As a result of major corporate financial scandals involving Enron, WorldCom, and Global Crossing, the Sarbanes-Oxley (SOX) Act of 2002 was passed by US congress to enforce financial reporting accountability and control. SOX represents a huge shift in federal securities laws, where effective in 2006, all public companies in the US are required to implement and report their internal accounting controls to the Securities and Exchange Commission (SEC) for compliance. On top of that, certain sections of SOX also apply to privately-held companies.
One of the most challenging aspects of the SOX act is that while it highlights various requirements that companies have to meet, it doesn’t really provide any guidelines to achieve compliance goals. The SOX act does, however, establish extensive civil and criminal penalties for non-compliance, and executives who approve faulty documentation can face fines of up to $5 million and jail time of up to 20 years.
The SOX act consists of multiple sections that require compliance, but in this article, we’re going to take a closer look at sections 302 and 404 – the principle sections that relate to security. We’ll also look at a few straightforward best practices that you can put into place to make sure you start the year off on the right foot!
Section 302: Corporate Responsibility for Financial Reports
Section 302 essentially holds executives accountable for flaws in financial reporting. It states that a company’s Chief Executive Officer (CEO) and Chief Financial Officer (CFO) must not only personally certify that financial reports are accurate and thorough, they also have to assess and report on their company’s internal controls around financial reporting.
This section of SOX clearly places responsibility for precise financial reporting on the highest echelons of corporate management. CEOs and CFOs now face the potential of criminal fraud liability if there’s anything found to be fishy in their organization’s financial reports, or the internal controls that process and report finances. What’s challenging is that whereas the possible penalties are laid out in the act (we talked about a couple of the more severe ones above), section 302 does not distinctly list which internal controls must be assessed in a company’s quarterly or annual reports.
Section 404: Management Assessment of Internal Controls
Section 404 outlines that a corporation must assess the effectiveness of its internal controls and report this assessment annually to the SEC. The annual assessment must also be evaluated and deemed sufficient by an external auditor, which in most cases is an accounting firm who’s expertly familiar with SOX best practices. It’s argued that Section 404 is the most complicated, most contested, and most expensive to implement of all the SOX Act sections for compliance. Like section 302, the wording of section 404 is broad and again does not provide specific guidelines as to which controls need to be assessed within an organization, making it an intimidating task for many.
Many Chief Information Officers (CIOs), third party information security consultants, and auditors specializing in SOX compliance use frameworks like COBIT (Control Objectives for Information and Related Technologies) to set up internal controls that safeguard against data tampering, establish timelines, and track data access to help companies meet and maintain compliance.
Major challenges associated with SOX compliance
The truth is, there are many obstacles that stand in the way of ensuring proper compliance with the multitude of regulatory SOX expectations. Among other things, SOX requires monitoring of sensitive data access, failed login and database activities, user privilege escalation, and privileged user actions.
In a conducted by global consulting firm Proviti, a few of the key challenges to compliance that respondents identified were:
Time: Two out of three survey respondents reported that for them, compliance can be a time-consuming exercise. Compliance has been a hot topic this past year, especially with major regulations like GDPR about to come into play, so it’s understandable that compliance activities have ramped-up recently.
Cost: For many companies who implement internal control frameworks such as the ones defined by COSO (The Committee of Sponsoring Organizations of the Treadway Commission) costs can get high. As high as $50,00-$100,000 as indicated by the report. Financial services organizations spend more than those in other sectors, followed closely by energy/utilities, manufacturing, and technology/telecommunications. For companies with multiple locations, the cost of getting compliant internal controls in place can get even higher, with some reporting having paid up to $2M.
Compliance shifts: It’s been challenging for companies to build and maintain a solid SOX framework when compliance efforts continue to be impacted by new and emerging influences such as the Financial Accounting Standards Board’s (FASB) new revenue recognition standard, as well as growing cybersecurity concerns and their impact on financial reporting.
In a Deloitte SOX report, “Lack of an enterprise-wide, executive-driven internal control management program” was identified as a major threat for companies who are working towards achieving SOX compliance. This is to say that while many organizations have refined their financial reporting at the leadership level, these internal controls may not always become company-wide best practices in day-to-day operations.
If any of the above challenges sound familiar, don’t worry. Gearing up to become more compliant can’t be done in one shot – it’s an ongoing process. Here are a few tips that will help towards building a SOX compliant environment.
Engage outside expertise
Although there was a time when SOX compliance may have 100% been handled on-site, more and more enterprises are realizing that it’s an ongoing, challenging, and evolving process. In recent years, this has given business process outsourcing (BPO) providers plenty of opportunities to provide SOX support services.
BPO organizations are well-versed in the ever-shifting compliance landscape, so they can help mitigate risk at any phase of a SOX compliance implementation strategy. They’ve also been known to save companies 30%-40% on SOX compliance costs compared to their previous internal processes. Working with BPO providers enables companies to strategize their SOX compliance end-to-end – from initial documentation and testing to establishing sustainable, year-over-year processes that work.
Start with your IT department
As the hub for the platforms on which most corporate communications take place, good governance policies for financial reporting start in the IT department. By treating the IT department as a “business within a business”, IT administrators can take a look at what controls currently exist and what may be lacking and start to implement governance processes before going company-wide. Be mindful of the challenges you face such as technical roadblocks and process adoption by users and develop strategies for dealing with these issues before processes are gradually put into play on an organizational level.
Once controls are in place and a sound strategy is formed, tackling financial systems and getting the CFO on board will be much easier.
Leverage existing technology… and consider new tools
Technology plays just as much of a key role in solving compliance challenges as strategizing and adopting internal control processes in 2018. By defining security settings, storage and auditing policies, and expiration actions for sensitive information in accordance with compliance regulations, you can help ensure your mission critical data is controlled and managed effectively.
Companies who incorporate secure file exchange solutions into their technology framework, for example, automatically check several items off their compliance checklist. Data officers who maintain audit records for quarterly or annual reporting can save time and tedious workload with solutions that provide digitally signed audit records every time a file exchange takes place.
Are you looking for solutions that automate workflow, save costs, and enable a more SOX compliant work environment? Speak with an expert today to learn more!