SOX Compliance

Overview

  • Section 404 of SOX requires two things of public companies.
    • Section 404(a) requires that they assess and document, in an annual report, the effectiveness of their internal controls over financial reporting.
    • Section 404(b) requires that the report also include an attestation from an independent auditor that the controls are effective. Companies with a market capitalization of less than $75 million are exempt from this requirement.

Because Section 404 is short and broadly written, it has been criticized as being open to interpretation, thus resulting in onerous costs on companies, especially smaller businesses. In 2007, a series of reforms were enacted to respond to these complaints.

Most notably, the U.S. Securities and Exchange Commission (SEC) issued voluntary guidance, aligned with the Public Company Accounting Oversight Board’s Auditing Standard No. 5, to help companies conduct more streamlined assessments and scale audits to the size of their organization. A 2009 study from the SEC determined that Section 404 compliance costs diminished after the reforms.

Studies have shown that compliance with Section 404 reduces the likelihood of financial misstatements. On a broader security level, it forces companies to develop better operational awareness and corporate governance habits, and it also helps prepare them for other, more prescriptive regulations and requirements, such as the Payment Card Industry Data Security Standard (PCI DSS).

Consequences

  • Since SOX was enacted, enforcement has been on the rise, although no chief officer has gone to prison. SEC enforcement actions are continuing, and settlements have increased steeply, reaching 714 in fiscal year 2012, the highest number since 2007. Meanwhile, median settlement values for individuals have more than doubled since 2009 and reached a post-SOX high of $221,000 in fiscal year 2012.
  • Penalties for non-compliance with SOX can be harsh. CEOs or CFOs who submit inaccurate certifications face up to 10 years in prison and a $1 million fine, while corporate officers who purposefully submit wrong certifications face up to 20 years in prison and fines of up to $5 million.

Meanwhile, the Public Company Accounting Oversight Board (PCAOB), which was created under SOX and is controlled by the SEC, oversees the audits of public companies. The nonprofit is empowered to investigate and discipline public accounting firms. A failed inspection could lead to civil penalties and/or the revocation of an accounting firm’s registration.

Solutions

  • GTIS provides a comprehensive portfolio that can help organizations of any size respond to SOX regulations.

Plan and Prepare

Conducting a risk assessment is the first step to identifying and implementing the safeguards necessary to meet compliance. GTIS helps you find gaps that may exist between your current security posture and SOX requirements. The customizable assessments, scaled individually for your organization, include identification of key assets and IT systems, assessment of controls and frameworks, and a review of third-party providers and incident response programs.

Assess Gaps and Vulnerabilities

SOX requires that publicly traded companies are able to attest to the effectiveness of their internal controls over financial reporting. Here are some of the ways we can help:

Data Loss Prevention

Allows you to discover and classify sensitive data and prevent it from leaving the network.

Intrusion Detection and Prevention

Strengthens your perimeter defenses to protect against attacks that threaten financial systems.

Network Access Control

Ensures managed and unmanaged devices connecting to the network comply with policies and do not introduce malware.

SIEM

Helps you gain broad visibility of threats to your network and improve your compliance process through logging, monitoring, and analysis of events.

Vulnerability Scanning

Identifies weaknesses in the systems supporting your financial controls before they are exploited by attackers.

SSL Certificates

Protects sensitive data being transmitted across web-enabled applications.