Under the Sarbanes-Oxley Act, all listed US companies are required to submit accounts certified by their representatives to the SEC (Securities and Exchange Commission). However, this law does not only affect American companies. The same applies to European companies with interests linked to the United States, such as companies that have subsidiaries in the United States or even companies that have commercial relations with the United States.
What is SOX compliance?
The Sarbanes-Oxley Act was enacted on July 30, 2002, by the United States government in response to the accounting scandals of Enron, Tyco, and other companies, with the aim of restoring the confidence of the nation and the world, particularly of investors in the corporate sector, by establishing new codes of self-regulation and legal obligations.
These obligations concern:
- The certification of all financial information
- Transparency of accounting records
- The preparation of internal controls for the regularity and traceability of financial information
- The personal and objective responsibility of the CEO (Chief Executive Officer) and the CFO (Chief Financial Officer) for financial reporting
- Increased penalties for false accounting and other tax offenses
- The establishment of the Public Company Accounting Oversight Board
Three main SOX principles are included in the law:
- The accuracy and availability of information
- The direct responsibility of the leaders
- Auditor independence
Six main chapters of SOX
- The direct responsibility of the managers (CEO and CFO): in the event of irregularities, the leaders risk 20 years in prison.
- The accuracy and availability of the information: additional information must be provided to the SEC.
- The existence of external auditors authorized to receive information or complaints from either shareholders or employees (hotline).
- The independence of the auditors will be guaranteed by their frequent changes.
- The establishment of a body (Public Company Accounting Oversight Board) in charge of regulating and supervising the companies’ declarations.
- Above all, the strengthening of sanctions.
SOX impact on information systems
Information systems must also be transformed, in particular, because of sections 409, “Real-Time Issuer Disclosure” and 404, “Management Assessment of Internal Controls.”
Section 409, among other things, requires companies to be able to close their accounts as quickly as possible (two days).
Section 404 is much more restrictive. It requires companies to put in place internal controls whose effectiveness must be demonstrated.
In addition, SOX checks relate to:
- Password management: security level, change at regular intervals;
- The computer network: verification of access authentication, protection of the network by two firewalls, control of Internet access and good use of the Internet, revocation of access in the event of the employee’s departure;
- Antivirus management: virus analysis, checking for updates;
- ERP security: access control, long passwords, restriction of data access to users;
- Backups: regular restoration tests;
- Vulnerability management;
- Protection of buildings;
- Physical security: setting up of restricted access areas, registration of visitors.
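Because Section 404 asks for controls whose effectiveness can be demonstrated, the controls listed above are typically backed by periodic evidence checks over exports from the identity and backup systems. The script below is an added illustration, not code from the original article or from any SOX or COBIT publication: it applies three of the listed checks (password change at regular intervals, revocation of access when an employee leaves, and regular backup restoration tests) to constructed sample records. The numeric thresholds (90 days for password age, 180 days between restore tests) and the record layout are assumptions; SOX itself fixes no such values, they come from a company's own control design.

```python
"""Illustrative SOX IT-control evidence check (added example, not from the article)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Thresholds are assumptions for this illustration: SOX section 404 requires
# effective, demonstrable controls but does not prescribe numeric values.
MAX_PASSWORD_AGE_DAYS = 90
MAX_DAYS_SINCE_RESTORE_TEST = 180


@dataclass
class Account:
    username: str
    active: bool
    password_last_set: date
    terminated_on: Optional[date] = None  # date the employee left, if any


@dataclass
class BackupSet:
    name: str
    last_restore_test: Optional[date]  # None means never restored as a test


Finding = Tuple[str, str, str]  # (control code, object checked, detail)


def audit_accounts(accounts: List[Account], as_of: date) -> List[Finding]:
    """Password-age and leaver-revocation checks over an account export."""
    findings: List[Finding] = []
    for a in accounts:
        if not a.active:
            continue  # a disabled account cannot be used, so no further checks
        age = (as_of - a.password_last_set).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append(("PASSWORD_AGE", a.username, f"password {age} days old"))
        if a.terminated_on is not None and a.terminated_on <= as_of:
            findings.append(("ORPHANED_ACCESS", a.username,
                             f"left on {a.terminated_on}, account still enabled"))
    return findings


def audit_backups(backups: List[BackupSet], as_of: date) -> List[Finding]:
    """Restore-test recency check: a backup that was never restored is unproven."""
    findings: List[Finding] = []
    for b in backups:
        if b.last_restore_test is None:
            findings.append(("RESTORE_NEVER_TESTED", b.name, "no restore test on record"))
            continue
        gap = (as_of - b.last_restore_test).days
        if gap > MAX_DAYS_SINCE_RESTORE_TEST:
            findings.append(("RESTORE_TEST_STALE", b.name, f"last test {gap} days ago"))
    return findings


# Constructed sample data standing in for an IAM export and a backup-system report.
AS_OF = date(2024, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("alice", True, date(2024, 5, 1)),                                   # compliant
    Account("bob", True, date(2024, 1, 15)),                                    # password too old
    Account("carol", True, date(2024, 6, 10), terminated_on=date(2024, 6, 1)),  # leaver still enabled
    Account("dave", False, date(2023, 2, 1), terminated_on=date(2024, 3, 1)),   # leaver, correctly disabled
]
SAMPLE_BACKUPS = [
    BackupSet("erp-db", date(2024, 4, 15)),   # tested recently
    BackupSet("fileserver", None),            # never tested
    BackupSet("mail", date(2023, 11, 1)),     # test overdue
]


def run_audit() -> List[Finding]:
    """Run every check over the sample data and return the combined findings."""
    return audit_accounts(SAMPLE_ACCOUNTS, AS_OF) + audit_backups(SAMPLE_BACKUPS, AS_OF)


if __name__ == "__main__":
    for code, obj, detail in run_audit():
        print(f"{code:22} {obj:12} {detail}")
```

Each finding carries a control code, the object it concerns and a human-readable detail, which is the shape an auditor expects when the output is retained as evidence that the control was exercised on a given date. Running the same checks on a schedule, and keeping the dated output, is what turns a written policy into the demonstrable control Section 404 asks for.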
In conclusion, many companies have turned to a COBIT framework, which details the assessment of IT controls. Its Ensure Systems Security process is particularly suited to the Sarbanes-Oxley (SOX) law: its main objective is to “provide controls protecting information against any unauthorized use, disclosure or modification and against any damage or loss using controls.”