Introduction to SOX Compliance
SOX is short for the Sarbanes-Oxley Act, which was passed by the United States Congress back in 2002. The act is named after its sponsors, Senator Paul Sarbanes and Representative Michael G. Oxley.
A lot of people reading this article, or working in smaller non-public companies based outside the US, may never have heard of this Act before. This is because it was primarily brought in to protect US-based companies after the financial scandals that preceded it, for example when large corporations such as Enron, WorldCom and Tyco were faced with fraud charges.
Due to these financial fraud accusations, and WorldCom going bankrupt with over $104 billion, enough was enough and things had to change.
This was a time when the dot-com bubble had just burst, around the year 2000. Lots of tech-related companies were starting up, funds and investments were being handed to just about any company that was operating at the time, and the amount of fraud reported was going through the roof.
Between 2001 and 2002 the US started to investigate a lot of the larger corporations, and indictments for fraud were starting to be talked about. Then in 2002 the US Congress passed the Sarbanes-Oxley Act, which was based around the financial oversight of companies. Congress had woken up to the fact that there needed to be stricter and tighter controls governing the auditing and internal controls of companies, as well as ensuring that companies met the strict regulations that were set out.
So what is SOX compliance? Without going into too much detail and boring everyone to death, SOX is an Act which requires any public company to provide accurate proof of its financial reporting. This means that it is primarily associated with public companies, although all companies should know about it and adhere to it to ensure that they are on the right side of the playing field. Companies should ensure that they are keeping data safe, secure and free from tampering.
They should ensure that they are logging and tracking any security breaches of their information and/or systems, and should have processes in place to ensure that lessons are learnt and systems are hardened. Logs of everything should be put in place and kept securely, and these should be made readily available for auditing if required. Companies must also prove their compliance for the past 3 months, or 90 days.
Now, some of the UK or European based people watching this video may think some of this sounds familiar. This is because a lot of these controls and processes are in place for the General Data Protection Regulation, or GDPR. Although GDPR doesn't concentrate on strict financial regulations and auditing, it does concentrate on the protection of data.
So what does achieving SOX compliance mean for a business? When a SOX audit is performed, it is usually up to the IT department to prove that the company complies with the necessary areas of compliance. This can be done by providing the necessary documentation, such as logging, access controls, change control, and so on. This documentation helps show that the company has met the financial transparency and data security controls.
Although it may not be primarily the IT department's focus, the IT department will work with a wide range of business services to ensure that compliance is met. For this to work efficiently, however, the IT department and its staff must be familiar with the standard and the controls that are set out. The IT department must be aware that logs must be kept for a minimum amount of time, that they must be kept secure and tamper-free, and that if people ask for evidence, it must be provided in order to be transparent.
As part of the SOX Act, section 302 states that the executive officer and chief financial officer must review and sign their quarterly and annual reports, certifying to the best of their knowledge that the information is correct and truly reflects the business's financial position, thereby certifying SOX compliance.
Section 404 of the SOX Act mandates that all public companies have the necessary systems in place to ensure that data is available for audits and meets the necessary controls.
What software can you use to help comply with the SOX Act? This is a "how long is a piece of string" type of question, and it depends a lot on what technologies the company already uses, what licenses it has access to, whether it outsources its IT, and so forth.
But ensuring that a SIEM is in place to keep track of and log events, raise alerts and help analyse trends in systems and access will go a long way towards identifying any breaches and unauthorized access to information. Ensuring that you have email archiving in place and that backups are performed (and checked) regularly will also help. Ensuring that least privilege access is in place, so that people only have access to what they need, will reduce the chances of tampering. Implementing and using data loss prevention software will also help ensure that information is kept within the company and is not accidentally sent outside the company's borders.
And that's it. I hope this makes sense to you all, and if anyone complies with SOX in their company, I'd love to hear your thoughts on what you use and why in the comments.