The Sarbanes-Oxley Act (SOX), also known as the U.S. Public Company Accounting Reform and Investor Protection Act of 2002, is an Act specifically designed to rebuild the confidence of investors and stock owners in public corporations after a series of accounting scandals. The law, sponsored by U.S. Representative Michael G. Oxley and U.S. Senator Paul Sarbanes, was passed in 2002 to promote financial transparency and consistency in public companies and corporations in order to protect the interests of every stakeholder of the organization, especially the investors.
Strict penalties are imposed on public corporations that do not comply with the requirements of this Federal Act. By virtue of the Sarbanes-Oxley Act, every public corporation headquartered in the United States must provide accurate financial data to be evaluated by an external auditor. CFOs and CEOs are held liable for inaccuracies and inconsistencies in the financial data and reports presented, and face strict penalties for them.
Proponents of the Sarbanes-Oxley Act believe that the Federal law is effective in increasing the confidence of investors and fund managers by promoting transparency in the production of corporate financial statements. Presently, the Sarbanes-Oxley Act applies only to public companies and corporations that are headquartered in the United States. Private companies that wish to go public must also comply with the Sarbanes-Oxley Act.
The Sarbanes-Oxley Act was formulated as a response to the financial scandals involving WorldCom and Enron. The Act is designed to eliminate fraudulent practices and minimize internal errors within organizations. Improved disclosure and transparency usually result in early detection of financial fraud, prevention of its adverse effects, and determination of appropriate and cost-effective solutions to financial errors and difficulties. This ultimately leads to enhanced operational and financial efficiency within the organization.
The Sarbanes-Oxley Act mandates that IT departments save electronic messages and records for no less than 5 years. Non-compliance with the law can subject CEOs and CFOs to imprisonment, fines, or both.
Many public companies do not find complying with the Sarbanes-Oxley Act appealing, but the Federal law is beneficial in promoting integrity and transparency within the organization. The accuracy and reliability of the internal financial data presented allow high-level personnel to manage their resources efficiently. SOX has contributed to the success of a number of industries such as telecommunications, financial services, retail, manufacturing and technology.
Initially, many companies found the Sarbanes-Oxley Act troublesome and costly, but as time has gone by there have been unexpected benefits. SOX has been successful in benefiting and protecting the rights of management, investors, and the government. Though SOX compliance is costly, many public companies admit that complicated IT processes were made simpler and easier to accomplish. With the aid of SOX, many corporations were able to standardize their key financial operations and eliminate redundant information in their systems. Furthermore, inaccuracies and inconsistencies in data are minimized while unnecessary controls are eliminated.
Implications of Sarbanes-Oxley Act for IT Managers
The Sarbanes-Oxley Act is considered both a blessing and a burden to public corporations in the United States. The Federal law was primarily proposed to protect the welfare of investors and stockholders against financial inaccuracies and inconsistencies. Though Sarbanes-Oxley Act compliance is costly, many companies found the law to be cost-effective once the proper practices were in place, because it promotes overall efficiency in the internal operations of the organization. One of the main goals of the Act is to ensure that high-level managers are aware of, and are held liable for, financial discrepancies in the parts of the organization for which they are responsible.
Sarbanes-Oxley also obligates public companies to present accurate and reliable corporate financial information and to promote transparency and disclosure of this data. IT is essential to the successful implementation of the Sarbanes-Oxley Act. Failure to comply with the requirements of the law imposes penalties on the CEOs and CFOs who are held responsible for any fraudulent financial practice within the organization. The Act further requires the IT department to retain pertinent financial information of the corporation for at least 5 years.
In complying with the Federal Act, IT departments play a major role in securing the accuracy and reliability of corporate data. With the implementation of the Sarbanes-Oxley Act, information technology controls have become more widespread. More than anyone else in the company, IT personnel have direct influence over the company’s financial data. To protect investors’ rights and welfare, the Sarbanes-Oxley Act contains rules that limit the power of IT professionals to influence the management and control of corporate data.
In fact, anyone who is found guilty of falsifying, destroying, mutilating, altering or making false entries in the tangible documents of the company, whether intentionally or unintentionally, will be liable to penalties including fines and/or imprisonment of up to 20 years.
Information technology controls (IT controls), a subset of the corporation’s internal controls, are activities that must be performed to ensure that the organization’s objectives are achieved. IT objectives are normally related to the integrity, confidentiality and availability of data whenever it is needed.
With regard to data confidentiality and security, only authorized users are allowed access to the company’s fixed asset financial data. This is achieved by requiring a user ID and password from anyone who wants access to the financial data of the organization. Furthermore, to secure the accuracy and integrity of the data, FAS obliges companies to use appropriate depreciation methods, formulas and calculations. IT program controls are normally automated by systems to secure the accuracy and reliability of data processing from input to output.
The chief information officer is held responsible for the reliability, accuracy and security of the systems that manage the corporation’s financial data. Chief information officers are also required to attest to the precision and consistency of the corporation’s financial data. Compliance with the Act may be time-consuming and costly, but in general it cannot be denied that it is helpful in improving transparency and operational efficiency and in protecting the overall welfare of investors against data inconsistencies.
MetricStream provides Governance, Risk and Compliance (GRC) software solutions that allow companies across various industries to streamline and automate their enterprise-wide GRC programs.
- Setup of the SOX Compliance Framework
- Risk Assessments
- Control Testing and Documentation
- Remediation and Disclosures
- SOX Compliance Monitoring and Reporting
Workiva is a leading cloud platform for connected reporting across accounting, finance, audit, and internal controls.
- Robust data quality and collaboration
- World-class professional and peer support
Netwrix platform accurately identifies structured and unstructured sensitive data, enabling you to focus on the information that truly requires protection.
- APO07 Manage Contract Staff
- APO12 Manage Risk
- APO13 Manage Security
- APO14 Managed Data
- BAI08 Managed Knowledge
- BAI10 Manage Configuration
- DSS01 Manage Operations
- DSS02 Manage Service Requests and Incidents
- DSS05 Manage Security Services
- DSS06 Managed Business Process Controls
AuditBoard is the industry’s most complete & user-friendly SOX Compliance and Audit Management software.
- User-friendly Interface
- 20 Day Implementation
- Built by Auditors
- Experienced Team
SolarWinds IT monitoring and management tools are built for SysAdmins and network engineers who need powerful and affordable tools.
- Centralize and control log management
- Use real-time event correlation to detect and stop threats
- Generate internal and external regulatory compliance reports
- Schedule reports to run automatically or produce as needed
Nasdaq BWise is the global leader in Governance, Risk and Compliance (GRC) Management software.
- Based on COSO methodology and our experience in supporting listed companies
- Through an intuitive interface, role-based views and inline tutorials, eliminating the need for user training
- Using pre-defined cadences to significantly reduce manual steps
Ideagen Plc provides market-leading information management, safety, risk and compliance software solutions that allow organisations to achieve operational excellence, regulatory compliance and reduce risk.
- Enhance corporate transparency and safeguard “electronic paper trails”
- Strengthen business assurance and oversight
- Optimise internal controls and prioritise risk
- Unify your approach to risk and control management of financial processes
- Bolster trust with stakeholders through complete compliance assurance
Manage your Sarbanes-Oxley control framework and empower management with tools to easily perform control assessments and testing. You’ll be able to manage issues and remediations as well as leverage third-party frameworks, including COSO and COBIT.
- Document management
- Issue creation and resolution management
- Associated data management (i.e. information about items such as controls and owners; these can be names, text, numbers, scores, cash values, dates and more)
- Testing module
- Multiple assessment options, including survey style and spreadsheet style
- User configurable reports
- Data import and export tools
- Notifications of tasks to perform, or changes to items related to your responsibilities
- Risk scoping, rating and scoring
- Roll-up scoring and reporting
HelpSystems aligns IT & business goals to help organizations build a competitive edge.
- Centralized security administration across your cloud, on-premises, or hybrid environment
- Consolidated compliance monitoring and reporting software for IBM i
- System access monitoring, tracking, and control software for IBM i
- Security policy and compliance management software
- Virus protection software for Linux, AIX, and IBM i servers
ManageEngine offers enterprise IT management software for your service management, operations management, Active Directory and security needs.
- User Logon and Logoff
- Logon Failure
- Audit Log Access
- Object Access
- System Events
- Successful or Unsuccessful User Account Validation
- Terminal Service Sessions
- Audit Policy Changes
- User Access
- User and Computer Account Changes
- User Group Changes
- and More.
Stanislav Krotov is a technical writer with a passion for writing on emerging technologies in the areas of mobile application development and IoT technology. (Moscow State University of M.V. Lomonosov)