and support, and monitoring. Finally, by ensuring that an organization has a security policy, security standards, access and authentication procedures, network security details, monitoring, segregation of duties, and physical security, a company will be able to put together an appropriate Sarbanes-Oxley compliance program.
The biggest challenge for IT security departments lie in appropriate access. Although the security requirements appear more lax than other regulations like the Payment Card Industry Data Security Standard (PCI DSS) or ISO 27001, it often leads to the foundation of best practices. Jeff Jenkins from Travelport notes on TechTarget,
One of the most specific requirements involves monitoring user access to data. This requires mature procedures for user provisioning, de- provisioning and granting privileged access to modify or administer data systems. Nearly every IT security standard includes requirements to monitor and control system and data access, and Sarbanes-Oxley requires auditors and IT personnel to regularly review practices such as access rights. Under Sarbanes-Oxley, however, senior-level management is also required to sign-off on those reviews, so SOX-compliant organizations tend to have more mature access control procedures.
Regular access reviews can not only lead to SOX compliance, but as a best practice ensure security for the organization. In this manner, Sarbanes-Oxley compliance has the unintended benefit of helping to protect companies from malicious intrusion.
While Sarbanes-Oxley may have been a great shake up to corporate culture in 2002, its ongoing legacy helps to establish not just financial reporting trust but also information security best practices.
If you’re looking for ways to automate your Sarbanes-Oxley compliance to help streamline the process, please contact one of Reciprocity’s experts.