Sarbanes Oxley Compliance Audit – Readiness Assessment for 2023

Authored by: Tarun Kher

Overview of the Sarbanes-Oxley Act Compliance Requirements

The Sarbanes-Oxley Act (SOX) is a US federal law enacted in 2002 to safeguard the shareholders of publicly traded companies against major accounting frauds similar to the ones in the early 2000s, such as Enron and WorldCom.

A SOX compliance audit is a mandated annual assessment during which certain classes of companies (described below) are obligated to prove the accuracy of their financial reporting, including an Internal Controls Report that must be assessed by an independent external auditor, covering aspects ranging from corporate responsibility to fraud accountability. Cybersecurity is becoming an increasingly important factor in SOX compliance audits, with the added benefit of helping organisations keep sensitive financial data safe from insider threats and security breaches.

The data security framework of SOX compliance can be summarised by four key factors:

  1. Security of financial information
  2. Prevention of malicious intrusion efforts/external attacks and/or data breach attempts
  3. Maintenance of incident and audit logs
  4. Continuous monitoring of remediation efforts

The stated goal of SOX is "to protect investors, employees, clients, vendors and accounting firms by improving the accuracy and reliability of corporate disclosures." The objective of a SOX compliance audit is to confirm the integrity of all data-handling processes used in compiling the financial information, including the archiving of evidence that the internal controls forming part of the SOX framework were performed.

Sections 302 (Responsibility for Financial Reports) and 404 (Assessment of Internal Controls) are generally considered to be the most pertinent provisions for SOX compliance in terms of information technology. However, the below-mentioned sections are also of significant importance.

Section 401: Disclosures in Periodic Reports

Section 409: Real Time Issuer Disclosures

Section 802: Penalties for Altering Documents

Section 902: Conspiracies to Commit Fraud

Section 906: Responsibility for Financial Reports

Applicability | Types of Organisations requiring SOX Compliance Audit

The SOX Act applies to all companies that are publicly traded in the United States, including wholly-owned subsidiaries (i.e. companies whose common stock is 100% owned by a parent company). The Act also applies to foreign companies that are publicly traded and do business in the US. Private companies and companies that have less than USD 100 million in annual revenue are not required to comply with SOX. However, private companies that are planning to go public should prepare to comply with SOX before they enter the stock market.

The provisions of the Act also apply to accounting firms and third-party companies that offer services to any of the above companies. Further, there are several scenarios during which a private company might need to perform a SOX audit:

  • At business partners’ insistence - Insurance companies may request financial statement certifications before they approve Directors’ and Officers’ liability insurance.
  • Due diligence for prospective investors and buyers wherein they may require audited financials as well as assurances regarding the internal controls of the company to make an informed decision on acquisitions to mitigate risks.
  • Companies with a large external shareholder base may be asked to conduct a SOX audit, as well as companies with registered debt securities.
  • State securities regulators might extend SOX compliance requirements to include certain private companies.

Oversight and Responsibility | Enforcing SOX Compliance Audit

The Securities and Exchange Commission (SEC) is responsible for overseeing and enforcing compliance with the Act. For this purpose, the SEC established the non-profit Public Company Accounting Oversight Board, which oversees the audits of public companies to "protect the interests of investors and further the public interest in the preparation of informative, accurate, and independent audit reports".

Readiness Assessment for SOX Compliance Audit in 2023

As part of the readiness assessment procedures, the organisation should begin by updating its financial reporting and internal audit systems so that it can fulfil the auditors' initial data requests for pertinent reports.

The SOX auditors focus on four main internal security controls as part of the yearly audit:

1. Access Control Management

Access control means physical controls such as biometrics and badges, and electronic controls such as role-based access control, the principle of least privilege, and permission audits. Restricting user access greatly reduces the risk of unauthorised access, tailgating and unescorted visitors entering the premises.

2. Robust Information Technology Security Framework

Information Technology security entails evidence of the performance of controls that prevent data breaches, close data leaks, and mitigate external intrusion, including cyber-attacks. Organisations must invest in equipment, tools and services designed to monitor and protect their financial databases.

3. Demonstrate Data Backup Protocols

All financial records and other sensitive financial data must be backed up using appropriate storage systems, both on-site and off-site. Further, any central data centre containing backed-up data is also regulated by SOX.

4. Change Management

Organisations must have defined processes for adding and removing users and/or devices, as well as for installing and updating software. Change management tickets should be used to track who made the change, what was changed and when the change was made to the databases that manage the organisation's financials.

SOX Compliance Checklist

Some generic questions that may be included in the SOX compliance checklist to monitor whether the organisation is on the right track are:

  • Are the systems, especially those for logging and access management, up to date, and were they tested prior to implementation?
  • Who within the organisation has access to financial information?
  • Are user access reviews performed in time to monitor changes in permissions?
  • Are role rights reviewed, and is there adequate segregation of duties to ensure the operation of internal controls?
  • Is user behaviour continuously monitored to detect potential financial data breaches in time?
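As an added example (not from the article), the script below turns three of the checklist questions above into repeatable checks over a constructed entitlement export: who holds financial access, whether leavers and idle accounts still have access, and whether anyone holds a segregation-of-duties conflict. The role names, conflict pairs and 90-day idle threshold are assumptions.

```python
from datetime import date

# Constructed sample data (not from the article): an entitlement export from a
# hypothetical finance application, one row per user/role assignment.
ENTITLEMENTS = [
    {"user": "alice", "role": "AP_CLERK",    "status": "active",     "last_login": date(2023, 3, 1)},
    {"user": "alice", "role": "AP_APPROVER", "status": "active",     "last_login": date(2023, 3, 1)},
    {"user": "bob",   "role": "GL_POST",     "status": "terminated", "last_login": date(2022, 11, 20)},
    {"user": "carol", "role": "GL_POST",     "status": "active",     "last_login": date(2022, 9, 5)},
    {"user": "dave",  "role": "READ_ONLY",   "status": "active",     "last_login": date(2023, 3, 10)},
]

# Hypothetical segregation-of-duties matrix: role pairs one person must not hold
# together (e.g. entering an invoice and approving its payment).
SOD_CONFLICTS = {
    frozenset({"AP_CLERK", "AP_APPROVER"}),
    frozenset({"GL_POST", "GL_APPROVE"}),
}
FINANCIAL_ROLES = {"AP_CLERK", "AP_APPROVER", "GL_POST", "GL_APPROVE"}


def review_access(entitlements, as_of, max_idle_days=90):
    """User access review: return sorted (user, finding) tuples for
    TERMINATED_USER, STALE_ACCOUNT and SOD_CONFLICT conditions."""
    users = {}
    for row in entitlements:  # collapse rows into one record per user
        u = users.setdefault(row["user"], {"roles": set(), "status": row["status"],
                                           "last_login": row["last_login"]})
        u["roles"].add(row["role"])
        u["last_login"] = max(u["last_login"], row["last_login"])
    findings = []
    for name, u in users.items():
        if u["status"] != "active":          # access not revoked on leaving
            findings.append((name, "TERMINATED_USER"))
        elif (as_of - u["last_login"]).days > max_idle_days:
            findings.append((name, "STALE_ACCOUNT"))
        for pair in SOD_CONFLICTS:           # toxic role combinations
            if pair <= u["roles"]:
                findings.append((name, "SOD_CONFLICT:" + "+".join(sorted(pair))))
    return sorted(findings)


def financial_access_holders(entitlements):
    """Answer 'who has access to financial information?' for the evidence pack."""
    return sorted({r["user"] for r in entitlements if r["role"] in FINANCIAL_ROLES})


if __name__ == "__main__":
    for user, finding in review_access(ENTITLEMENTS, date(2023, 3, 31)):
        print(f"{user}: {finding}")
    print("financial access:", financial_access_holders(ENTITLEMENTS))
```

The findings list is the kind of artefact an auditor expects as evidence that the review was performed, alongside the ticket showing each finding was remediated.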

Consequences of Non-Compliance

For CXOs found guilty of intentionally submitting incomplete and incorrect documentation to SOX compliance auditors, consequences may include fines of up to USD 5 million, imprisonment of up to 20 years, or both. Cases where submissions of such nature have been made erroneously can attract fines up to USD 1 million and 10 years in prison. Furthermore, organisations that fail to comply with the provisions of the SOX Act can be delisted from stock exchanges.

Conclusion

Digital transformation has made the standard processes for storing key financial information more efficient, but it also makes financial databases increasingly vulnerable to compromise by cybercriminals. Future SOX audits are likely to focus more on the role of internal controls and cybersecurity frameworks in maintaining the integrity, completeness and correctness of financial information.

To prepare for this inevitable future, organisations must implement attack surface monitoring solutions to secure their financial information and ensure compliance with the provisions of the Act.
