Making Sure Your Business Is SOX Compliant
(Part 1 in our series on IT Compliance Concerns.)
What is the Sarbanes-Oxley (SOX) Act?
The Sarbanes-Oxley Act of 2002 is a federal law that set both new and expanded requirements for public company boards, management, and public accounting firms in the U.S. It is more commonly known as Sarbox, or SOX. This act also contains some provisions for private companies, such as those concerning the willful destruction of evidence to impede a Federal
The Sarbanes-Oxley Act was a reaction to corporate and accounting scandals including Enron, WorldCom, and Tyco. Some of the factors that made these scandals possible, and that the act attempts to prevent, include auditor conflicts of interest; boardroom failures such as failure to establish effective oversight mechanisms for financial reporting; conflicts of interest among securities analysts; and more.
Who is affected by SOX compliance?
Ultimately, responsibility for SOX compliance rests squarely on the shoulders of the leaders of an organization rather than on the IT department. This means that although the IT department may prepare SOX audit statements, it is the C-level executives of a company who face fines and possible imprisonment if penalties are assessed. SOX audit statements must be certified by the CEO of a corporate entity, reflecting this responsibility.
Section 802 of the Sarbanes-Oxley Act describes penalties for infractions:
Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false
entry in any record, document, or tangible object with the intent to impede, obstruct, or influence
the investigation or proper administration of any matter within the jurisdiction of any department or
agency of the United States or any case filed under title 11, or in relation to or contemplation of
any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or
For example, in one of the first fines levied under the Sarbanes-Oxley Act, CEO Calixto Chaves of Rica Foods, Inc., agreed to pay $25,000 in regard to charges that company officials certified the accuracy of the company’s annual financial statement, while knowing that these statements did not include the required independent audit report.
Are there advantages to becoming SOX compliant for nonpublic companies?
According to TechTarget’s e-handbook, The SOX Effect, “Adopting SOX-compliance controls and procedures can improve your organization’s overall IT security program, even if your company is not a publicly traded one typically targeted by SOX regulations.” SOX compliance is not particularly concerned with ensuring the security of data or systems. Rather, it focuses on best practices for tracking who has access to financial data, where that data came from, and whether that data gets changed. For instance, organizations that follow SOX best practices will perform more regular reviews of user accounts and privileges related to finance systems and data. While this certainly can require additional IT resources, it can pay off in fewer costly security incidents. Working toward SOX compliance can also help an organization make headway in other areas such as PCI DSS compliance (which we will discuss later in our series on IT compliance concerns).
Coming soon: Part 2 in our series on IT Compliance Concerns, “What Does My IT Team Need to
Know About SOX Compliance?”
To read more about SOX:
● For up-to-date information on the Sarbanes-Oxley Act, you can check the Securities and Exchange Commission’s (SEC’s) website.
● You can also learn more about Information Technology concerns created by the Sarbanes-Oxley Act in TechTarget’s e-handbook, The SOX Effect.