Sarbanes Oxley (SOX) Compliance
In the wake of financial reporting scandals at Enron, WorldCom and other companies, the Sarbanes-Oxley Act of 2002, or SOX, was established to implement greater corporate accountability among U.S. publicly traded companies and publicly traded non-U.S. companies doing business in the U.S. Section 404 of the law requires the annual assessment of internal controls that oversee financial reporting.
Overview:
Section 404 of SOX requires two things of public companies.
- Section 404(a) requires that they assess and document, in an annual report, the effectiveness of their internal controls over financial reporting.
- Section 404(b) requires that the report also includes attestation from an independent auditor that the controls are effective. Companies with a market capitalization of less than $75 million are exempt from this requirement.
Because Section 404 is short and broadly written, it has been criticized as being open to interpretation, thus resulting in onerous costs on companies, especially smaller businesses. In 2007, a series of reforms were enacted to respond to these complaints.
Most notably, the U.S. Securities and Exchange (SEC) issued voluntary guidance — aligned with the Public Company Accounting Oversight Board's Auditing Standard No. 5 — to help companies conduct more streamlined assessments and customize audits based on the size of their organization. A 2009 study from the SEC determined that Section 404 compliance costs diminished after the reforms.
Studies have shown that compliance to Section 404 reduces the likelihood of financial misstatements. On a broader security level, it forces companies to develop better operational awareness and corporate governance habits and also helps prepare them for other, more prescriptive, regulations and requirements, such as the Payment Card Industry Data Security Standard (PCI DSS).
Consequences:
Since SOX was enacted, enforcement is on the rise, although no chief officer has gone to prison. However, the SEC enforcement actions are continuing, with settlements continuing a steep increase, reaching 714 in fiscal year 2012, the highest number since 2007. Meanwhile, median settlement values for individuals have more than doubled since 2009, and reached a post-SOX high of $221,000 in fiscal year 2012.
Penalties for non-compliance with SOX can be harsh. CEOs or CFOs who submit inaccurate certifications face up to 10 years in prison and a $1 million fine, while corporate officers who purposefully submit wrong certifications face up to 20 years in prison and fines up to $5 million.
Meanwhile, the Public Company Accounting Oversight Board (PCAOB), which was created under SOX and controlled by the SEC, oversees the audits of public companies. The nonprofit is empowered to investigate and discipline public accounting firms. A failed inspection could lead to civil penalties and/or the revocation of an accounting firm’s registration.
Solutions:
Trustwave provides a comprehensive portfolio that can help organizations of any size respond to SOX regulations.
Plan and Prepare
Conducting a Risk Assessment is the first step to identifying and implementing safeguards necessary to meet compliance. Trustwave helps you find gaps that may exist between your current security posture and SOX requirements. The customizable assessments, scaled individually for your organization, include identification of key assets and IT systems, assessment of controls and frameworks and a review of third-party providers and incident response programs.
Access Gaps and Vulnerabilities
SOX requires that publicly traded companies are able to attest to the effectiveness of their internal controls over financial reporting. Here are some of the ways we can help:
Data Loss Prevention
Allows you to discover and classify sensitive data and prevent it from leaving the network.
Intrusion Detection and Prevention
Strengthens your perimeter defenses to protect against attacks that threaten financial systems.
Network Access Control
Ensures managed and unmanaged devices connecting to the network comply with policies and do not introduce malware.
SIEM
Helps you gain broad visibility of threats to your network and improve your compliance process through logging, monitoring, and analysis of events.
Vulnerability Scanning
Identifies weaknesses in your financial controls before they are exploited by attackers.
SSL Certificates
Protects sensitive data being transmitted across web-enabled applications.
Automate and Manage Compliance
TrustKeeper Compliance Manager helps you to centrally automate and manage controls, policies and procedures across multiple compliance frameworks, including SOX. Compliance Manager is delivered through our cloud-based management portal TrustKeeper, which provides a real-time view into the status of your compliance and security programs and offers access to all of your managed services. Through one easy-to-use dashboard, you can submit support requests, see event history, run reports and manage your account at any time.