What is SOX (Sarbanes-Oxley Act) compliance?
What is SOX compliance?

SOX compliance is the act of adhering to the financial reporting, information security and auditing requirements of the Sarbanes-Oxley (SOX) Act, a US law that aims to prevent corporate fraud.


To be SOX compliant, public companies doing business in the US must: 

  • Implement internal controls to protect financial data from tampering.
     
  • File regular reports with the Securities and Exchange Commission (SEC) attesting to the effectiveness of internal controls over financial reporting and the accuracy of financial disclosures. 

  • Pass an annual independent audit of their financial statements and controls. 

The SOX Act also sets rules for the accounting firms that audit public companies and the analysts who publish research on securities. The act imposes significant fines and criminal sentences for fraudulent financial activities and certain forms of noncompliance.  

While SOX is a financial regulation, stakeholders from throughout the organization are involved in achieving compliance. IT departments and cybersecurity teams have become particularly important as organizations increasingly turn to technology solutions to protect financial information in complex enterprise networks.  

According to a 2023 report by consulting firm Protiviti (link resides outside ibm.com), more than half of companies say SOX compliance takes longer to achieve now. The average organization spends more than USD 1 million on SOX compliance efforts every year.  


What is the Sarbanes-Oxley (SOX) Act?  

The Sarbanes-Oxley Act of 2002 is a US federal law co-sponsored by Senator Paul Sarbanes and Representative Michael Oxley. Congress enacted the law in the wake of several financial scandals at the dawn of the 21st century, including the collapses of Enron, WorldCom and Tyco.

In these and other instances, public companies used a mix of accounting loopholes and outright fraud to inflate their values, causing investors to lose billions. For example, when Enron's deceptions were uncovered, its stock price fell from USD 90.75 to just 60 cents per share.

In some instances, companies were aided by the external accounting firms that were supposed to be auditing them. Arthur Andersen, once one of the "Big Five" accounting firms, ceased operations because of its role in the Enron and WorldCom scandals.

SOX aims to prevent corporate fraud by setting strict regulatory mandates for how organizations protect financial records from tampering and making auditors more independent from their clients.

The effects of SOX

The act is a sweeping bill with 11 titles in total. Some of its most significant effects include: 

  1. Creating the Public Company Accounting Oversight Board (PCAOB)
  2. Strengthening financial reporting requirements
  3. Making corporate executives personally responsible for financial disclosures and controls
  4. Increasing independence for external auditors and analysts
  5. Protecting whistleblowers
Creating the Public Company Accounting Oversight Board (PCAOB) 


SOX established the PCAOB, a nonprofit corporation that sets financial auditing standards and regulates the accounting firms that audit public companies. The PCAOB can investigate firms suspected of noncompliance and discipline them, including by levying civil money penalties of up to USD 100,000 for individuals and USD 2,000,000 for firms per violation, with higher ceilings for intentional or reckless conduct (the statutory amounts are periodically adjusted for inflation).

Strengthening financial reporting requirements


Under the Securities Exchange Act of 1934, public companies of a certain size already had to file annual and quarterly financial reports with the SEC. SOX stresses that these reports must be free of misleading statements. Reports must be prepared according to generally accepted accounting principles, a set of standards maintained by the Financial Accounting Standards Board (link resides outside ibm.com). 

Some off-balance-sheet transactions that companies could previously leave off financial reports, such as debts held by unconsolidated subsidiaries, must now be reported if they would have a material effect on the company's financial status. Information is "material" if it would cause a reasonable investor to reconsider an investment decision. 

Companies must also disclose to the public, on a rapid and current basis, anything that constitutes a material change to their financial condition or operations. 

Finally, companies must implement internal controls to protect financial data from tampering and fraudulent use by internal or external actors. This includes retaining financial records for certain periods of time.  

Making corporate executives personally responsible for financial disclosures and controls


Under SOX, the chief executive officer (CEO), chief financial officer (CFO) and any corporate officers performing similar roles are personally responsible for ensuring that financial statements are true and internal control structures are effective. Executives who knowingly certify reports that do not meet these requirements face fines and criminal sentences, with harsher penalties if they do so willfully. 

Increasing independence for external auditors and analysts


Conflicts of interest contributed to the scandals that spurred the passage of SOX. The accounting firms that audited public companies' financial statements often provided lucrative consulting services to those same companies. Accountants felt incentivized to produce audit reports their clients found acceptable, or they risked losing these profitable arrangements. 

Similarly, analysts who report on stock values often work for organizations that provide investment banking or other services to public companies.

SOX aims to eliminate these conflicts of interest in a few ways. First, it mandates that public companies create audit committees that are independent of management. These committees are responsible for hiring and coordinating with independent auditors. SOX also makes it illegal for organizations to attempt to influence the outcomes of audits.  

Accounting firms cannot provide certain non-audit services, such as bookkeeping or financial information system design, to the companies they audit, and any other non-audit services must be preapproved by the client's audit committee. The lead audit partner must also rotate off an engagement every five years.  

Securities analysts must operate independently from their institutions' investment banking portions. They must also disclose any potential conflicts of interest when reporting on securities.  

Protecting whistleblowers


SOX makes it illegal to retaliate against employees who report potential fraud by demoting, firing, suspending, harassing or otherwise harming them.  

Who does SOX apply to?  

SOX applies to all publicly traded companies doing business in the US and their wholly owned subsidiaries. It also applies to securities analysts and the accounting firms that audit public companies.

While private companies and nonprofits are not generally bound by SOX, there are some exceptions. Private companies preparing to go public through an initial public offering are subject to SOX when they file a registration statement with the SEC. Whistleblowers at private companies that provide services for public companies are protected by SOX when reporting on the misconduct of their public clients.

SOX makes it illegal for any organization—public, private or nonprofit—to destroy or falsify financial records to obstruct a federal investigation.

While SOX is a US regulation, it does have repercussions for organizations outside the country. Public companies headquartered outside the US must abide by SOX requirements if they do business in the US. The passage of SOX also inspired other countries to adopt their own laws combatting financial fraud, such as Canada’s Keeping the Promise for a Strong Economy Act (also called “C-SOX”) and Japan’s Financial Instruments and Exchange Act (also called “J-SOX”).

In Europe, many have noted significant overlap between SOX compliance and General Data Protection Regulation (GDPR) compliance. In particular, many of the same security controls and data protection processes that enable SOX compliance also support GDPR compliance. The European Union has implemented its own SOX-like rules surrounding the independence of financial auditors as well.

SOX compliance requirements  

At the core, SOX compliance means that all of an organization's financial disclosures are entirely accurate and that the organization has controls and documentation to back up its financial statements. 

However, the process of reaching SOX compliance can be complex. SOX does not exhaustively outline every control a company needs or every step auditors must take. Different organizations reach SOX compliance in different ways.   

At a high level, SOX has three broad requirements: 

  1. Filing accurate financial reports certified by corporate executives
  2. Implementing appropriate internal controls
  3. Passing regular audits  
Filing accurate financial reports certified by corporate executives  

Under SOX section 302, "Corporate Responsibility for Financial Reports," a company's CEO, CFO or equivalent leaders must sign off on every annual and quarterly financial report filed with the SEC. 

In signing off on the reports, the CEO and CFO must certify that the reports contain no untrue statements or omissions of material fact and fairly present the company's financial condition. They must also assert that they are responsible for the internal controls, that those controls are in place, and that their effectiveness has been evaluated within the last 90 days.  

Under SOX section 404, "Management Assessment of Internal Controls," every annual financial report filed with the SEC must contain an in-depth internal control report. The internal control report states that management is responsible for internal controls and assesses the effectiveness of the company's internal controls as of the end of the most recent fiscal year. 

Organizations must report any material changes to their financial status promptly. While cybersecurity incidents can count as material changes under SOX, it's worth noting the SEC adopted new rules in July 2023 making the reporting requirements for these incidents even stricter (link resides outside ibm.com).

Notably, organizations must report cybersecurity incidents within four business days of determining that the incident has had or is reasonably likely to have a material impact. Companies must also report incidents at third parties, like cloud services, if they could materially affect the organization. 

Implementing appropriate internal controls  

Companies implement SOX internal controls to prevent internal and external actors from fraudulently altering financial data or using it for illicit purposes.  

SOX does not explicitly list all of the controls companies must implement. Organizations often rely on corporate governance frameworks such as COBIT (Control Objectives for Information and Related Technologies), maintained by ISACA (the Information Systems Audit and Control Association). The internal control framework of COSO (the Committee of Sponsoring Organizations of the Treadway Commission) is also popular. While these frameworks were not developed specifically for SOX, the control schemes they present typically meet SOX compliance requirements. 

Organizations implement controls at the level of both business processes and information technology infrastructure.  

Business process controls    


Business process controls include things like training employees on SOX requirements and establishing secure reporting channels for whistleblowers.  

Many companies also apply segregation of duties, a principle in which workflows are broken into multiple parts, and different employees are responsible for each step. The idea is that no single employee controls the entire workflow, and each person involved acts as a check on the others. A typical example would be making it so that the person who approves payments is not the same person who writes the checks from the company account.  
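As an added example (not IBM's code or any product's API), the following Python implements the control just described as an application-level check: a payment passes through create, approve and disburse steps, each step is limited to a role that may perform only that step, and no single account may act on the same payment twice. The role names, step order and in-memory audit history are assumptions chosen for the demonstration; a real system would back them with a database and an identity provider.

```python
"""Segregation-of-duties (SoD) enforcement for a payment workflow.

Added illustrative example; the roles, steps and data shapes are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Least privilege: each role is permitted exactly one step of the workflow.
ROLE_PERMISSIONS = {
    "ap_clerk": {"create"},
    "controller": {"approve"},
    "treasury": {"disburse"},
}

# Steps must occur in this order; the approver must never be the payer.
STEP_ORDER = ["create", "approve", "disburse"]


class SoDViolation(Exception):
    """Raised when one account attempts a second step on the same payment."""


@dataclass
class Payment:
    payment_id: str
    amount_cents: int
    history: list = field(default_factory=list)  # (step, user, utc timestamp)

    def performed_by(self):
        return {user for _, user, _ in self.history}

    @property
    def state(self):
        return self.history[-1][0] if self.history else "new"


def perform_step(payment, step, user, user_roles):
    """Apply `step` to `payment` on behalf of `user`; enforce RBAC, order and SoD."""
    # 1. Role check: the user must hold a role that permits this step.
    allowed = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user_roles))
    if step not in allowed:
        raise PermissionError(f"{user} holds no role permitting '{step}'")
    # 2. Sequence check: steps cannot be skipped or repeated.
    idx = len(payment.history)
    if idx >= len(STEP_ORDER) or STEP_ORDER[idx] != step:
        raise ValueError(f"'{step}' is not the next step for {payment.payment_id} "
                         f"(current state: {payment.state})")
    # 3. Segregation of duties: even a user holding several roles (a common
    #    access-accumulation problem) may not touch the same payment twice.
    if user in payment.performed_by():
        raise SoDViolation(f"{user} already acted on {payment.payment_id}; "
                           f"SoD forbids '{step}'")
    payment.history.append((step, user, datetime.now(timezone.utc).isoformat()))
    return payment.state


def run_demo():
    """Walk one payment through the workflow; return the outcome of each attempt."""
    outcomes = []
    payment = Payment("INV-2024-001", 250_000_00)  # constructed sample payment
    attempts = [
        ("create", "alice", ["ap_clerk"]),
        ("disburse", "dave", ["treasury"]),                 # out of order
        ("approve", "alice", ["ap_clerk"]),                 # clerk cannot approve
        ("approve", "carol", ["controller", "treasury"]),   # carol holds two roles
        ("disburse", "carol", ["controller", "treasury"]),  # RBAC passes, SoD blocks
        ("disburse", "dave", ["treasury"]),
    ]
    for step, user, roles in attempts:
        try:
            outcomes.append((step, user, "ok:" + perform_step(payment, step, user, roles)))
        except (PermissionError, ValueError, SoDViolation) as exc:
            outcomes.append((step, user, type(exc).__name__))
    return payment, outcomes


if __name__ == "__main__":
    _, results = run_demo()
    for step, user, result in results:
        print(f"{step:<9} {user:<6} -> {result}")
```

The fifth attempt is the instructive one: carol's roles permit both approving and disbursing, so a pure role check would let her pay an invoice she approved herself. The SoD check on the payment's history is what actually enforces the principle, and the `history` list doubles as the audit trail an auditor would sample.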

Companies may also create processes for storing and preserving records to comply with SOX requirements for document retention. For example, auditors are required to save any work papers associated with an audit for seven years.  

IT controls


Automation has become increasingly important to SOX compliance efforts as enterprise networks grow more complex. According to Protiviti, the average company has 36 business applications that fall under SOX requirements (link resides outside ibm.com). IT security controls can help enforce SOX rules across all these apps.  

Some organizations use specialized SOX compliance software to securely store SOX-related data and documents, track relevant activity and flag gaps in internal controls. However, companies can also use more general cybersecurity tools for SOX compliance purposes.  

Data protection tools, like data loss prevention (DLP) solutions, can track where sensitive data is stored, who accesses it and what they do with it. Some DLP tools can also block users from making unauthorized changes to financial data or moving it to unauthorized locations. Organizations may also use automated backups so data can be recovered if destroyed or tampered with. 

Identity and access management (IAM) solutions let organizations set granular access control policies following the principle of least privilege. Employees are only granted the lowest permissions they need to do their jobs. IAM platforms can also streamline change management so that organizations can quickly update and remove access permissions as people join the company, change roles or leave.  

Companies can use security information and event management (SIEM) solutions to monitor network activity, detect security breaches and respond to incidents faster. SIEM solutions also preserve security logs that help organizations prove compliance during SOX audits. Some SIEM tools have built-in SOX-specific features or integrate with tools that do, allowing them to automatically record relevant information and generate compliance reports. 
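The detective side of these IT controls, as an added example (not IBM's code, not QRadar, and not any SIEM vendor's rule syntax): the script below runs a handful of SOX-style rules over database audit events for in-scope financial tables and produces the per-rule counts an auditor typically asks for alongside the raw findings. The sample events are constructed for this example, and the table names, the single authorized service account, the business-hours window and the bulk-change threshold are all assumptions.

```python
"""Detection rules for changes to SOX-scoped financial data, run over sample audit events.

Added illustrative example; event format and policy values are assumptions.
"""
import json
from datetime import datetime

IN_SCOPE_TABLES = {"general_ledger", "vendor_master"}  # assumed SOX-scoped tables
AUTHORIZED_WRITERS = {"gl_app_svc"}                     # only the ERP service account may write
BUSINESS_HOURS_UTC = (7, 19)                            # assumed; writes outside are suspect
BULK_ROW_THRESHOLD = 10                                 # assumed bulk-change threshold

# Constructed sample events in the JSON-lines shape assumed for this example.
SAMPLE_EVENTS = """
{"ts":"2024-03-29T14:02:11Z","user":"gl_app_svc","table":"general_ledger","op":"UPDATE","rows":1,"ticket":"CHG-1042"}
{"ts":"2024-03-30T02:15:40Z","user":"dba_mike","table":"general_ledger","op":"UPDATE","rows":37,"ticket":null}
{"ts":"2024-04-02T09:10:05Z","user":"gl_app_svc","table":"general_ledger","op":"INSERT","rows":4,"ticket":"CHG-1050"}
{"ts":"2024-04-03T18:45:00Z","user":"jsmith","table":"general_ledger","op":"DELETE","rows":2,"ticket":"CHG-1050"}
{"ts":"2024-04-01T11:00:00Z","user":"gl_app_svc","table":"vendor_master","op":"UPDATE","rows":1,"ticket":"CHG-1049"}
{"ts":"2024-04-01T11:05:00Z","user":"dba_mike","table":"session_cache","op":"DELETE","rows":900,"ticket":null}
"""


def parse_event(line):
    """Parse one JSON audit record; timestamps are ISO 8601 with a trailing Z."""
    event = json.loads(line)
    event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    return event


def evaluate(event):
    """Return the names of every rule the event violates (empty list if clean)."""
    if event["table"] not in IN_SCOPE_TABLES:
        return []  # out-of-scope tables are not SOX evidence
    hits = []
    if event["user"] not in AUTHORIZED_WRITERS:
        hits.append("unauthorized_writer")        # direct DBA/user write bypassing the app
    if not event.get("ticket"):
        hits.append("missing_change_ticket")      # change management not followed
    if event["table"] == "general_ledger" and event["op"] == "DELETE":
        hits.append("ledger_delete")              # journals are reversed, never deleted
    start, end = BUSINESS_HOURS_UTC
    off_hours = not (start <= event["ts"].hour < end)
    if off_hours and event["rows"] > BULK_ROW_THRESHOLD:
        hits.append("off_hours_bulk_change")
    return hits


def analyze(raw_lines):
    """Run every rule over a JSON-lines string; return one finding per offending event."""
    findings = []
    for line in raw_lines.strip().splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        rules = evaluate(event)
        if rules:
            findings.append({
                "ts": event["ts"].isoformat(),
                "user": event["user"],
                "table": event["table"],
                "op": event["op"],
                "rules": rules,
            })
    return findings


def evidence_summary(findings):
    """Per-rule counts: the figure an auditor wants next to the raw findings."""
    summary = {}
    for finding in findings:
        for rule in finding["rules"]:
            summary[rule] = summary.get(rule, 0) + 1
    return summary


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['ts']} {f['user']:<10} {f['op']:<6} {f['table']:<15} {', '.join(f['rules'])}")
    print("summary:", evidence_summary(found))
```

Two design points carry over to a real deployment: the rules key on the in-scope table list rather than on the whole database, so noise from out-of-scope tables (the `session_cache` purge here) never lands in the SOX evidence, and each finding records which rules fired, so the same output serves as an alert for the SOC and as a control-exception log for the audit.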

SOX's information security obligations extend to cloud data centers where organizations store or process financial information. Companies need to consider controls for these data sources as well.

Passing regular audits  

As noted above, the CEO and CFO must vouch for the accuracy of every financial report and the effectiveness of internal controls. Regular audits give executives the proof they need to make these statements. 

By conducting regular internal audits of financial reporting practices and data controls, companies can monitor compliance over time, identify gaps and remedy weaknesses.  

The findings of internal audits can also assist the external auditors who perform annual SOX compliance audits. In the annual audit, an independent accounting firm conducts its own assessment of internal controls and financial reporting. The results of this audit are often included with the company's annual SEC report.  

In the past, auditors also had to report on whether management's own assessment of internal controls was accurate. This requirement was removed when the PCAOB replaced Auditing Standard No. 2 with Auditing Standard No. 5, which the SEC approved in 2007 (link resides outside ibm.com). 

SOX does not specify exactly how managers and accounting firms should conduct their audits. Instead, the SEC states (link resides outside ibm.com) that auditors and managers should use a top-down risk assessment (TDRA) to determine the scope of their audits. A TDRA identifies the accounts, disclosures and other areas that are most at risk of material fraud and focuses on assessing the key controls that address those risks.  

Why SOX compliance matters  

Becoming SOX compliant has benefits. Investors may be more confident in financial disclosures and, therefore, more willing to invest in SOX-compliant companies. SOX also reduces the incentives for corporate leaders to commit fraud by holding them personally responsible for financial statements.  

SOX compliance may help organizations improve their cybersecurity postures overall. Many of the data security controls organizations use to prevent financial tampering can also combat cyberattacks. For example, IAM solutions help keep hackers out of users' accounts, and SIEM tools can help catch ongoing security incidents sooner.  

Noncompliance with SOX can also lead to civil and criminal penalties for organizations and individuals.  

Executives who knowingly certify a financial report that does not meet SOX requirements can be fined up to USD 1 million and imprisoned for up to 10 years. Executives who do so willfully can be fined up to USD 5 million and imprisoned for up to 20 years. 

Executives can also have incentive-linked compensation clawed back if an organization has to issue a financial restatement. Under SEC rules adopted in 2022 (link resides outside ibm.com), no finding of misconduct is required: a clawback is triggered whenever a restatement shows that the incentive-linked goals were not actually met. 

SOX also makes it illegal to damage, alter or otherwise interfere with financial records. Individual employees can face prison sentences of up to 20 years for doing so. Corporate officers who retaliate against whistleblowers face fines and prison sentences of up to 10 years.

The SEC can prohibit people who violate SOX rules from serving as corporate officers, directors, brokers, advisors and dealers. Companies can even be delisted from stock exchanges for significant noncompliance.
