Introduction 

Sarbanes-Oxley Act (SOX) compliance is a critical requirement for businesses in the United States. The act was passed in 2002 to improve corporate governance and prevent fraudulent financial reporting. Since then, it has become an essential aspect of financial compliance for public companies. All US publicly traded companies larger than a certain size wherever their stocks are traded: NYSE, Nasdaq, and over the counter stocks are all subject to SOX compliance. 

In this blog post, we will discuss the SOX compliance requirements, providing tips and guidance on how to meet the requirements. We will also discuss how the view of SOX has evolved over the past twenty years and what that means today to companies and their internal control systems. 

Overview of SOX Compliance Requirements 

SOX requires strict auditing, logging, and monitoring across all internal controls. It is primarily aimed at ensuring transparency and accuracy in financial reporting. The act has several components, including Section 302, 404, and 409. 404 is the most talked about component, and rightfully so, but it is important to not lose focus on Sections 302 and 409. 

Section 302 requires CEOs and CFOs to certify the accuracy of financial reports submitted to the Securities and Exchange Commission (SEC). This section requires the principal officers of a company to certify that the financial reports are accurate and do not contain any material misstatements or omissions. 

Section 404 requires companies to assess their internal controls over financial reporting, also called ICFR, and provide a report on the effectiveness of these controls. This section requires management to identify and assess the risks associated with financial reporting and to implement internal controls to mitigate these risks. 

Section 409 requires companies to disclose material changes to their financial condition or operations on a real-time basis. This section requires companies to disclose information that is necessary for investors to make informed decisions. 

SOX also requires organizations to create and maintain a data security policy that protects the storage and use of all financial information, and requires organizations to consistently implement this policy, clearly communicating it to all employees. While data security can be quite broad, whom has access to transact in your financial system, including financial reporting, is paramount to ensure proper control around your company’s financial systems and associated records. 

 Simply put, SOX asks: 

• Where is your sensitive data stored? 
• Who has access to that data? 
• Why are they accessing it and what can they do with it? 

 And, in the event of suspicious activities, can an organization put a stop to them and remediate access quickly? 

Complying with SOX 

To be SOX-compliant, firms must create and maintain documentation that provides evidence to prove that not only are controls in place and documented, but that they are also communicated, followed, and most importantly, functioning as designed. Keeping large volumes of records for financial data and providing extensive documentation for SOX compliance can be overwhelming when done manually. One of the real complaints about SOX over the past twenty years is the amount of documentation or audit evidence that has been generated. In fact, it is near impossible to do this without the right technological solutions in place. Firms need auditing and monitoring tools that can provide three critical capabilities around their financial systems of record: 

1. Effective enforcement of Separation of Duties (SoD) policies 
   
   
2. Automatic logging and data tracking tools that generate clear reports throughout the year
   
   
3. Centralized administration of identity governance and access controls 

1. Effective Enforcement of SoD policies

Manually preparing a SoD review can takes a huge amount of manpower and hundreds of hours. In today’s interconnected world, gaining a clear line of sight into how tasks interact across a wide range of cloud, on-prem, and hybrid business systems is a huge challenge. Plus, as many legacy Governance Risk Control (GRC) systems do not have the capability to look at access across applications. For example, Oracle Cloud can look at Oracle’s security model, but it does not look for SoD violations outside of Oracle. A sensitive transaction that moves across multiple systems would go undetected.  For example, a sales order initiated in the CRM system, and then released in the finance or accounting system by the same user.   

Even GRC solutions that can look across systems are often limited to coarse-grain or a high-level view of user access. This is problematic since SoD violations that occur deep within a security model may not be identified. Systems like Fastpath provide fine-grained access controls, going deeper than just the entitlement level. This enables true preventative risk analysis by leveraging object-level security data, eliminating false-positives and more importantly, false-negatives in the SoD analysis. 

2. Automatic logging and data tracking tools that generate clear reports throughout the year

SOX requirements also state that organizations must provide an audit trail of all access and activity to sensitive business information. Many older systems do not have the advanced access tracking capabilities needed to understand how a problem occurred, or how to prevent it from happening again in the future. Additionally, manually reviewing user behavior and auditing access for hundreds or sometimes even thousands of users is not practical or sustainable. 

Fastpath helps organizations track and monitor changes to transactions, parameters, settings, and master data, identifying who made the changes, providing before and after values, as well as other metadata to determine the appropriateness of the change. With integrations into common ITSM platforms such as ServiceNow, Jira, and ZenDesk, it allows firms to close the loop by validating change tickets and approvals where required. It also automatically generates pre-defined audit reports, so teams spend significantly less time researching information for their auditors, as part of the control evidence or the dreaded prepared by client (PBC) list.

3. Centralized administration of identity governance and access controls

Complying with SOX is complex. To keep free and clear of violations, firms need visibility into their entire business application ecosystem. They need to remove manual processes that are prone to human error and which also require a huge amount of manpower, while at the same time stop using disparate tools that do not integrate across systems. 

Fastpath helps organizations to get a complete picture of user identities and their access, from the enterprise-wide role down to the lowest securable object or permission, highlighting areas of high-risk. We help businesses to automate audit and compliance procedures to meet SOX requirements, reducing the manual effort that is needed to prove controls, providing business-friendly workflows that are fully documented and audit-ready. 

Key Takeaways 

For many publicly traded companies, complying with SOX has become a challenge, as the complexity required to remain SOX compliance has consistently increased year-on-year. As organizations move to a best-of-breed system strategy, bringing in multi-applications to accelerate business performance, the growing list of controls needing to be tested grows. This increased growth can lead to more errors and omissions if manual controls are in place and may not fully represent all the system user data as well. The implementation of tools that can automate controls around your company’s financial systems, and other key systems in your business ecosystem is paramount to well controlled environment, one that will make it easier to not only successfully pass your next SOX audit, but also provide a sound foundation for growing internal control systems in today’s world of connected business systems.