Let’s Change the Narrative Around Compliance

All public companies in the United States must be compliant with the Sarbanes-Oxley Act (SOX). This act was originally passed after multiple cases of corporate fraud to protect shareholders from errors and fraud in an enterprise’s accounting. It also helps improve how accurate corporate disclosures are. Not only does SOX compliance impact the financial side of a business, it also impacts the IT side by regulating which documents businesses are storing, how access to them is being regulated, and for how long they are being stored.

Being SOX compliant means that your business follows the requirements set by the Sarbanes-Oxley Act; including annual audits that prove the company is reporting accurate financial records in a secure way. Not being in compliance with SOX could lead to large fines or even prison time. Even if your company is private or a non-profit, it is good business practice to meet SOX compliance requirements.

To be SOX compliant, your company must complete a variety of actions related to security. Here is a checklist of some of the requirements for SOX compliance:
Publishing annual financial reports at the end of each yearAll financial reports must include an Internal Controls Report to prove that the document is accurate and secureStrict logging and monitoring of all account and user activity as well as information accessAll access to and interactions with sensitive data must have clear audit trailsExternal auditors must conduct SOX audits that include the review of controls, policies, staff, and procedures

• Publishing annual financial reports at the end of each year
• All financial reports must include an Internal Controls Report to prove that the document is accurate and secure
• Strict logging and monitoring of all account and user activity as well as information access
• All access to and interactions with sensitive data must have clear audit trails
• External auditors must conduct SOX audits that include the review of controls, policies, staff, and procedures

In order to be SOX compliant, IT departments are required to create and maintain a corporate records archive. There are three rules to follow concerning electronic records.The first rule is related to the penalties of destructing, altering, and falsifying records. The second rule defines how long specific records must be stored. The third rule describes the type of records that must be stored. This includes business records and electronic communications.

In order to be in SOX compliance your company must go through an annual financial and security audit. The most time-consuming and complex part of a company’s audit is the deep dive into their internal security controls. This part of the SOX compliance audit includes a look into four key areas of focus:

• Access control: Making sure the company restricts access and implements measures to control access to sensitive information. This could include physical measures such as surveillance and locks as well as digital measures such as access and credential management.
• IT Security: Making sure the company has an identification and monitoring system to protect its sensitive data against cyberattacks. This can include security tools and staff management.
• Data Backup: Making sure the company is backing up data in a way that is safe and secure. This includes understanding what would happen if there were to be a disruption or loss of data after a disaster.
• Change Management: Making sure the company has a way of managing IT changes. These changes might include new or updated software and new employees.

Unfortunately, there is not an actual checklist associated with the SOX Act that you can use to be sure your company is SOX compliant. Generally speaking, here are few things to keep an eye on:

• Keep all logging and monitoring systems up to date
• Immediately investigate and fix things that come up in your annual SOX compliance audits
• Know when financial data is created
• Monitor user behaviors in order to spot activities that might lead to security breaches
• Regularly review and monitor permissions and access to sensitive information and company hardware and software
• Keep detailed documentation and tracking logs to be sure your auditors are able to do their jobs
• Train your staff on the best ways to handle financial data

A company who is in SOX compliance does not receive a certification, however there are a variety of certifications individual employees can receive in order to best help their company become SOX compliant. These programs help individuals understand the SOX requirements and best practices.

Being SOX compliant is not only the law, it is also helpful for your company. When a company follows the requirements to be SOX compliant they are operating in a more ethical and secure fashion. Being SOX compliant also helps protect companies from security threats and attacks through increased documentation and minimization of human errors. On the public side of things, being SOX compliant helps people to trust your company, making it easier to raise capital and gain support. Internally, SOX compliance can help you improve your company culture.

It is almost impossible to be in SOX compliance and prove this compliance without a SOX compliance software that makes sure the correct security measures are in place. Softwares, such as Lumos, help your company track and manage user access to accounts and sensitive information. These software programs make it much easier to prove SOX compliance during your company’s next audit.