SOX Compliance: Requirements and Checklist


The Sarbanes-Oxley (SOX) Act of 2002 is a US federal law governing corporate financial reporting. Congress enacted it in response to a series of accounting scandals that highlighted the need for closer control over how public companies produce and attest to their financial statements.

Goals: SOX aimed to increase transparency in corporate and financial governance, and create checks and balances that would prevent individuals within a company from acting unethically or illegally.

Applies to: The regulation applies to all public companies based in the USA, international companies that have registered stocks or securities with the SEC, as well as accounting or auditing firms that provide services to such companies.

Penalties: Non-compliance with SOX can lead to fines running into millions of dollars and to criminal conviction. Section 906, for example, provides for fines of up to $5 million and up to 20 years of imprisonment for an officer who willfully certifies a financial report that does not meet the Act's requirements.

Benefits: SOX compliance is not just a regulatory requirement, it is also good business practice because it encourages robust information security measures and can prevent data theft.

About this Explainer:

This content is part of a series about information security.

Who Must Comply with SOX?

The following entities must comply with SOX:

Accounting and auditing firms

SOX separates the audit function from other services an accounting firm may sell. The firm auditing the books of a publicly held company is not allowed to also provide that company with bookkeeping, business valuations, or outsourced internal audit services. It is also not allowed to design or implement a financial information system, provide investment advisory or investment banking services, or consult on management functions such as human resources.

Companies and non-profit organizations

Private companies, non-profits, and charities are not required to comply with all SOX provisions, but the criminal provisions on falsifying or knowingly destroying financial records (Section 802) and on retaliating against whistleblowers (Section 1107) apply to every organization, not only to SEC registrants.

Whistleblowers protection

SOX imposes penalties on organizations for non-compliance and on anyone who retaliates against a whistleblower, meaning a person who provides law enforcement with truthful information about a possible federal offense. Under the SOX whistleblower provisions, a person who retaliates against a whistleblower may face up to 10 years of imprisonment.

Initial public offerings (IPOs)

Private companies planning their IPO must comply with SOX before they go public.

Payroll system controls

Because payroll figures flow directly into the financial statements, payroll systems fall under the SOX internal-control requirements: companies must be able to account accurately for workforce size, benefits, salaries, incentives, training costs, and paid time off, and must control who can change those records. In addition, Section 406 requires public companies to disclose whether they have adopted a code of ethics for their senior financial officers (and, if not, why), which in practice means maintaining an ethics program with a written code, staff training, and a communication plan.

Primary SOX Compliance Requirements

The following SOX Compliance Requirements are directly applicable to IT organizations within companies that are subject to SOX regulations, and will affect your information security strategy:

SOX Compliance Audits

A SOX compliance audit is commonly performed against an IT control framework such as COBIT. The most extensive part of the audit is conducted under Section 404, which requires management to assess the internal controls over financial reporting and the external auditor to attest to that assessment. On the IT side this involves investigating four elements of your environment:

SOX Compliance Checklist

The following checklist will help you formalize the process of achieving SOX compliance in your organization.

Goals and practical steps:

1. Prevent data tampering. Implement systems that track logins to the systems holding financial data and detect suspicious login attempts, for example bursts of failed logins, logins outside business hours, or logins from unexpected locations.

2. Record timelines for key activities. Timestamp, from a trusted clock, every financial or other SOX-relevant record and the actions taken on it. Store these records at a remote, secure location under integrity protection (hash chains, digital signatures, or write-once storage) so that any alteration or deletion is detectable. Encrypt them as well where confidentiality is required, but note that encryption on its own does not reveal tampering; only an integrity control does.

3. Build verifiable controls to track access. Implement systems that can ingest data from practically any organizational source, including files, FTP transfers, and databases, and record who accessed or modified each piece of data and when.

4. Test, verify, and disclose safeguards to auditors. Implement systems that report daily to designated officers that all SOX control measures are operating correctly. Give auditors read-only access, enforced through permissions, so they can view reports and underlying data without being able to change anything.

5. Report on the effectiveness of safeguards. Implement systems that generate reports on the data that has passed through the controls, on critical messages and alerts, and on security incidents that occurred and how they were handled.

6. Detect security breaches. Implement security systems that analyze the collected data, identify indicators of a breach, generate meaningful alerts, and automatically open cases in an incident management system.

7. Disclose security breaches and failures of security controls to auditors. Implement systems that log security breaches and let security staff record how each incident was resolved. Enable auditors to view reports showing which incidents occurred, which were successfully mitigated, and which were not.
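As an added illustration of checklist items 1, 2, and 6 (this is example code written for this page, not part of the original checklist or any vendor product), the following Python builds a tamper-evident, timestamped audit trail and runs a simple failed-login burst detector over it. The log key, the event fields, and the sample events are all assumptions constructed for the example; in a real deployment the key would be held by a log collector or HSM that the financial application cannot write to.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from collections import deque
from datetime import datetime, timedelta, timezone

# Assumption: the key is held by a separate log collector / HSM, not by the
# application host. It is hard-coded here only so the example runs offline.
LOG_KEY = b"example-key-held-by-the-log-collector"


class TamperEvidentLog:
    """Append-only log in which every record carries an HMAC over its own
    content plus the previous record's MAC. Editing, reordering, or deleting
    any record invalidates that record and every record after it."""

    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self._key = key
        self.records: list[dict] = []

    def _mac(self, body: dict) -> str:
        # Canonical JSON so the MAC can be recomputed byte-for-byte later.
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, event: dict, ts: datetime | None = None) -> dict:
        ts = ts or datetime.now(timezone.utc)  # production: trusted clock source
        prev = self.records[-1]["mac"] if self.records else self.GENESIS
        body = {"ts": ts.isoformat(), "prev": prev, "event": event}
        body["mac"] = self._mac({k: body[k] for k in ("ts", "prev", "event")})
        self.records.append(body)
        return body

    def verify(self) -> tuple[bool, int]:
        """Return (True, -1) if the chain is intact, else (False, index of
        the first record whose MAC or back-link does not check out)."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            expected = self._mac({k: rec[k] for k in ("ts", "prev", "event")})
            if rec["prev"] != prev or not hmac.compare_digest(expected, rec["mac"]):
                return False, i
            prev = rec["mac"]
        return True, -1


def build_log(events: list[dict], key: bytes = LOG_KEY) -> TamperEvidentLog:
    """Ingest application events (each with a datetime 'ts') into the chain."""
    log = TamperEvidentLog(key)
    for ev in sorted(events, key=lambda e: e["ts"]):
        log.append({k: v for k, v in ev.items() if k != "ts"}, ts=ev["ts"])
    return log


def failed_login_bursts(events: list[dict], threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Flag any user with >= threshold failed logins inside a sliding window.
    One alert per user, raised the moment the threshold is crossed."""
    recent: dict[str, deque] = {}
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("action") != "login" or ev.get("result") != "fail":
            continue
        q = recent.setdefault(ev["user"], deque())
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and ev["user"] not in alerted:
            alerts.append({"user": ev["user"], "count": len(q), "last": ev["ts"]})
            alerted.add(ev["user"])
    return alerts


# Constructed sample events for a hypothetical general-ledger system "gl-erp".
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"ts": T0, "user": "jdoe", "action": "login", "result": "ok", "system": "gl-erp"},
    {"ts": T0 + timedelta(minutes=1), "user": "jdoe", "action": "update",
     "result": "ok", "system": "gl-erp", "record": "JE-1042"},
    {"ts": T0 + timedelta(minutes=2), "user": "svc-batch", "action": "login", "result": "fail", "system": "gl-erp"},
    {"ts": T0 + timedelta(minutes=2, seconds=20), "user": "svc-batch", "action": "login", "result": "fail", "system": "gl-erp"},
    {"ts": T0 + timedelta(minutes=3), "user": "svc-batch", "action": "login", "result": "fail", "system": "gl-erp"},
    {"ts": T0 + timedelta(minutes=4), "user": "svc-batch", "action": "login", "result": "ok", "system": "gl-erp"},
]

if __name__ == "__main__":
    log = build_log(SAMPLE_EVENTS)
    print("chain intact:", log.verify())
    log.records[1]["event"]["record"] = "JE-9999"  # simulate an edit to a journal entry
    print("after tampering:", log.verify())
    print("alerts:", failed_login_bursts(SAMPLE_EVENTS))
```

The design choice worth noting is that the check an auditor cares about is detection, not secrecy: the chain makes any edit, deletion, or reordering of a record provable after the fact, which encryption alone would not do. The burst detector is deliberately simple; a SIEM would add context such as source address and business hours, but the sliding-window logic is the same.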

SOX Compliance with the Exabeam SOC Platform

Understanding the requirements of the regulation is only half the battle when it comes to SOX compliance. To achieve compliance effectively, you will need the right technology stack in place. Tools that help gather the right data and set up the security controls and measures required by SOX regulations will help you achieve compliance faster and reduce risks to your organization.

As the leading Next-gen SIEM and XDR, Exabeam Fusion provides a cloud-delivered solution for threat detection and response. Exabeam Fusion combines behavioral analytics and automation with threat-centric, use case packages focused on delivering outcomes. It can help improve your organization’s overall security profile, leaving you better equipped to maintain compliance with regulations such as SOX.
