SOX Compliance: 2024 Complete Guide

SOX compliance is an annual obligation derived from the Sarbanes-Oxley Act (SOX) that requires publicly traded companies doing business in the U.S. to establish financial reporting standards, including safeguarding data, tracking attempted breaches, logging electronic records for auditing, and proving compliance.

What is Sarbanes-Oxley? The act demands internal controls for financial records and requires the chief executive officer (CEO) and the chief financial officer (CFO) to sign statements attesting to the accuracy of financial reports. The act also increases fines and criminal sentences for fraudulent reporting. Both stipulations aim to build trust in American corporate investment.

The provisions that most impact organizations’ accounting practices involve selecting and maintaining controls on the security of financial documents. They’ll also be held to a higher level of reporting on financial documents and SOX security controls.

SOX was enacted in 2002 to prevent accounting failures that led to Americans’ loss of confidence in securities markets. It started due to an outcry from investors following the fraudulent activities of companies such as Enron, WorldCom, Tyco, and Global Crossing, in a string of corporate scandals that piled pressure on government regulators to protect shareholders.

The bill overwhelmingly passed in both the House of Representatives and the Senate. It was signed into law by President George W. Bush, who likened SOX to the far-reaching business reforms made by Franklin D. Roosevelt in the wake of the Great Depression.

Overall, here’s a simple definition of SOX: it stands for the Sarbanes-Oxley requirements, a set of bipartisan legal standards meant to stabilize markets, benefit investors, and protect the American public. The purpose of the Sarbanes-Oxley Act was to restore trust in financial reporting.

Why Do We Need SOX Compliance?

In early 2000, Enron investors felt their money was safe, assured by financial reports of the company’s profitability, assets, and liabilities. But Enron was insolvent, and its stock would plummet from $90.75 in late 2000 to just $0.26 by its 2002 bankruptcy.

Investors became incensed when a whistleblower detailed the company’s practices using future projections. They’d switched to an accounting practice called mark-to-market (MTM or M2M), which paved the way for inflated valuations to be recorded. The company also used off-balance sheet (OBS) special-purpose vehicles to hide bad debt.

These accounting practices were not fraudulent in themselves. In fact, the Securities Exchange Commission (SEC) had approved mark-to-market accounting for Enron. But the use of the accounting method to mislead investors did prove fraudulent. It called attention to the need for regulation.

SOX has eleven provisions, most of which apply to publicly traded U.S. companies or publicly traded companies in other countries that do business in the U.S. These companies are required to make and maintain internal controls and audit them. They also have reporting and auditing requirements, including utilizing a rotating, independent accounting firm to ensure quality reports. Off-balance-sheet actions require reporting, too.

Ultimately, companies publish annual reports for the public with the goal of making their financial statements both reliable and transparent. That makes American markets trustworthy and boosts stock sales. It also reduces financial fraud.

So why is SOX compliance required? It helps American businesses find investors, as SOX policies and procedures are designed to instill trust.

Nonprofits, Privately Held Companies, and Accounting Firm Requirements

Certain other SOX guidelines apply to privately held companies and nonprofits. These organizations must comply with provisions that forbid knowingly destroying or falsifying financial documents. In addition, they must comply with federal investigations around financial reporting.

Audit firms must also comply, remaining in good standing with the Public Company Accounting Oversight Board (PCAOB). That includes continuing education for relevant practitioners on accounting ethics and standards and the impact of SOX requirements.

According to the Protiviti report, “SOX Compliance and the Promise of Technology and Automation,” compliance costs average between $181,300 for small firms with less than $25 million in revenue to $2,014,100 for firms with over $10 billion in revenue per year—and costs are rising. Yet the overall trend is misleading as large companies are able to lower the cost of compliance by automating several processes. In contrast, smaller firms’ costs increase under the weight of added time spent on managing compliance. 

Is the cost of compliance worth it? Overall, the answer is yes. While multiple companies went private and deregistered their stock from the market following SOX regulations and smaller companies incurred high costs, the effect did not last long. Today, a stronger market and more predictable IPO offerings suggest that SOX rules stabilized the market and increased corporate financial reliability.

Benefits of SOX Compliance

For individual companies, the benefits of SOX compliance include:

• Identifying and strengthening internal controls: Sarbanes-Oxley legislation, much like SOC 2 compliance, gave companies a baseline for understanding the internal control standards that safeguard their data and protect their businesses. What is SOX compliance in accounting? It’s simply the SOX policies and procedures that protect companies from data theft.

• Reliable, efficient audits: SOX made executive teams accountable for audit results, and internal audit teams have more specific responsibilities for SOX data documentation and SOX testing. That makes the work of external audit teams more efficient, too.

• Processes primed for growth: With documentation processes in place early, audits are efficient, but so are other company processes, such as staying focused on high-risk priorities and the most appropriate company controls to handle them. There’s integration with IT and across siloed departments early on. Organizations can build security-minded, financially healthy processes from the beginning, minimizing auditing costs and maximizing financial growth.

Downsides of SOX Compliance

Complying with the Sarbanes-Oxley Act isn’t simple. With costs running into the millions for large companies, it means an added burden not directly related to business outcomes. While the Sarbanes-Oxley Act can arguably mean a payoff for company trust in the markets, the benefit is difficult to quantify when weighed against costs. Downsides include:

• Establishing new internal controls: Constructing processes for financial information, confirming the accuracy of reports, and adding brand new controls to meet the SOX criteria are all burdensome.
• Hiring new employees and contractors: IT processes need to be reviewed for compliance, and new procedures added, then managed in the long run. Segregated accounting duties (adding controls to internal accounting practices) also require new workers.
• More audits: Increasing audits and accounting firms ensures accounting objectivity but increases costs.
• More penalties: Failure to sign or publish financial statements, on top of added penalties for fraud, can make executives and private organizations hesitant to take on accountability.
• More regulation: Accounting costs are higher, and resources are diverted to financial reporting that could have been used for primary business functions.

At a high level, what are SOX compliance requirements? It’s a four-step process. The Sarbanes-Oxley Act requires each of the following:

1. Providing financial statements that have been audited by a third party to the SEC
2. Reporting material changes to the public
3. Designing, implementing, and testing internal controls
4. Composing an annual statement on internal controls and their adequacy, signed by management and audited by a third party

That third requirement takes the most time for a company that’s new to SOX regulatory compliance, as it involves changes to a company’s IT structure to ensure the security of financial data.

Internal Controls Requirements

Application of SOX at the IT level warrants management of the internal controls in a digital SOX environment, with components such as

• Access control
• Security and cybersecurity
• Segregation of duties
• Change management
• Backup systems

There are multiple frameworks for addressing these areas from nonprofit industry groups, such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and Control Objectives for Information and Related Technologies (COBIT). There’s even the National Institute of Standards and Technology (NIST) for federal agencies, and ISO 27001, recognized internationally as a data security certification. (Although no SOX certification exists, SOX compliance does.)

These frameworks offer companies a process to link business and IT goals, build controls, set objectives, assign responsibilities, and measure performance.

Section 404 of the SOX Act requires companies to implement internal controls and verify them in an audit. But no SOX compliance definition or set SOX controls apply to all organizations. An IT controls audit will focus on each IT area, from access control to backup systems. For example, companies might test internal access management systems when auditing access control and scrutinizing authentication management.

An audit starts with a risk assessment to define the scope of SOX-compliant requirements. The PCAOB accounting standards should help identify these areas where controls are needed. Identify critical controls first, then test to make sure they’re not only working to prevent breaches, but are also operated by the right owner. Taking these steps for each control is essential when using a SOX framework to tighten data security.

The full form of SOX includes eleven sections. Those having the most impact on businesses embarking on a SOX implementation are described below.

SOX 302

Corporate Responsibility for Financial Reports

Section 302 requires public companies to file financial reports with the SEC. Those reports must be signed by the CEO and CFO, both of whom are held responsible for report accuracy. The officers are required to attest that the reports are correct and include all essential information. Companies must have internal controls to prevent erroneous information, and the officers must attest that those controls had been validated within 90 days of the report.

SOX 303

Improper Influence on Conduct of Audits

“Materially misleading” statements are at the heart of this section, which forbids misleading, coercing, manipulating, or influencing auditors. Doing so can result in civil penalties enforced by the SEC.

SOX 401

Disclosures in Periodic Reports

This section declares that annual and quarterly financial reports filed with the Commission must include material off-balance-sheet transactions, arrangements, and obligations, even if those obligations are contingent. The rule ensures that changes in financial condition, liquidity, capital expenditures, and resources are transparent to investors.

Section 401 also stipulates that reports should not contain any misleading statements, let alone untrue statements or errors of fact.

SOX 404

Management Assessment of Internal Controls

Management is accountable for adequate internal controls. Both management and external auditors report on the adequacy of controls and report gaps. Since 2007, the SEC has helped small businesses by issuing its own guidance on internal controls, so companies have an easier time compiling their own SOX 404 compliance checklist. SOX 404’s meaning is that teams are accountable for internal controls, so they need tools to confirm reports or face SOX penalties for false reporting.

SOX 802

Criminal Penalties for Altering Documents

Employees who make changes to a financial document that can affect the SEC’s administration, or who conceal or falsify a record, are subject to criminal penalties from fines to imprisonment for up to 20 years.

SOX 806

Protection for Employees of Publicly Traded Companies Who Provide Evidence of Fraud

The section protects the employees and officers of a company who knowingly aid an investigation, come forward with information, testify in an investigation, or cause information about a company’s financial fraud to be released. Employees are protected from losing their positions and from harassment, demotion, suspension, or any other discrimination. Section 806 outlines compensatory damages for SOX violations.

SOX 906

Corporate Responsibility for Financial Reports

Employees who submit false or misleading reports in violation of SOX are subject to criminal penalties, including fines or imprisonment, for up to 20 years. The full form of SOX delineates individuals who are responsible, with contractors, employees, agents, and execs all playing a part.

SOX 1107

Retaliation Against Informants

Further strengthening protections against whistleblowers, this section sets federal criminal penalties of fines or less than ten years' imprisonment for retaliating against an informant. That includes taking any retaliatory action against their person or employment.

Following the enactment of the Sarbanes-Oxley Act, other countries and international organizations followed suit. For example, “EuroSox” in 2008 attempted to establish accounting and audit parameters and direct member nations to make the provisions a national law. Other countries enacted their own versions:

Canada: The Keeping the Promise for a Strong Economy Act of 2002, also known as C-SOX

Germany: The German Corporate Governance Code of 2002

Netherlands: The Netherlands Corporate Governance Code, 2004

South Africa: The King Report on Corporate Governance (multiple reports have been released since 1996)

Australia: Corporate Law Economic Reform Program, 2004

India: Clause 49 of the Indian Stock Exchange listing agreement

France: Financial Security Law of France, 2003

Italy: The Investor Protection Act of 2006

Japan: The Financial Instruments and Exchange Act of 2006, sometimes called J-SOX

United Kingdom: The Restoring Trust in Audit and Corporate Governance report seeks to introduce criminal penalties to the UK’s existing internal controls framework, 2021

Advance preparations will help companies eliminate surprises and reduce the cost of SOX auditing. At a minimum, all companies go through these phases:

1. Scoping Sarbanes-Oxley compliance requirements
2. Developing and documenting controls
3. Implementing controls
4. Testing controls
5. Conducting an internal audit

The first two steps are time-consuming for newly public companies. They involve scoping Sarbanes-Oxley Act requirements, then developing controls that can be broken down into multiple phases of their own. Let’s look at some of the common sub-tasks associated with these two steps.

The Planning Phase of a SOX Audit

Here are some standard components related to taking a SOX inventory:

1. Planning for future goals and growth: What accounting processes and controls can scale with the company? A primary benefit of Sarbanes-Oxley legislation is that it nudges companies to develop methods in both IT and financial systems that support more robust SOX reporting and security as they grow. For example, onboarding and revoking access privileges should not be an overwhelming or manual process, even if automation is not needed yet.
   
   
2. Choosing a framework to undergird SOX compliance: Familiarize yourself with COSO, COBIT, and the Information Technology Governance Institute (ITGI) frameworks that apply to SOX compliance. ITGI, for instance, uses components of both COSO and COBIT frameworks but is known for its emphasis on security. Decide which is suitable for your company.
   
   
3. Undergoing a risk assessment: Identify areas in the company subject to SOX compliance. Use the PCAOB accounting standard and identify risks along with their business impact.
   
   
4. Conducting a gap analysis: Some areas subject to compliance requirements may already have strong controls, while others may not. A gap analysis identifies missing or inadequate controls, so you can prioritize processes with the highest risk and the least coverage.
   
   
5. Conducting a materiality analysis: In this phase, companies locate material accounts and assess their reporting risk to know where to implement controls. Which items are material to the business’ income statement? In other words, which items could influence the financial decisions of investors? What amounts and in which accounts are material?
   
   
6. Conducting a fraud risk assessment: If you have not yet considered assessing where fraud is likely to occur, a SOX analysis can help. You’ll want to consider ways to ensure early detection, reduce the opportunity for fraud, and mitigate impacts.

The meaning of SOX compliance differs across companies, but SOX engagements typically begin by identifying where companies secure financial data, aligning systems with SOX accounting requirements, and thinking of systems in the bigger context of business risks and processes. The following IT SOX audit checklist will help cover core areas when designing controls:

• Breaches: Can you currently detect data security breaches? Is there an incident team ready to respond? How? Can you handle ransomware? Phishing attacks? Do you have software that can help detect a breach, whether it happens in a database, website, or storage?
  
  
• Storage: Speaking of storage, is your data stored in the cloud? SOX compliance has different data storage period requirements for different types of data. It needs to be indexed, searchable, easily retrievable, and encrypted. Data centers should be compliant with SOX regulations.
  
  
• Access: Who has access to your data? Do users have unique login credentials? Can sessions on your network be traced to users? Can users share logins? What happens when employees change roles or leave the organization? Do you track access to your sensitive data, as with an ERP system?
  
  
• Reporting: You may have thought about verifiable reporting for financial and business records, but data security demands automatic, verifiable reporting, too. Do you have a security tool that keeps logs and allows them to be searched and filtered? Where are those logs kept, and do they have controls to prevent tampering?
  
  
• Escalating incidents: When a security incident is detected and logged, does your system generate tickets to address and resolve issues?
  
  
• Segregation of duties: Train employees on the SOX Act and develop systems. Part of compliance is separating duties within multiple job roles. For example, managers will want to make sure that a single user does not both order and receive inventory. Do you have strategies to prevent and detect different types of embezzlement and fraud, including those related to separation of duties? Do employees understand their roles?
  
  
• Audit trail: Do you have systems that timestamp data and user access in real-time?
  
  
• Backup systems: Do you have documentation and a policy for backing up systems? Do you conduct quarterly data restoration tests? How do you demonstrate that backups are accurate and tamper-proof?

What Types of Software Can Assist with SOX Compliance?

SOX compliance software: Dedicated SOX software solutions that scan for security threats and flag them, track data, and generate reports.

Access management software: Software to secure a company network, limiting external access and minimizing the chance of unauthorized internal access.

Log management: Manages access logs created in real-time, provides an audit trail, and lets system administrators detect threats immediately.

File transfer software: Certain tools are designed to protect data transfers, such as enabling organizations to approve what type of data may be transferred.

Examples of SOX controls testing include all the above applications, as long as the customer data they capture includes financial records and is included in financial reporting. Examples of SOX controls can include: 

• The limits you set on external access
• Automated backups
• Policies that prevent a single person from changing and then transferring data

StrongDM’s Dynamic Access Management (DAM) platform helps you manage permissions in a faster—and compliant—way. For instance, it makes onboarding and offboarding employees lightning fast. Users get the resources they need when they need them. Privileged access can be granted and revoked quickly or even just temporarily, allowing teams to stay compliant with SOX financial regulations.

Besides providing compliant access management, StrongDM offers robust reporting that lets you capture detailed logs, including every query in every session across all your systems. You’ll collect evidence for SOX compliance automatically, making audits easier, faster, and less expensive. It’s all part of a SOX system that emphasizes automation to simplify ongoing compliance.

Want to simplify your SOX Compliance? Try a 14-day free trial of StrongDM today.

More SOX Compliance Resources

• Simplify Compliance Certification
• NIST Compliance: 2022 Complete Guide
• SOC 2 Compliance: 2022 Complete Guide
• ISO 27001 Compliance: 2022 Complete Guide