
Introduction to Sarbanes Oxley Act (SOX) and influence on IT Governance

Published on: 8/17/2014
Topic: Cyber Security Compliance Standards
The Sarbanes-Oxley Act (SOX) is United States legislation enacted in 2002 in response to a series of high-profile corporate financial scandals, intended to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. The act contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and it requires the Securities and Exchange Commission (SEC) to issue the rules that define how companies must comply with the law.

SOX Influence on IT Governance & Financial Reporting

The Sarbanes-Oxley Act not only defines the rules for the financial organization of corporations; it also directly affects IT departments, which must ensure the correctness of the transaction data used in financial reporting and auditing, secure the disclosure of financial data, and provide the ability to report on and archive financial data and reports securely for extended periods.


Abstract of Key Requirements influencing IT Governance


  • Sarbanes-Oxley defines which records are to be stored and for how long.

  • The retention period most often cited from the Sarbanes-Oxley Act is “not less than five years”, and it is frequently summarized as applying to all business records, including electronic records and electronic messages. The statutory basis is Sec. 802(a)(1): “Any accountant who conducts an audit of an issuer of securities to which section 10A(a) of the Securities Exchange Act of 1934 (15 U.S.C. 78j-1(a)) applies, shall maintain all audit or review work papers for a period of 5 years from the end of the fiscal period in which the audit or review was concluded.” Note that the statute itself is addressed to auditors and their work papers; the SEC’s implementing rule (Rule 2-06 of Regulation S-X) subsequently extended the retention period for those records to seven years, and a company’s own retention obligations for the underlying records follow from the SEC rules and from the internal-control requirements of Section 404. The consequences for non-compliance are fines, imprisonment, or both. Hence IT departments are responsible for maintaining the corporate records archive in a cost-effective but secure fashion that satisfies these requirements, which in practice means an archive that is tamper-evident, access-controlled and retrievable for the whole retention period.

  • The third rule identifies the types of business records that must be retained: all business records and communications, including electronic communications. Sec. 802(a)(2): “The Securities and Exchange Commission shall promulgate, within 180 days, such rules and regulations, as are reasonably necessary, relating to the retention of relevant records such as work papers, documents that form the basis of an audit or review, memoranda, correspondence, communications, other documents, and records (including electronic records) which are created, sent, or received in connection with an audit or review and contain conclusions, opinions, analyses, or financial data relating to such an audit or review.” For IT this means that e-mail, messaging and document repositories fall within scope, not only the accounting systems themselves.

  • Title III specifies the responsibility of corporate officers for the accuracy and validity of corporate financial reports.

  • Title IV states enhanced reporting requirements for financial transactions, including off-balance-sheet transactions, pro-forma figures and stock transactions of corporate officers. It requires internal controls for assuring the accuracy of financial reports and disclosures, and mandates both audits and reports on those controls.

  • Title V contains measures to restore confidence in the reporting of securities analysts and requires disclosure of known conflicts of interest.

  • Title VIII requires controls against, and imposes criminal penalties for, the manipulation, destruction or alteration of financial records.


SOX – Compliance Costs


A 2006 study of 200 companies with average revenues of $6.8 billion found average compliance costs of $2.9 million (0.043% of revenue), down 23% from 2005. A 2007 study of 168 companies with average revenues of $4.7 billion found average compliance costs of $1.7 million (0.036% of revenue).


Costs for decentralized companies (i.e., those with multiple segments or divisions) were considerably higher than for centralized companies.


Section 404 requires management and the external auditor to report on the adequacy of the company’s internal control over financial reporting (ICFR). This is the most costly aspect of the legislation for companies to implement, because documenting and testing the important manual and automated financial controls requires enormous effort. Under Section 404, management must produce an “internal control report” as part of each annual Exchange Act report.


SOX 404 compliance costs have been described as a tax on inefficiency, encouraging companies to centralize and automate their financial reporting systems. This is apparent in the comparative costs of companies with decentralized operations and systems versus those with centralized, more efficient systems. At the same time, the cost of complying with SOX 404 falls disproportionately on smaller companies, because a significant part of the cost of completing the assessment is fixed and does not scale down with revenue.


Effects on non U.S. companies for U.S. exchange listing

The Sarbanes-Oxley Act affects non-U.S. companies listed in the U.S. differently depending on whether they come from developed, well-regulated countries or from less developed ones. Companies from poorly regulated countries gain benefits, chiefly better credit ratings, that exceed the cost of complying with the regulations of a highly regulated market such as the USA; companies from developed countries mostly incur the costs, since transparency is already adequate in their home markets. The benefit of a better credit rating is, however, also available by listing on other stock exchanges, such as the London Stock Exchange.


Summary of Sarbanes Oxley Act – 11 titles


The Sarbanes-Oxley Act is arranged into 11 Titles and each title consists of several sections. For compliance, section 302, 401, 404, 409, 802 and 906 are considered most important sections within these titles.


SOX Title 1 – Public Company Accounting Oversight Board (PCAOB)

Title I has nine sections and establishes the Public Company Accounting Oversight Board (PCAOB) to provide independent oversight of the public accounting firms that provide audit services (“auditors”). The board is tasked with registering auditors, defining the specific processes and procedures for compliance audits, inspecting and policing conduct and quality control, and enforcing compliance with the specific mandates of SOX.


SOX Title 2 – Auditor Independence

Title II has nine sections and establishes standards for external auditor independence in order to limit conflicts of interest. It also addresses new auditor approval requirements, audit partner rotation, and auditor reporting requirements, and it restricts auditing firms from providing non-audit services (e.g., consulting) to the same clients.


SOX Title 3 – Corporate Responsibility

Title III has eight sections and mandates that senior executives should take individual responsibility for the accuracy and completeness of corporate financial reports. It defines the interaction of external auditors and corporate audit committees, and specifies the responsibility of corporate officers for the accuracy and validity of corporate financial reports. It enumerates specific limits on the behaviors of corporate officers and describes specific forfeitures of benefits and civil penalties for non-compliance. For example, Section 302 requires that the company’s “principal officers”, typically the Chief Executive Officer and Chief Financial Officer, certify & approve the integrity of their company financial reports quarterly.


SOX Title 4 – Enhanced Financial Disclosures

Title IV consists of nine sections. It describes enhanced reporting requirements for financial transactions, including off-balance-sheet transactions, pro-forma figures and stock transactions of corporate officers. It requires internal controls for assuring the accuracy of financial reports and disclosures, and mandates both audits and reports on those controls. It also requires timely reporting of material changes in financial condition and specific enhanced reviews by the SEC or its agents of corporate reports.


SOX Title 5 – Analyst Conflicts of Interest

Title V consists of only one section, which includes measures designed to help restore investor confidence in the reporting of securities analysts. It defines codes of conduct for securities analysts and requires disclosure of known conflicts of interest.


SOX Title 6 – Commission Resources and Authority

Title VI consists of four sections and concerns the resources and authority of the SEC, including increased appropriations for the Commission. It defines the SEC’s authority to censure or bar securities professionals from practice and the conditions under which a person can be barred from practicing as a broker, advisor, or dealer.


SOX Title 7 – Studies and Reports

Title VII consists of five sections and requires the Comptroller General and the SEC to perform various studies and report their findings. Studies and reports include the effects of consolidation of public accounting firms, the role of credit rating agencies in the operation of securities markets, securities violations and enforcement actions, and whether investment banks assisted Enron, Global Crossing and others to manipulate earnings and obfuscate true financial conditions.


SOX Title 8 – Corporate and Criminal Fraud Accountability

Title VIII consists of seven sections and is also referred to as the “Corporate and Criminal Fraud Accountability Act of 2002”. It describes specific criminal penalties for manipulation, destruction or alteration of financial records or other interference with investigations, while providing certain protections for whistle-blowers.


SOX Title 9 – White Collar Crime Penalty Enhancement

Title IX consists of six sections and is also called the “White Collar Crime Penalty Enhancement Act of 2002”. It increases the criminal penalties associated with white-collar crimes and conspiracies, recommends stronger sentencing guidelines, and specifically makes failure to certify corporate financial reports a criminal offense (Section 906).


SOX Title 10 – Corporate Tax Returns

Title X consists of one section. Section 1001 states that the Chief Executive Officer should sign the company tax return.


SOX Title 11 – Corporate Fraud Accountability

Title XI consists of seven sections. Section 1101 gives this title the short name “Corporate Fraud Accountability Act of 2002”. It identifies corporate fraud and records tampering as criminal offenses and ties those offenses to specific penalties. It also revises sentencing guidelines and strengthens their penalties, and it authorizes the SEC to temporarily freeze transactions or payments that are deemed “large” or “unusual”.


Similar laws in other countries


Bill 198 – Ontario, Canada Act

J-SOX – Japanese equivalent of SOX

German Corporate Governance Code

CLERP9 – Australian corporate reporting and disclosure law

Financial Security Law of France (“Loi sur la Sécurité Financière”) – French equivalent of Sarbanes Oxley Act

L262/2005 (“Disposizioni per la tutela del risparmio e la disciplina dei mercati finanziari”, provisions for the protection of savings and the regulation of financial markets) – Italian equivalent of the Sarbanes-Oxley Act for financial services institutions

King Report on Corporate Governance – South African corporate governance code

Clause 49 – Indian equivalent of SOX

TC-SOX 11 – Turkish equivalent of SOX

