Use Case: SOX Compliance

The responsibility of maintaining the security of your financial systems from prying eyes has taken on increasing importance with the requirements for SOX compliance. Auditors want to know: Who has access to your financial applications? What are they doing with that access? And how confident are you in your financial statements?

SOX compliance is required for all publicly traded companies and for companies preparing for an IPO. In addition, the principles of SOX are sound business practices for any company. In this article, we cover:

  • What is SOX?
  • Who is required to comply with SOX?
  • What are the benefits of SOX compliance?
  • What are some of the challenges to SOX compliance?
  • What are some of the consequences of non-compliance?
  • What is covered in a SOX audit?
  • What are SOX controls? What is SOX controls testing?
  • How does SOX affect companies looking to go public?
  • When should we start considering SOX compliance?
  • How can Fastpath help?

What is SOX?

The Sarbanes-Oxley Act of 2002, also known as the "Public Company Accounting Reform and Investor Protection Act," the "Corporate and Auditing Accountability, Responsibility, and Transparency Act," or simply "SOX," is a US law designed to "protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws."

From 2000 to 2002, the investment community was shaken by a series of public company failures; among the most notable were WorldCom, Enron, and Tyco International. These failures stemmed from company management falsifying financial statements that misled the public investing community, resulting in billions of dollars of losses and causing a lack of trust in US securities markets.

SOX established new requirements for public companies and accounting firms to implement internal controls that ensure transparency in financial reporting. The law also imposes criminal penalties and fines on corporate officers who engage in fraudulent practices.

The law, named after its sponsors US Senator Paul Sarbanes (D-MD) and US Representative Michael G. Oxley (R-OH), gives the Securities and Exchange Commission (SEC) responsibility for enforcement. In turn, the SEC established the Public Company Accounting Oversight Board (PCAOB), which regulates and oversees the accounting firms that act as independent auditors for public companies.

Who is required to comply with SOX?

Generally, public companies, wholly owned subsidiaries, and publicly traded foreign companies that do business in the US must comply with SOX.

In addition, the law prevents accounting firms that provide auditing services for public companies from performing bookkeeping, internal audits, information system implementations, or other services for these clients.

Private companies considering an Initial Public Offering (IPO) are required to comply with SOX before going public.

What are the benefits of SOX compliance?

The goal of SOX is to provide transparency into, and accuracy of, a company's financial position for the benefit of investors, employees, and the general public. The law requires businesses to establish controls over their internal security and business systems and to have those controls verified by independent external auditors. The law also provides oversight of the actions of a company's CEO, CFO, and board of directors.

Companies that adhere to SOX compliance requirements, whether legally bound to do so or not, have better control over the security of their premises, their backup and recovery efforts, and access to critical financial and information systems.

These improvements translate into tangible benefits for the organization, including:

  • More secure facilities and information systems, resulting in less chance of cyberattacks and data security breaches.
  • Greater control over user access and segregation of duties, resulting in less chance of loss due to internal fraud and intellectual property theft.
  • Improved efficiency of business processes, systems, and procedures.
  • And, of course, more accurate financial statements for corporate leadership teams.

What are some of the challenges to SOX Compliance?

Probably the most significant challenge to SOX compliance is the cost.

Establishing and maintaining the infrastructure to ensure compliance with SOX requirements for security and accuracy can be challenging. Startup companies going IPO often have to completely rethink their business processes to meet SOX compliance restrictions regarding security and user access controls.

SOX requires annual external audits of the equipment and processes within the scope of the law to establish compliance, including IT hardware, software, access procedures, and the security of each. These audits are costly and time-consuming.

Many companies conduct internal audits first to identify and correct compliance issues before bringing in the external auditor, adding to the cost of compliance.

What are some of the consequences of non-compliance?

CEOs and CFOs who knowingly submit fraudulent financial statements can be fined up to $5 million and sentenced to up to 20 years in prison. In addition, non-compliance can result in the company being delisted from public stock exchanges.

What is covered in a SOX audit?

Two sections of the Sarbanes-Oxley Act are of particular interest here.

  • Section 302, Corporate Responsibility for Financial Reports – This section holds the CEO and CFO of companies affected by the legislation personally accountable for providing accurate financial reports. The legislation allows for severe criminal and financial penalties against these individuals for non-compliance.
  • Section 404, Management Assessment of Internal Controls – Section 404 requires that affected organizations establish oversight in defining roles, responsibilities, policies, and procedures and have internal controls in place to detect and prevent fraudulent activity. Section 404a outlines management's responsibility to assert they have these controls in place in compliance with SOX. Section 404b outlines the requirement that an external auditor must attest that the company's controls comply.

While SOX does not offer a list of specific controls, it does expect organizations to show proof of security controls for areas such as change management, backup systems, and access to the company premises and business systems. In short, SOX is concerned with "establishing and maintaining an adequate internal control structure and procedures for financial reporting."

What are SOX controls? What is SOX controls testing?

Since SOX focuses on the accuracy of the data feeding the financial reporting, it requires that businesses have controls to ensure the financial systems and the IT applications supporting them are accurate. Any system involved with the capture of financial data that affects your financial reporting is within the scope of SOX.

Examples of SOX controls include segregation of duties mitigations, account reconciliations, using the principle of least privilege to minimize user access to business-critical applications, and removing the ability for developers to move their code into production without oversight.

Although these controls are critical to auditors, it is not the auditors who own the controls – it is the individual business process owners who are responsible for establishing the roles and maintaining the controls for a company.

SOX controls testing involves making sure the controls keep the system free from fraud, errors, and risk. These tests should produce an auditable record of how the controls prevented or detected the reporting of erroneous transactions.
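The controls named in this section (segregation of duties with documented mitigations, least privilege, keeping developers out of production, and an auditable test record) reduce to a small rule check over who holds which business functions. The following is an added Python example written for this page; it is not Fastpath code or any product's ruleset, and every rule, role, user and mitigation entry in it is constructed for illustration. It shows the preventive side (roles that conflict by design and should never be assigned), the detective side (users whose combined roles conflict), and how a documented compensating control with an approver and expiry turns a finding into a "mitigated" record rather than making it disappear from the audit trail.

```python
"""Segregation-of-duties (SOD) conflict analysis over constructed sample data.

Added illustration, not Fastpath code. The ruleset, roles, users and mitigation
register below are constructed; real rulesets are specific to the ERP in scope.
"""
from datetime import date

# Constructed SOD ruleset: pairs of business functions one person must not be able
# to perform alone, plus the rationale an auditor expects documented with each rule.
SOD_RULES = {
    "R01": ("create_vendor", "approve_payment",
            "One person could set up a fictitious vendor and pay it"),
    "R02": ("enter_journal", "post_journal",
            "One person could book and post unreviewed adjustments"),
    "R03": ("develop_code", "deploy_production",
            "A developer could move unreviewed code into production"),
}

# Constructed role-to-function map: what each ERP security role lets its holder do.
ROLE_FUNCTIONS = {
    "AP_Clerk":        {"create_vendor", "enter_invoice"},
    "AP_Manager":      {"approve_payment"},
    "GL_Accountant":   {"enter_journal"},
    "Controller":      {"post_journal", "approve_payment"},
    "Finance_Admin":   {"enter_journal", "post_journal"},   # conflict built into the role
    "Developer":       {"develop_code"},
    "Release_Manager": {"deploy_production"},
}

# Constructed user-to-role assignments, as an access-review extract would list them.
USER_ROLES = {
    "alice": {"AP_Clerk", "AP_Manager"},        # R01 via two separately harmless roles
    "bob":   {"GL_Accountant"},
    "carol": {"Controller"},
    "dave":  {"Developer", "Release_Manager"},  # R03
}

# Constructed register of accepted conflicts and their compensating control. An entry
# mitigates a finding only for the named user and rule, and only until it expires.
APPROVED_MITIGATIONS = {
    ("alice", "R01"): {"control": "Monthly payment-run review by the CFO",
                       "approver": "cfo", "expires": date(2030, 12, 31)},
}


def effective_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Flatten a set of roles into the business functions their holder can perform."""
    funcs = set()
    for role in roles:
        funcs |= role_functions.get(role, set())
    return funcs


def roles_with_internal_conflicts(role_functions=ROLE_FUNCTIONS, rules=SOD_RULES):
    """Preventive check for role design: roles that violate a rule on their own."""
    return [(role, rule_id)
            for role, funcs in sorted(role_functions.items())
            for rule_id, (fa, fb, _why) in rules.items()
            if fa in funcs and fb in funcs]


def find_conflicts(user_roles=USER_ROLES, rules=SOD_RULES, role_functions=ROLE_FUNCTIONS):
    """Detective check for user access: (user, rule_id, granting_roles) per conflict,
    evaluated on the union of a user's roles so cross-role conflicts are caught."""
    findings = []
    for user, roles in sorted(user_roles.items()):
        funcs = effective_functions(roles, role_functions)
        for rule_id, (fa, fb, _why) in rules.items():
            if fa in funcs and fb in funcs:
                granting = tuple(sorted(r for r in roles
                                        if role_functions.get(r, set()) & {fa, fb}))
                findings.append((user, rule_id, granting))
    return findings


def evaluate(as_of, user_roles=USER_ROLES, rules=SOD_RULES, mitigations=APPROVED_MITIGATIONS):
    """Classify each conflict as 'open' or 'mitigated' as of an ISO date string and return
    the records an auditor wants: who, which rule, why it matters, and what control applies."""
    today = date.fromisoformat(as_of)
    report = []
    for user, rule_id, granting in find_conflicts(user_roles, rules):
        fa, fb, why = rules[rule_id]
        mit = mitigations.get((user, rule_id))
        active = mit is not None and mit["expires"] >= today
        report.append({
            "user": user, "rule": rule_id, "functions": (fa, fb),
            "granting_roles": granting, "rationale": why,
            "status": "mitigated" if active else "open",
            "control": mit["control"] if active else None,
            "approver": mit["approver"] if active else None,
        })
    return report


def open_conflicts(as_of, **kwargs):
    """Users whose conflicts have no valid compensating control: the remediation list."""
    return [r["user"] for r in evaluate(as_of, **kwargs) if r["status"] == "open"]


if __name__ == "__main__":
    as_of = "2024-01-01"
    print("Roles that conflict by design:", roles_with_internal_conflicts())
    for rec in evaluate(as_of):
        ctrl = f" [{rec['control']} / approved by {rec['approver']}]" if rec["control"] else ""
        print(f"{as_of} {rec['user']:<6} {rec['rule']} {rec['status']:<9} "
              f"{'+'.join(rec['functions'])} via {','.join(rec['granting_roles'])}{ctrl}")
```

Two design points matter for an audit. First, conflicts are evaluated on the union of a user's roles, because each of alice's roles is acceptable on its own and the conflict only appears in combination; testing roles one at a time would miss it. Second, a mitigation never deletes the finding: the record still names the user, the rule and the rationale, and adds the compensating control, its approver and its expiry, so re-running the check after the expiry date reopens the item automatically instead of relying on someone to remember.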

How does SOX affect companies looking to go public?

SOX requires that publicly traded companies certify that they have instituted controls over their financial reporting, among other stipulations. SOX compliance programs include Segregation of Duties controls in critical areas of financial responsibility. Effective management of segregation of duties conflicts and user access to business-critical applications can significantly improve a company's ability to meet SOX audit requirements.

While all public companies must adhere to Section 404a, SOX provides some latitude for small companies and companies that have recently gone public by offering them an exemption period before requiring full compliance with Section 404b of SOX. In addition, the Jumpstart Our Business Startups Act (JOBS Act) further extended the Section 404b exemption period up to five years for certain companies covered by the act.

Regardless of the length of the exemption, all public companies must eventually demonstrate full SOX compliance. Therefore, it is in their best interest to put the necessary controls in place sooner rather than later.

Some questions that an auditor might ask include:

  • How do you know that your financial data is correct?
  • Can you produce management sign-off on each employee's request for access into each of your financial systems?
  • Do you have proof of regular reviews of users in your financial system?
  • Can you pass an audit of your financial systems today? How long would it take you to put all the documentation together? How confident are you in that documentation?

When should we start considering SOX compliance?

Going public is complex. Unfortunately, many growing companies do not have the proper controls processes in place. If you are considering taking the leap with an IPO, now is the time to invest in building your internal processes to support SOX reporting, governance, and compliance.

Ernst and Young recently stated, "Companies that exceeded overall market returns following an IPO have typically implemented critical organizational changes to begin acting like a public company a full 12 to 24 months prior to going public."

Whether the goal is expansion, retiring debt, increasing R&D, or buying out investors, the primary reason most companies go public is to raise capital.

Most public companies run their financials on Enterprise Resource Planning (ERP) systems such as Microsoft Dynamics, NetSuite, SAP, and Oracle Cloud, to name a few. The best time to institute secure access controls is when implementing a new ERP. Once the system is in place, its security profiles and processes become much harder to change.

Too often, the compliance team is left out during the implementation phase. Companies incur higher long-term costs if they must go back and redesign or retrofit their solution with compliant controls or security architecture.

If your company has already implemented an ERP, take the time to make sure you have SOX-compliant controls in place before moving ahead with your IPO. Configuring SOX controls should be treated with the same process used during the ERP implementation: a companywide project with executive-level commitment, budget, timeline, personnel, and project management.

Many companies wait to address these processes and tasks until after they go public. They think they can always go back and address these issues later as a short-term project. However, as the Hall of Fame basketball player and coach John Wooden once said, "If you don't have time to do it right, when will you have time to do it over?" Preparing for SOX compliance should occur concurrently with your other preparations for IPO rather than trying to fit it in after the fact.

Once you file your IPO, your company will be scrutinized by regulators, auditors, and investors, and any anomalies will be identified. The consequences of failing a SOX audit at this point will adversely affect investor confidence in your company, which, in turn, will affect your company's stock price.

Your access to capital can also be affected by fraud or misappropriation of company funds. Whether your company is going public, is already public, wants to remain private, or is seeking private equity funds, there are adverse consequences if it is discovered during due diligence that someone has been embezzling funds. Undetected fraud can scare off potential investors and private equity firms, seriously derailing your chances of accessing new capital.

How can Fastpath help?

Auditors and regulators are looking closely at how companies of all sizes address internal security and access risk management. Fastpath enables organizations to streamline and automate key processes by delivering a variety of preventative, detective, and reactive control capabilities.

Fastpath Assure is a cloud-based risk and compliance management platform that helps companies achieve process efficiency, reduced costs, and enhanced control over their fraud, auditing, and compliance efforts.

With Fastpath, you can:

  • Automate your business processes, reducing or eliminating errors made by manual processes.
  • Reduce the risk of internal fraud through Segregation of Duties (SOD) analysis, automated management approval for access requests, and a verifiable audit trail.
  • Identify SOD risk at a granular level across all your critical business systems: ERP, HCM, CRM, and more. Fastpath's SOD tools come with pre-defined and easily modified rulesets built by Fastpath's team of certified internal auditors.
  • Automate Access Reviews and Access Certifications, notifying the necessary parties of the tasks requiring sign-off, following up on incomplete assignments, and generating reports for audit compliance.
  • Provide auditable reports for your SOX controls testing across multiple business systems.

Other security tools available from Fastpath include:

Audit Trail – Track user activity, noting changes to critical data and configuration settings, including before and after values, when, and by whom.

Identity Manager – Streamline user setup and provisioning while adding approvals and audit trails into the process.

Security Designer – Create new roles or edit existing ones and identify where conflicts exist vs. where they would exist if the proposed changes were implemented. Decide which model best fits your needs with the lowest possible risk level before provisioning.

Risk Quantification – Quantify the financial exposure of Segregation of Duties conflicts in your ERP environment and assign a value to those risks. Delivering this critical information to auditors allows them to focus on the areas with the most significant monetary impact on the organization.

SAP Custom Code Checker – Interrogate the target SAP environment line by line to determine if indirect, unintended access is granted to users.

Transaction Control Monitor (TCM) for Oracle EBS – Identify transactions with a potential risk or that exceed acceptable thresholds, allowing management to focus on the areas with the greatest monetary impact on the organization.

Universal Product Integration (UPI) – Fastpath has pre-built integrations to many ERP, CRM, and HCM applications. UPI allows users to extend Fastpath's cross-platform capacity and customize their own integrations to all in-scope applications, giving users the ability to see all their access risks from a single dashboard.

For a customized product demonstration based on your specific needs, please contact us here.

Des Moines, IA – July 27, 2022 – Fastpath Solutions, the leading provider of security and compliance solutions for Microsoft Dynamics, is pleased to announce a new tool for Microsoft’s Dynamics 365 Finance & Operations (D365FO) cloud-based ERP system. The Fastpath License Review Tool is a comprehensive license reporting solution that provides ... Read More