Among the professional accounting credentials, SOX compliance occupies a special niche whose demand keeps growing against the backdrop of financial fraud. SOX stands for the Sarbanes-Oxley Act, a 2002 law passed by the US Congress to increase accountability in the financial sector. The law helps ensure that public companies engage in non-deceptive business accounting practices. SOX sets out several data storage and security-related compliance requirements in sections 302 and 404 of the law, which provide as follows:
1. Under Section 302, company officers are required to maintain internal auditing procedures for business accounting practices, as well as disclose any flaws that could compromise the corporation’s ability to record, summarize, process and report financial data.
2. Under Section 404, companies must send reports to the SEC that describe, and assess the effectiveness of, their internal control structures and procedures for financial reporting.
Maintaining and encrypting sensitive customer data and financial information can help companies become SOX-compliant, while non-compliance can result in penalties up to $5 million or up to 20 years of prison time.
The law is named after Paul Sarbanes and Michael Oxley, the two congressmen who drafted it. The legislation set new and expanded requirements for all U.S. public company boards, management, and public accounting firms with the goal of increasing transparency in financial reporting and requiring formalized systems of internal controls. In addition, penalties for fraudulent activity are much more severe.
The stated goal of SOX is “to protect investors by improving the accuracy and reliability of corporate disclosures.” As such, public company management must individually certify the accuracy of financial information. SOX also increased the oversight role of boards of directors and the independence of external auditors who review the accuracy of corporate financial statements.
Meeting SOX compliance requirements is not only a legal obligation but good business practice. All organizations should behave ethically and limit access to financial data. It also has the added benefit of helping organizations keep sensitive data safe from insider threats, cyber-attacks, and security breaches. The data security framework of SOX compliance can be summarized by four primary pillars:
Four pillars - Data security framework of SOX compliance
1. Ensure financial data security
2. Prevent malicious tampering of financial data
3. Track data breach attempts and remediation efforts
4. Keep event logs readily available for auditors and demonstrate compliance in 90-day cycles
1. Who Must Comply With SOX?
A. All publicly-traded companies, wholly-owned subsidiaries, and foreign companies that are publicly traded and do business in the United States must comply with SOX.
B. SOX also applies to accounting firms that audit public companies.
C. SOX places a barrier between the auditing function and accounting firms. The firm that audits the books of a publicly held company may no longer do the company’s bookkeeping, audits, or business valuations, and is also banned from designing or implementing an information system, providing investment advisory and banking services, or consulting on other management issues.
D. Private companies, charities, and non-profits generally do not need to comply with all of SOX. However, they must not knowingly destroy or falsify financial information, and SOX does impose penalties on such organizations for non-compliance.
In addition, whistle-blower protection applies: retaliating against someone who provides a law enforcement officer with information relating to a possible federal offense is punishable by up to 10 years’ imprisonment.
E. Private companies planning their Initial Public Offering (IPO) must comply with SOX before going public.
F. Finally, SOX contains mandates regarding the establishment of payroll system controls. A company’s workforce, salaries, benefits, incentives, paid time off, and training costs must be accounted for and certain employers must adopt an ethics program that includes a code of ethics, a communication plan, and staff training.
2. How does SOX impact Financial Reporting in India?
Following the introduction of SOX in the U.S., India also adopted new corporate governance norms under Clause 49 of the Listing Agreement, which came into effect on 31 December 2005 and is mandatory for all listed companies.
Some of the important provisions are as follows:
As per Clause 49, it is mandatory for a company with an Executive Chairman to have 50% independent directors on the Board. If the company has no Executive Chairman, one-third of the directors should be independent.
1. CEOs/CFOs are required to assess internal controls and take corrective measures to address any deficiencies.
2. CEOs/CFOs are also required to certify the Financial Statements.
3. All companies are required to submit quarterly Compliance Reports to the Stock Exchanges.
4. A Compliance Certificate from the auditors is to be obtained and annexed to the Directors’ Report.
5. Establishment of an Audit Committee.
6. Clause 49 was revised to incorporate a wider definition of independent directors and to increase the responsibility of the audit committee.
7. A Whistle Blower Policy is to be set out to protect those who report wrongdoing.
8. A formal Code of Conduct is to be laid down for the Board of Directors and Senior Management of the organization.
9. Related Party Transactions are to be disclosed separately, making the financial statements more transparent.
3. SOX IT Audits
Auditing the company’s internal security controls is often the largest, most complex and time-consuming part of a SOX compliance audit. This is because internal controls include all of the company’s IT assets, such as computers, hardware, software and all the other electronic devices that can access financial data.
3.1 SOX IT audits are focused on the following key areas:
Companies need to ensure that they have a way to locate where sensitive data is stored, see who has access to it, and monitor user interactions with it. Should an incident occur, the company needs to be able to remediate it in an effective and timely manner. Doing this adequately is likely to require strict policies and procedures combined with auditing and monitoring technology.
b. Access Controls
Ensure that only the right people have access to sensitive financial information, both physically and electronically, by limiting access and implementing controls on access. This could be securing servers behind biometric doors, implementing password policies and more.
c. Data Backup
Ensure that data is backed up so that, in the event of an incident, data loss is minimized. Any data centre containing backed-up data is also bound by SOX.
d. Change Management
Whenever your IT environment changes, for example through new employees, new computers or updated software, records of the changes are kept and the appropriate security is maintained.
Thus, SOX is an essential law that has brought discipline to the financial reporting process. The transparency brought by this act is boosting investor confidence, which in turn helps build a strong capital market in the economy.
4. Benefits of SOX Compliance
SOX compliance provides companies with a way of improving their data security whilst simultaneously helping to restore public confidence in big business. Stockholders are happy that financial reporting is regulated and predictable, and it makes it easier for businesses to raise capital.
Companies adhering to SOX compliance will find that their ability to detect and react to security threats is greatly improved, which means that they are less likely to suffer devastating data breaches. The amount of inter-departmental communication that SOX compliance requires can also help to improve company culture and drive growth and collaboration.
4.1 What Types of Software Can Assist with SOX Compliance?
Understandably, providing extensive documentation of SOX compliance and keeping fastidious records of change management in privileged financial information for an entire company can be an overwhelming—if not impossible—task when done manually. Further, the organizational stakes of noncompliance are incredibly high.
According to Section 906 of the Sarbanes-Oxley Act, companies bear the responsibility for inaccurate reporting, regardless of intentionality. As it pertains to the “failure of corporate officers to certify financial reports,” false information reported accidentally is punishable by a fine up to $1 million or a prison sentence up to 10 years in length.
When misinformation is reported “wilfully,” officers face up to 20 years in prison and a fine up to $5 million. Due to the burdensome, confusing, and high-stakes nature of compliance reporting, it’s important to choose sophisticated software that automates many auditing responsibilities.
SOX compliance software is capable of tracking relevant data, flagging security threats, generating compliance reports in accordance with common templates, or populating easily individualized reports with catalogued data and computer-executed analyses.
4.1.1 SIEM software
SIEM software is most helpful in its ability to consolidate log management to analyze trends and flag the most salient information. Many SIEM tools automatically detect security threats with intelligence feeds that identify malware, hackers, and unauthorized personnel.
Additionally, these tools recognize familiar suspicious activity and push notifications or raise alarms to indicate potential sources of trouble. Of course, cybersecurity entails more than policing, that is, detecting data loss and identifying who has breached secure data; it is preventative as well, regulating who has access to data in the first place.
To identify unauthorized users who have tampered with financial records, for example, IT departments must have already systematically secured files by giving full access to privileged users, endowing others with read-only access, and restricting access entirely for some.
4.1.2 Access rights management tools
Access rights management tools provide a holistic view of access across servers and locations, preparing information for compliance reports, minimizing guesswork, supporting demanding auditing operations, and reducing data loss.
4.1.3 Email archiving solution
Another option is to utilize an email archiving solution. These tools permanently store messages in a centralized and safe location, where they’re easy to access if needed. This helps you demonstrate SOX compliance, since you’ll be able to store and retrieve your organization’s email records at any time.
4.1.4 Mail Assure
Mail Assure (from the SolarWinds family), is an all-in-one email management tool that can help. Along with robust email archiving, it also offers advanced threat protection for both inbound and outbound emails, and a variety of other handy features. Plus, it’s a great option for managed service providers, since it can be used to handle email archiving for a high volume of individual clients’ businesses.
5. SOX Compliance Certification Course by Uplift PRO
No advanced preparation or prerequisites are required for this course.
The SOX compliance certification course has been divided into 4 modules covering the following aspects:
· SOX Overview, background and corporate governance.
· Major provisions of SOX 2002 affecting Directors, CEOs and CFOs
· Understanding Internal Controls
· SOX Compliance issues, penalties for non-compliance
Course Duration: The course runs for 6 months with a self-study package.
This program is intended for managers and employees of firms demanding qualified professionals that meet the fit and proper requirements in risk and compliance management.
Sarbanes-Oxley knowledge is a very important asset on a resume, and the CSOE program is recognized by the industry in many countries. SOX has allowed companies to standardize and consolidate key financial processes, eliminate redundant information systems, minimize inconsistencies in their data loss prevention policy, automate manual processes, reduce the number of handoffs, and eliminate unnecessary controls.
In short, the benefits of SOX compliance are:
· A strengthened control environment
· Improved documentation
· Increased Audit Committee involvement
· Convergence opportunities
· Standardized processes
· Reduced complexity
· Strengthening of weak links
· Minimization of human error
Choose the best US CPA, US CMA, US CIA and SOX Compliance Certification institute in India, Africa, and the Middle East – Uplift Pro
Uplift Pro is one of the top training institutes for the US CMA, US CPA, US CIA, SOX Compliance Certification and Enrolled Agent courses in India, Africa, and the Middle East. Uplift Pro is also an Indian partner of GLEIM, US, and an IMA US authorized CMA US study center.
Our team consists of seasoned professionals and entrepreneurs from IIEST, IITs, London Business School, and UCLA who have decided to provide strong support to young, ambitious students and professionals in reaching their desired career destinations in an organized way.
Some of the exclusive features include:
A. Authorized partner of IMA and Gleim in India
B. High pass rate of 85%
C. Live online classes ensuring that regular office working hours are least impacted
E. Affordable course fees
Request a live demo class or contact +91-8787088850 to book your seat now.