SOX and Its Need in the Current Scenario: Everything You Need to Know in 2022

September 22, 2022

Introduction

When companies make the decision to enter the public market, whether through a traditional initial public offering (IPO) or through a special-purpose acquisition company (SPAC), they all have one thing in common—they must all comply with the Sarbanes-Oxley Act of 2002 (SOX). With all the competing priorities and other requirements of a public offering, focusing on becoming SOX compliant may be challenging to balance. While compliance with this federal regulation has been a requirement for publicly traded companies for years, companies may still struggle with how to practically prepare for and comply with SOX.

Background

SOX is a United States federal law enacted on July 30, 2002, that mandated several reforms to enhance corporate responsibility and financial disclosures, as well as to combat corporate and accounting fraud. Among other things, SOX established the Public Company Accounting Oversight Board (PCAOB), strengthened penalties for corporate fraud, established certain internal control requirements for management, and established certain requirements for independent auditors to attest to management’s assessment of internal controls.

Who Must Comply with SOX?

All publicly traded companies in the USA must comply with SOX, as well as any wholly-owned subsidiaries and foreign companies that are both publicly traded and do business with the USA. Any accounting firms that are auditing companies bound by SOX compliance are also, by proxy, obliged to comply.

Other companies, including private ones and non-profits, generally do not have to comply with SOX, although adhering to it anyway is good business practice. There are other reasons, besides good business sense, to comply with SOX even if you are not publicly traded. SOX has some articles stating that any company that knowingly destroys or falsifies financial data could face punishment under the Act.

Companies that are planning on going public, perhaps via an IPO (Initial Public Offering), should prepare to be bound by SOX.

Road to SOX Compliance

  1. Scope, assess, and define

Before getting started, perform a risk assessment based on qualitative and quantitative factors to identify those areas that are most significant to the company. This will help to focus efforts and drive the scoping. After that, develop the project plan, including the objectives, timelines, budget, and resources.

  2. Identify and document controls

Gain an understanding of the overall processes that are included in scope, including the flow of transactions and the significant account balances by interviewing the process owners. During the interviews, document the processes, identify risks within the processes, and identify where controls have been implemented and where they should be implemented.

  3. Perform control testing

For those controls that have been implemented, perform control testing to determine whether they are operating effectively and to identify those that are not.

  4. Execute remediation process

Consolidate the list of controls that were determined to either be missing or not operating effectively. Perform a severity assessment and prioritization of the control gaps to help focus remediation efforts. Assign ownership for each item to be remediated and establish a timeline and road map for remediation. Finally, perform testing and document the results of the remediated controls.

  5. Monitor, certify and assert

Develop a plan for continuous monitoring and evaluations of controls, and develop a process for control owners to certify the operating effectiveness of their controls to support the CEO and CFO quarterly and annual certifications. Finally, communicate to those charged with governance.

SOX IT Audits

Auditing the company’s internal security controls is often the largest, most complex and time-consuming part of a SOX compliance audit. This is because internal controls include all of the company’s IT assets, such as computers, hardware, software and all the other electronic devices that can access financial data.

SOX IT audits are focused on the following key areas:

IT Security: Companies need to ensure that they have a way to locate where sensitive data is, see who has access to it and monitor user interactions with it. Should an incident occur, the company needs to be able to take action to remediate it in an effective and timely manner. To do this adequately, it’s likely you will need strict policies and procedures combined with auditing and monitoring technology.

Access Controls: Ensure that only the right people have access to sensitive financial information, both physically and electronically, by limiting access and implementing controls on access. This could be securing servers behind biometric doors, implementing password policies and more.

Data Backup: Ensure that data is backed up so that, in the event of an incident, data loss is minimized. Any data center containing backed up data is also bound by SOX.

Change Management: Whenever your IT environment changes, such as new employees, new computers, updated software and more, ensure that records are kept of the changes and that the appropriate security is maintained.

SOX Compliance Checklist

There is no one size fits all checklist for SOX compliance, as each organization looks different. However, some general guidelines are as follows:

Review & monitor access controls

Ensure that you regularly review and monitor access controls and get real-time alerts following permission changes that could affect access to sensitive financial information. Ensure that you track anomalous logon attempts and any tampering with financial records. As always, strictly adhere to the Principle of Least Privilege (PoLP).

Install updates

Ensure that all of your systems are up to date, including (and especially) your logging and monitoring software.

Investigate alerts

Ensure that any alerts you receive through your SOX audit solution are dealt with immediately and investigated appropriately.

Classify your sensitive data

Ensure that you regularly classify your sensitive financial data and know whenever financial data is created.

Monitor user behaviour

Ensure you are monitoring user behaviour and can spot anomalies that may lead to breaches in SOX compliance. For example, users should not be copying financial data to unsecured locations.

Maintain a SOX compliance status report

Maintain a regular and up-to-date SOX compliance status report. This will help you produce the required information in the event of a SOX audit.

Be transparent with the auditors

Grant SOX auditors access to the systems and data they need to do their job. Send activity reports directly to the auditors via email or some other method. Any technical difficulties relating to the security measures applied to financial data should be reported to the auditors.

Train staff

Ensure that all employees, old and new, are regularly trained on how best to handle financial data, including the SOX requirements.

Define breach notification procedures

Report security incidents and breaches in a timely manner and with as much detail as possible.

Maintain historical data

Keep an immutable record of all events surrounding data breaches and other security incidents. This will enable the security team to conduct a forensic investigation and demonstrate this knowledge to the auditors.

Prevent data loss

Have a robust data loss prevention strategy in place, which includes taking regular backups and monitoring suspicious file and folder activity and outbound network traffic.

Benefits of SOX Compliance

SOX compliance provides companies with a way of improving their data security whilst simultaneously helping to restore public confidence in big business. Stockholders are happy that financial reporting is regulated and predictable, and it makes it easier for businesses to raise capital.

Companies adhering to SOX compliance will find that their ability to detect and react to security threats is greatly improved, which means that they are less likely to suffer devastating data breaches.

The amount of inter-departmental communication that SOX compliance requires can also help to improve company culture and drive growth and collaboration.

Article contributed by:

Team- Risk & Transaction Advisory Services
