The Definitive Guide to SOX Compliance

The Sarbanes-Oxley Act (SOX) is a U.S. federal law that was established to enact auditing and regulatory practices. It was passed to help protect employees, shareholders, and the public from accounting errors and fraudulent practices within companies.

What is Sarbanes-Oxley (SOX) compliance?

Are you looking for an accurate SOX definition? In the following paragraphs, we explain what SOX compliance actually means, so that you develop a good understanding of the law itself, what it regulates, and how you can comply.

First of all, it is important to know that SOX is a federal law that was established to enact auditing and regulatory practices. The Sarbanes-Oxley Act was passed to help protect employees, shareholders, and the public from accounting errors and fraudulent practices within companies.

At this point, all public companies have to comply with SOX on a financial and IT level. This also means that the way IT departments store corporate records has to be adjusted in order to comply with SOX.

However, the act does not spell out how a business should store its records, and it does not establish specific business practices either. SOX only defines which records must be stored and for how long.

To comply with SOX, corporations are obligated to save all business records – including electronic records and messages – for at least five years.

It is vital to understand the SOX definition in order to properly grasp its impact and use. While SOX compliance deals with the regulation of financial reporting on publicly traded companies, it also contains provisions that apply to all private companies and not-for-profit organizations.


History of the Sarbanes-Oxley Act of 2002 (SOX)

The Sarbanes-Oxley law is more commonly known as SOX. Its aim was to improve financial reporting practices in public companies. It was a way to boost investor confidence after an increase of high-profile corporate crime cases.

George W. Bush signed the act into law on July 30th, 2002, describing it as the most far-reaching reform of American business practices since Franklin Delano Roosevelt.

Some of the financial scandals that prompted this act included Enron, WorldCom, and Tyco, among others. Enron's scandal was also covered in an Alex Gibney documentary titled “Enron: The Smartest Guys in The Room.” It depicts how, in less than two years, a multi-billion-dollar company unraveled, ruining thousands of lives.

WorldCom was part of a scandal that involved fraudulent accounting practices. After a bankruptcy filing, the SEC (U.S. Securities and Exchange Commission) hit the company with a $750 million fine. The responsible CEO was sentenced to 25 years in prison, while the CFO received 5 years.

Tyco is another example that led to SOX. In this case, the former CEO and CFO purloined hundreds of millions of dollars by falsifying business records and breaking numerous laws.

The examples above as well as many other similar events created the necessity for the SOX law. Now, with SOX compliance in place, corporate fraud has become much more difficult.

However, this has not stopped companies like Wells Fargo, HSBC, and Valeant, among others, from engaging in harmful business practices. These new cases show that even with the SOX laws in place, fraud cannot be completely eliminated.


Legal Requirements for IT Compliance

As an IT expert, you need to know which parts of SOX compliance you should worry about. Before we dive into that, it is crucial to understand that the main goal is complete transparency in financial reporting. So, with SOX IT, your role lies in identifying and minimizing risks effectively.

Any company in the U.S. or overseas that is registered with the SEC has to commit to SOX compliance. Among the registered companies, more than half of the Fortune 500 publicly traded companies will spend more than $1 million to enable SOX compliance.

In the following, we will take a closer look at the most important SOX IT sections 302, 404, 409, and 802.


SOX Section 302

Section 302 is all about keeping the executives accountable. SOX compliance is achieved when the CEO and CFO vouch for the accuracy of the company’s financial records. They have to attest that they have evaluated ICFR (internal control over financial reporting) within 90 days of certifying the financial results.

Here, your SOX compliance work involves delivering real-time reporting on the internal controls. To succeed, you will need to automate tasks such as evidence gathering, testing, and reporting on remediation efforts.

It is important to note that reports need to be written in an accessible language for both the auditor and the executives.


SOX Section 404

In this section, the focus lies on establishing SOX compliance controls to ensure that financial reporting is accurate. According to SOX, all businesses need to have internal controls to ensure transparency and accuracy in financial reporting.

An external auditor should review the controls every year and determine how well the business is documenting, testing, and maintaining its internal controls. The SOX 404 compliance checklist covers application testing, security, verification of software integrations, and automated testing of the process.

The aim is to ensure that the procedures collectively support accurate and complete transmission of financial records. At the same time, the procedures have to keep asset-bearing accounts protected from unauthorized access.


SOX Section 409

Section 409 focuses on the timely delivery of disclosure. When there are events like mergers, acquisitions, bankruptcy, dissolution of major suppliers, or data breaches, a company's fiscal aspects usually undergo massive changes.

To ensure SOX compliance, timely disclosure of any information that might affect the company's financial performance is necessary.

SOX IT requires departments to use SOX compliance software that triggers timely disclosure alerts. The mechanisms have to quickly inform shareholders and regulators when there are changes in the financial statements.


SOX Section 802

This section of SOX compliance focuses on record retention. With modern technology, it is easy to keep both physical and electronic copies. SMBs (Small and Medium Business Solutions) facilitate bookkeeping, as all records can be easily stored on digital drives.

Spreadsheets on a user's computer, instant messages, emails, recorded calls about financial matters, financial transactions, and other information about the company's resources must be preserved and made available to auditors for at least five years.

The goal of SOX IT compliance is to ensure that internal processes are automated so that all important and sensitive financial information needed to make the records complete is captured. Responsibility for the proper functioning of such management systems falls on IT experts.

Archiving the details is part of this task. IT departments have the organizational control to maintain the records and migrate old technologies to new ones, establishing a unified library. That way, all information is procured and backed up for future audits.


What you need to know about the Unified Compliance Framework (UCF)

The Unified Compliance Framework unifies all the requirements that a business or company has to adhere to. It includes regulations such as SOX, HIPAA, and PCI DSS. Thus, the framework encompasses all federal and state laws that companies must follow to stay compliant.

This is important because an IT team can adopt a set of controls that can satisfy the compliance requirements for multiple regulations.

The management body behind UCF is Network Frontiers. The group keeps these frameworks updated to ensure that new regulations aren’t ignored or missed. This offers IT experts one reliable source and is a great time saver as they don’t have to track changes themselves.

Using frameworks is extremely convenient because it is a “test once, comply with many” approach. The best way to use this information is to build a unified platform that allows an automated workflow.

One solution is the integration of a configuration management database (CMDB) that serves as the IT system of record.

Through the database, information is documented and packaged in a way that makes it accessible for outside auditors. Thus, it prevents time-consuming preparation periods right before an upcoming audit.

With the unified frameworks, you save the most valuable resources a company has: time and money.

In the next section, we will address the unified frameworks in greater detail.


The COBIT Framework

The COBIT framework was developed by ISACA to help develop, organize, and implement necessary changes. With this tool, compliance with SOX's internal requirements is facilitated by raising awareness of risks and technical issues.

COBIT helps companies guide their IT teams to success. It supports an IT department’s efforts to achieve straightforward corporate governance throughout an organization.

The role of the IT team is to simplify the auditing process by proper documentation and packaging of information. With this kind of framework, a company can ensure that it maintains accounting oversight.


Figure 1: COBIT Principles*


The COSO Framework

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has established a five-component framework. You can use these components to help create the foundation for organizational control.

The goals are achieved through directed leadership and a culture that emphasizes accountability and shared values. The COSO framework stands for a risk-based approach that identifies and assesses risk at every level of the company.

The COSO framework was established about a decade before SOX. However, it has a high standing with the SEC and the PCAOB.


Figure 2: COSO Framework**


What works better for you?

To fulfill the SOX IT requirements, you can either choose one suitable framework or combine several. Combining frameworks ensures that you cover all aspects on your SOX compliance checklist.

The level of accuracy you can achieve with a unified framework is much higher than that of a single framework. To be clear, you first need to find out what kind of information the auditors are looking for. Based on that, you can establish the framework that works best for your specific needs.

Other frameworks include the IT Governance Institute framework (ITGI) and the Statement on Standards for Attestation Engagements (SSAE 18).


Checklist for SOX Compliance

It is much easier to understand what is expected of you when you work with a SOX compliance checklist. Audits are different for every organization. Therefore, the notion that SOX compliance looks the same for all companies isn’t very useful.

However, there are some things that every business should consider before any kind of audit:

  • Are you using an accepted framework (COSO, COBIT, ITGI, or a combination)?
  • Are there policies that outline how to create, maintain, and modify accounting systems, including computer programs that handle financial information?
  • Are there protocols on how to deal with potential security breaches?
  • Are there mechanisms to record and monitor all access to sensitive data?
  • Are there mechanisms that prevent tampering with sensitive data? Are they tested and proven to be operational?
  • Have there been previous breaches and failures, and if so, have you disclosed them to your auditors?
  • Are there records of recent and valid SAS 70 reports from all service organizations?
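The two checklist items on recording access to sensitive data and preventing tampering, together with the five-year retention rule from Section 802, are the kind of controls an auditor will ask you to demonstrate rather than describe. The following is an added example, not code from this guide or from LeanIX: a minimal tamper-evident access log in which each entry is chained to its predecessor with an HMAC, a verifier that pinpoints the first altered or deleted entry, an access-control check against a record-level allowlist, and a retention-deadline calculation. All names, the demo key, and the sample entries are constructed for illustration.

```python
"""Tamper-evident access log for financial records (illustrative, constructed).

Demonstrates: (1) recording who accessed which record, when, and how;
(2) detecting after-the-fact edits or deletions via an HMAC hash chain;
(3) flagging access outside a record-level allowlist; (4) computing the
earliest disposal date under the five-year retention rule.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

RETENTION_YEARS = 5  # minimum retention period named in SOX Section 802

# Constructed demo key. In a real deployment the key lives in an HSM/KMS and
# is never readable by the people who can write to the log file.
HMAC_KEY = b"demo-key-not-for-production"
GENESIS = "0" * 64  # digest used as the predecessor of the first entry


def _entry_digest(prev_digest: str, entry: dict) -> str:
    """HMAC over the previous digest plus a canonical JSON form of the entry.
    Chaining means editing or removing one line invalidates every later line;
    the keyed MAC means an editor without the key cannot recompute the chain."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hmac.new(HMAC_KEY, (prev_digest + canonical).encode(), hashlib.sha256).hexdigest()


def append_access(log: list, who: str, record: str, action: str, when: datetime) -> dict:
    """Append one access event and return the stored line (entry + digest)."""
    prev = log[-1]["digest"] if log else GENESIS
    entry = {"ts": when.isoformat(), "user": who, "record": record, "action": action}
    line = {**entry, "digest": _entry_digest(prev, entry)}
    log.append(line)
    return line


def verify_chain(log: list) -> tuple:
    """Return (True, -1) if the chain is intact, else (False, index of first bad line)."""
    prev = GENESIS
    for i, line in enumerate(log):
        entry = {k: v for k, v in line.items() if k != "digest"}
        if not hmac.compare_digest(_entry_digest(prev, entry), line["digest"]):
            return False, i
        prev = line["digest"]
    return True, -1


def unauthorized_accesses(log: list, allowlist: dict) -> list:
    """Return log lines whose user is not on the allowlist for that record.
    allowlist maps record id -> set of permitted user ids (constructed)."""
    return [line for line in log if line["user"] not in allowlist.get(line["record"], set())]


def retention_deadline(created: datetime) -> datetime:
    """Earliest date a record may be disposed of under the five-year rule."""
    try:
        return created.replace(year=created.year + RETENTION_YEARS)
    except ValueError:  # created on 29 Feb and the target year is not a leap year
        return created.replace(year=created.year + RETENTION_YEARS, day=28)


def is_disposable(created: datetime, now: datetime) -> bool:
    return now >= retention_deadline(created)


def demo() -> tuple:
    """Build a small log, then simulate an edit and a deletion. Returns
    (chain ok before, ok after edit, bad index after edit, ok after delete,
    bad index after delete, number of unauthorized accesses)."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    log = []
    append_access(log, "alice", "GL-2023-Q4", "read", t0)
    append_access(log, "bob", "GL-2023-Q4", "update", t0 + timedelta(minutes=5))
    append_access(log, "carol", "AP-INV-1042", "read", t0 + timedelta(hours=1))
    ok_before, _ = verify_chain(log)

    edited = [dict(line) for line in log]
    edited[1]["action"] = "read"          # someone downgrades "update" to "read"
    ok_edit, bad_edit = verify_chain(edited)

    deleted = [log[0], log[2]]            # middle entry removed entirely
    ok_del, bad_del = verify_chain(deleted)

    allow = {"GL-2023-Q4": {"alice", "bob"}, "AP-INV-1042": {"alice"}}
    flagged = unauthorized_accesses(log, allow)   # carol is not allowed on AP-INV-1042
    return ok_before, ok_edit, bad_edit, ok_del, bad_del, len(flagged)


if __name__ == "__main__":
    print(demo())
```

The verifier reports the index of the first inconsistent line, which tells an investigator where in the sequence the record was altered; this is the "tested and proven to be operational" evidence the checklist asks for, since the tamper test can be rerun on every audit. The key is the weak point: if the same people who can write the log can read the key, the chain proves nothing, so keep it in a separate trust domain.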

With this checklist, it will be easier to catch anything you could have missed.


Figure 3: COBIT Framework*



Most people affected by the SOX legislation view it as a way to look ahead and anticipate financial problems in the future. Others see it as a precipitator of recession because it imposes unattractive costs on those interested in doing business in the U.S.

However, SOX compliance doesn’t have to be difficult. After all, many of the functions that SOX IT encompasses can be automated. Furthermore, it can be easier to resolve permission issues, locate hidden SOX data, and detect any errors in financial files.

But SOX compliance is an almost impossible task if you’re not working with the best security solutions. This is because SOX IT needs to make sure that compliance evidence, security measures, and the software solutions that automate functions are all up to speed.

With data protection and a fully functional unified platform, IT teams are always prepared for an audit.


Free White Paper

How to Manage IT Regulations with an EA Management Tool for Financial Institutions
