what is the sarbanes-oxley act why is it important to investors
The Sarbanes-Oxley Act explained: Definition, purpose, and provisions
This post-Enron law, which aimed to protect investors by preventing fraudulent accounting and financial practices, has major implications for information retention and security.

- What is the purpose of the Sarbanes-Oxley Act?
- Who does Sarbanes-Oxley apply to?
- Sarbanes-Oxley provisions
- Sarbanes-Oxley requirements
- Sarbanes-Oxley controls
- Sarbanes-Oxley compliance
- Sarbanes-Oxley penalties
- Sarbanes-Oxley Act: Cases and examples
Sarbanes-Oxley Act: Summary and definition
The Sarbanes-Oxley Act (sometimes referred to as the SOA, Sarbox, or SOX) is a U.S. law to protect investors by preventing fraudulent accounting and financial practices at publicly traded companies. Passed in 2002 in the wake of a series of corporate scandals and the bursting of the dot-com bubble, Sarbanes-Oxley imposed a number of reporting, accounting, and data retention mandates to ensure that business practices at big companies remain above board.
While many Sarbanes-Oxley provisions focus on financial and accounting matters, proper handling of corporate information is the cornerstone of many aspects of how the law works—and that has a huge impact on IT, which we'll focus on in this article.
What is the purpose of the Sarbanes-Oxley Act?
The Sarbanes-Oxley Act is a product of a series of scandals that took place around the turn of the millennium. Several publicly traded companies—Enron and WorldCom were two of the most prominent—used accounting trickery, shell corporations, and other fraudulent techniques to hide business losses from the public and keep stock prices artificially high. Executives and board members used this deception to enrich themselves, cashing out and leaving investors (and, in Enron's case, employees who had been urged to put their retirement into company stock) holding the bag when the charade could no longer be maintained and the stock price collapsed.
These scandals unwound around the same time dot-com stock prices collapsed, and while none of those early-stage internet companies perpetrated fraud on quite such a scale as Enron, many people believed that they had inflated reports of their earning potential in advance of initially lucrative IPOs, substantially enriching company founders at the expense of investors.
The Sarbanes-Oxley Act imposed a heavy regulatory burden in an attempt to prevent these kinds of abuses from happening again. The law aims to improve corporate behavior by making sure companies produce and retain accurate data about their own finances, and that they are able to make that data available to investors and regulators in near-real time. For IT, that means huge amounts of corporate information have to be kept meticulously accurate and absolutely safe—from both internal and external threats—and have to be available to auditors and investors on short notice.
Who does Sarbanes-Oxley apply to?
A few provisions of Sarbanes-Oxley apply to privately held companies—the law forbids such companies from destroying records to impede a federal agency's investigation, for instance, or from retaliating against whistleblowers. However, for the most part the provisions of the law we'll be discussing here apply to companies whose shares are traded on public stock exchanges, or that are putting together an IPO to go public. The data transparency that the law mandates is meant to protect investors or potential investors from misjudging a company's finances due to manipulation by insiders.
Sarbanes-Oxley provisions
The provisions of the Sarbanes-Oxley Act are broken down into numbered sections. Let's have a look at the sections of most interest in terms of IT and information security:
- Section 302: Public companies need to file regular reports with the Securities and Exchange Commission. Top executives must personally vouch for the information contained in these reports and are responsible for establishing internal controls over data.
- Section 404: Annual financial reports must include a section on those internal controls assessing their effectiveness; any shortcomings discovered in those controls must be disclosed. Registered external auditors must vouch for management's assessment of the internal controls.
- Section 409: Any material changes in the financial condition or operations of the company must be disclosed to the public in a timely way.
- Sections 802 and 906: These are the sections that deal with penalties. We'll get into the details later in the article, but they prohibit altering documents in a bid to impede an investigation and also make it illegal for anyone to certify a misleading or fraudulent financial report.
Of these sections, 404 is considered the most complex and most onerous. Not only must elaborate technical systems be set up to maintain data integrity and protection, but company management and outside auditors must regularly assess and document the effectiveness of those systems.
Sarbanes-Oxley requirements
Those are a lot of provisions to digest, and you'll need to dig deep into the specific mandates they impose. But here is a high-level summary of what the law requires that's worth keeping in mind as a 10,000-foot view:
All applicable companies must establish a financial accounting framework that can generate financial reports that are readily verifiable with traceable source data. This source data must remain intact and cannot undergo undocumented revisions. In addition, any revisions to financial or accounting software must be fully documented as to what was changed, why, by whom and when. [Source: Sarbanes Oxley 101]
You'll recognize elements here of the CIA triad and its variants. In particular, information integrity must be protected, information must be available to those who need it, and non-repudiation must be enforced to ensure that it's possible to know who created or altered information.
Sarbanes-Oxley controls
The means by which Sarbanes-Oxley requirements are implemented within an organization are referred to as controls. A control in this context is an internal rule intended to prevent or detect errors or malfeasance within a cycle of financial reporting.
Sarbanes-Oxley mandates that controls be implemented across a company. The Varonis blog gives some specific examples of the kinds of rules that would be investigated as part of a Sarbanes-Oxley audit process:
- Access: You'll need to have rules that cover both physical access to your offices and paper files and electronic access to your data. The law mandates a least-permissive access model, under which employees only have access that's as extensive as needed to do their jobs but no more extensive than that.
- Data backup: Financial records must be backed up offsite in ways spelled out by the law.
- Security: You'll need a set of rules that demonstrate that you have protected your data against breaches, though the implementation is left up to your discretion within reasonable bounds.
- Change management: You'll need to have defined procedures for adding or changing the databases and software that manage your corporate finances, as well as for adding new users to your systems.
You'll notice that these controls are described in abstract ways. In general, controls are spelled out in terms of what they do (or prevent), and it's up to IT to figure out how to implement them. For instance, the rules on electronic access may identify the job titles whose holders are allowed to modify a company's internal financial data, but it will be up to the company's IT department to make sure the right individuals have the proper permissions on the relevant systems to do so (or are prevented from doing so).
This obviously makes for a lot of work, and has perhaps unsurprisingly created a cottage industry of software packages prewritten to help implement standardized Sarbanes-Oxley controls.
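To make the abstract controls above concrete, here is an added example written for this page (it is not code from the article, from Varonis, or from any SOX compliance product). It sketches the kind of mechanism IT might build behind the "access" and "change management" controls and the requirement that revisions be documented as to what, why, by whom and when: a role table that grants write access only to the job roles allowed to alter financial data, and an append-only, hash-chained change log so that an undocumented edit to source data is detectable on verification. The role names, user names and invoice entries are constructed for the example, and the hash chain is one common way to get tamper evidence, not something the law prescribes.

```python
"""Constructed example: least-permissive write access plus a tamper-evident change log."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed role table: only these roles may alter ledger records; all others are read-only.
ROLE_PERMISSIONS = {
    "controller": {"read", "write"},
    "accountant": {"read", "write"},
    "auditor": {"read"},
}


class ChangeLog:
    """Append-only log. Each entry's hash covers the previous entry's hash, so editing
    or deleting an earlier entry invalidates every entry that follows it."""

    GENESIS = "0" * 64  # chain anchor for the first entry

    def __init__(self):
        self.entries = []

    @staticmethod
    def _hash(entry):
        # Canonical JSON (sorted keys, no whitespace) keeps the hash stable.
        body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(body.encode()).hexdigest()

    def record(self, user, role, record_id, field, old, new, reason, when=None):
        """Record one revision: who changed what, from what to what, why, and when."""
        if "write" not in ROLE_PERMISSIONS.get(role, set()):
            raise PermissionError(f"{user} ({role}) may not alter financial records")
        if not reason.strip():
            raise ValueError("every revision must state why it was made")
        entry = {
            "seq": len(self.entries),
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "who": user,
            "role": role,
            "record": record_id,
            "field": field,
            "old": old,
            "new": new,
            "why": reason,
            "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry["hash"] = self._hash(entry)  # computed before the "hash" key exists
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute the chain from the start. Returns (ok, index of first bad entry)."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            unhashed = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or self._hash(unhashed) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, None


def demo():
    """Walk through two documented revisions, one blocked write, and one tampering attempt."""
    log = ChangeLog()
    t = datetime(2020, 3, 31, 17, 0, tzinfo=timezone.utc)  # constructed timestamp
    log.record("mchen", "accountant", "INV-1042", "amount", 12500.00, 15200.00,
               "corrected keying error against the signed invoice", when=t)
    log.record("rpatel", "controller", "INV-1042", "status", "open", "paid",
               "payment received 2020-03-31", when=t)
    # An auditor holds read access only; the write is refused.
    try:
        log.record("jlee", "auditor", "INV-1042", "amount", 15200.00, 1.00, "test", when=t)
        blocked = False
    except PermissionError:
        blocked = True
    ok_before, _ = log.verify()
    # Simulate an undocumented after-the-fact edit to the first entry's stored value.
    log.entries[0]["new"] = 1520.00
    ok_after, first_bad = log.verify()
    return blocked, ok_before, ok_after, first_bad


if __name__ == "__main__":
    print(demo())  # (True, True, False, 0)
```

Two design points worth noting: the reason field is mandatory, because a revision without a documented "why" is exactly the undocumented change the requirement forbids; and verification is a full recomputation from the genesis value, so the first index it reports is where the evidence of tampering begins, which is what an auditor would ask for.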
Sarbanes-Oxley compliance
Sarbanes-Oxley compliance, then, consists of conforming your company's procedures to all these mandates by taking the following steps, as summed up in the Varonis blog:
- CEOs and CFOs must take responsibility for financial reporting and internal controls
- An internal control report must be drafted that takes an honest look at the company's controls
- Formal data security policies must be drafted and consistently enforced, and a data security strategy must be developed
- All compliance steps must be recorded and continually documented
All of this takes a lot of work on the part of companies, and many look for help doing it. One organization that offers resources is the Committee of Sponsoring Organizations of the Treadway Commission, or COSO. Formed in 1985 to help fight corporate fraud, COSO has for years maintained a framework for internal controls that companies can follow in order to implement best anti-fraud practices. The most recent revision, which dates from 2013, specifically outlines how it can help you achieve Sarbanes-Oxley compliance.
Exabeam has a great seven-point high-level Sarbanes-Oxley compliance checklist that gives you a quick sense of everything you'll need to cover:
- Prevent data tampering
- Record timelines for key activities
- Build verifiable controls to track access
- Test, verify, and disclose safeguards to auditors
- Report on the effectiveness of safeguards
- Detect security breaches
- Disclose security breaches and failure of security controls to auditors
RSI Security has a more in-depth look at what you need to do when facing a Sarbanes-Oxley compliance audit, with lots of useful details.
Sarbanes-Oxley penalties
Sarbanes-Oxley penalties can be quite serious—and, importantly, they apply to individuals in positions of power at companies directly, not just to the companies as institutions. While corporate officers who mistakenly sign off on erroneous reports can be punished for it, the worst treatment is reserved for deliberate fraud. For instance, a CEO or CFO who knowingly certifies a report that violates the Act can be fined up to $5 million or sent to prison for up to 20 years.
Sarbanes-Oxley Act: Cases and examples
There are definitely occasions when the U.S. federal government uses the weapons that Sarbanes-Oxley provides. For instance, in 2003, not long after the law was passed, employees from Ernst & Young were arrested for destroying documents pertaining to one of their clients. In 2014 the FEC brought charges against the CEO and CFO of a Florida computer company for misleading auditors on the state of their internal controls.
But in practice, some view Sarbanes-Oxley as a missed opportunity when it comes to prosecuting corporate fraud. Even when financial reports can be shown to be fraudulent, it can be hard to prove that CEOs and CFOs knew about the fraud when they signed off on the reports—and if prosecutors do have strong evidence of this, they almost always can use that evidence to file even tougher fraud charges that aren't part of the Sarbanes-Oxley suite of options. Still, law professor Peter Henning says that the law has had a positive effect as a deterrent: it's established that "accounting shenanigans aren't going to be tolerated anymore." Hopefully that makes you feel like the struggle for certification is worth it.
Copyright © 2020 IDG Communications, Inc.
Source: https://www.csoonline.com/article/3598292/the-sarbanes-oxley-act-explained-definition-purpose-and-provisions.html