Pc01-20 Checklist


Leonides Suttle

Aug 5, 2024, 8:57:32 AM
to padsandvicmo
The passing of the Sarbanes-Oxley Act (SOX) in 2002 established rules to protect the public from fraudulent or predatory practices by corporations and other business entities. The act increased transparency in financial reporting by corporations, and established a system of internal corporate checks and balances.

SOX compliance is a legal obligation and, in general, just a smart business practice: to safeguard data, companies should already be limiting access to internal financial systems. By implementing SOX financial and cybersecurity controls as well, businesses can also reduce the risk of data theft from insider threats or cyberattacks.


Senator Paul Sarbanes (D-MD) and Representative Michael G. Oxley (R-OH-4) wrote the bill in response to several high-profile corporate incidents in which a lack of financial reporting and transparency produced massive losses for investors, the public, and government agencies. In particular, the Enron, WorldCom, and Tyco scandals provided much of the impetus and necessity for a piece of legislation like SOX.


SOX applies to all publicly-traded companies in the U.S., in addition to any wholly-owned subsidiaries and foreign companies that are publicly traded and do business in the United States. SOX also regulates accounting firms that audit companies subject to SOX compliance.


Private companies, charities, and nonprofits are generally not required to comply with all SOX requirements. However, private organizations that knowingly destroy or falsify financial data can still be penalized under certain SOX language. Private companies planning an initial public offering should prepare to comply with SOX before they go public.


Generally speaking, SOX requirements encompass both business controls and information technology (IT) controls. On the business side, SOX controls focus on the accuracy and security of data that feeds into financial reporting. In terms of technology, there are IT general controls and application controls. The goals for IT controls are to ensure all systems are accurate, complete, and error-free in ways that could potentially impact financial reporting.


CEOs and CFOs are directly responsible for the accuracy, documentation, and submission of all financial reports to the SEC, as well as the internal control structure. SOX also requires an internal control report that states management is responsible for an adequate internal control structure for their financial records. Any shortcomings must be reported up the chain as quickly as possible.


SOX mandates formal data security policies, communication of those policies, and consistent ongoing enforcement. Companies should develop and implement a comprehensive data security strategy that protects and secures all financial data stored and used during normal operations.


Finally, companies need to maintain and provide documentation proving compliance. Documentation should clearly show the organization is continuously monitoring and measuring SOX compliance objectives throughout the year.


SOX compliance is imperative in protecting your data and keeping the integrity of your financial transactions intact. The best way to ensure compliance is to follow a checklist heavily anchored on sections 302 and 404 of the act.


Employ systems and software that can record timestamps of activities on all transactions and data related to SOX guidelines. Encrypt the recorded data in a secure location or database to avoid tampering. Activity documentation is critical to ensure that the correct information is easy to find during your SOX audit.


Implement software capable of receiving data and messages from all digital sources such as FTP, databases, and computer files. These controls should also be able to identify and track external entities breaching and attempting to tamper with your data. Detailed cybersecurity tracking and visualization tools, such as DatAdvantage, are extremely helpful in monitoring access controls on an ongoing basis.


Install detection software that can dissect and identify suspicious activities on all systems relevant to SOX compliance. This software should have the ability to detect, assess, and document threats in real-time, and send detailed reports to your incident management system to be addressed immediately.


Constant communication with your SOX auditors can go a long way. This best practice and the next two steps are aspects that every company that's succeeding in SOX compliance has in common. Your auditors should have access and limited control to all your safeguarding protocols, software, and systems so that they can diagnose and troubleshoot working issues, and identify improvement opportunities.


Install systems that can detect and document security breaches, as well as immediately alert your SOX auditor about the incident. This will mitigate the overlooking of threats and allow your auditors to address issues as soon as possible. Using a data classification engine, for instance, can help both determine what data to protect most and alert you to any breach or compromise.


SOX mandates that companies complete yearly audits and that they share the results with stakeholders as requested. To prevent any conflict of interest, companies hire independent auditors for these specific audits. SOX compliance should be treated as a year-round endeavor, continually preparing for the next audit.


Your SOX auditor will have access to all relevant security controls, and you should also be prepared to provide documentation about changes or improvements that you made to comply with SOX. Auditors will also look closely at financial reporting and filings to ensure accuracy and that there are no signs of malfeasance.


Access means both physical controls (doors, badges, locks on file cabinets, etc.) and electronic controls (login policies, least privileged access, and permissions audits). For example, you might place a biometric scanner on the entrance to a server room that houses critical data to ensure only authorized personnel can enter. Maintaining privileged access management with a least-privilege model (meaning each user only has the access necessary to do his or her job) is a requirement of SOX compliance.


Next, evaluate how your company backs up data and key systems. Data backup is critical because it minimizes disruption and data loss in the event of a system-wide disaster. Both original systems and data center devices containing backups must be safeguarded and handled in a SOX-compliant fashion. You should also consider maintaining SOX-compliant offsite backups of all of your financial records.


Have defined processes in place to add and maintain users, install new software, and make any changes to databases or applications that manage your company's financials. Anytime you add new employees, computing infrastructure, or software, changes must be recorded and monitored for potential resulting abnormalities.


SOX provides the framework needed for companies to be better stewards of their financial records, which in turn benefits many other aspects of the company. Much like ISO 27001 compliance, being in alignment with SOX promotes efficient and accurate financial reporting that fosters a higher level of financial caretaking in your organization.


SOX-compliant companies report more predictable finances and easier access to capital markets. Whether producing reports for investors, auditors, or regulators, your reporting capabilities will be much improved with SOX.


By implementing SOX, companies are safer from cyberattacks and the expensive aftermath of a data breach. Data breaches are difficult to manage and remediate, and some companies never recover the damage done to their brand. The security controls that SOX requires will go a long way toward reducing the potential of a malicious hack or insider threat.


SOX compliance builds a cohesive internal team and improves communication between departments involved with the audits. The benefits of a companywide program like SOX can have other tangible effects on the company, including improved cross-functional communication and cooperation.

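The post above asks for timestamped records of SOX-relevant activity that are protected from tampering. Encryption alone hides log contents but does not make a later edit or deletion detectable; an integrity chain does. The following is an added example, not code from the original post or from any product it names: each audit entry carries a UTC timestamp and an HMAC-SHA256 tag computed over the entry and the previous entry's tag, so verification returns the index of the first modified, removed or reordered record. The key, the function names and the three sample general-ledger events are assumptions constructed for the example.

```python
"""Tamper-evident, timestamped audit trail using an HMAC hash chain.

Added example (not from the original post). Each entry is tagged with
HMAC(key, previous_tag || canonical_json(entry)); editing, deleting or
reordering any entry breaks the chain at or after that point.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Assumption: in production this key lives in an HSM/KMS and is never in source.
AUDIT_KEY = b"example-audit-key-replace-me"
GENESIS = "0" * 64  # tag of the (non-existent) entry before the first one


def _canonical(entry: dict) -> bytes:
    """Deterministic JSON so the same entry always hashes the same way."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def _tag(prev_tag: str, entry: dict, key: bytes = AUDIT_KEY) -> str:
    """HMAC-SHA256 over previous tag + canonical entry (one chain link)."""
    return hmac.new(key, prev_tag.encode() + _canonical(entry), hashlib.sha256).hexdigest()


def append(log: List[dict], actor: str, action: str, detail: dict,
           ts: Optional[str] = None) -> dict:
    """Append an entry with a UTC timestamp, sequence number and chained tag."""
    entry = {
        "seq": len(log),
        "ts": ts or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "actor": actor,
        "action": action,
        "detail": detail,
    }
    prev_tag = log[-1]["tag"] if log else GENESIS
    entry["tag"] = _tag(prev_tag, entry)  # tag covers everything except itself
    log.append(entry)
    return entry


def verify(log: List[dict], key: bytes = AUDIT_KEY) -> int:
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    prev_tag = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "tag"}
        if body.get("seq") != i:
            return i  # an entry was removed or reordered
        expected = _tag(prev_tag, body, key)
        if not hmac.compare_digest(expected, entry["tag"]):
            return i  # contents or tag were altered
        prev_tag = entry["tag"]
    return -1


def build_sample_log() -> List[dict]:
    """Constructed sample: three ledger events (hypothetical actors and values)."""
    log: List[dict] = []
    append(log, "jdoe", "journal.post", {"je": 1041, "amount": 12500.00},
           "2024-08-05T08:57:32+00:00")
    append(log, "asmith", "journal.approve", {"je": 1041},
           "2024-08-05T09:10:05+00:00")
    append(log, "svc-erp", "period.close", {"period": "2024-07"},
           "2024-08-05T09:30:00+00:00")
    return log


def tamper_demo() -> Tuple[int, int, int]:
    """Exercise an intact log, a silently edited amount, and a deleted approval."""
    intact = verify(build_sample_log())

    edited = build_sample_log()
    edited[0]["detail"]["amount"] = 1250.00   # shrink a posted amount after the fact
    modified_at = verify(edited)

    truncated = build_sample_log()
    del truncated[1]                          # remove the approval record
    deleted_at = verify(truncated)
    return intact, modified_at, deleted_at


if __name__ == "__main__":
    print(tamper_demo())  # (-1, 0, 1): intact, edit caught at 0, deletion caught at 1
```

The sequence number catches deletions even when the attacker can recompute nothing; the HMAC catches content edits and, because the key is secret, prevents an attacker who can write to the log store from re-chaining the entries. Periodically anchoring the latest tag somewhere the log writer cannot modify (a WORM bucket or a separate system) closes the remaining gap, truncation of the tail.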