What Does Your IT Team Need to Know About SOX Compliance?
(Part 2 in our series on IT Compliance Concerns.)
In Part 1 of our series, we discussed how the Sarbanes-Oxley (Sarbox or SOX) Act was created
in response to financial and accounting fraud including the Enron, WorldCom, and Tyco scandals;
who SOX compliance affects; and the possible benefits to nonpublic companies working toward
becoming SOX compliant. In this part, our focus is on SOX compliance and the concerns it raises
for Information Technology managers and their departments.
What are the primary Information Technology concerns for SOX compliance?
Sarbanes-Oxley compliance focuses on the retention of audit trails, generally in the form of log
files and electronic records that contain, relate to, or comment on financial data. (These records
often relate to the generation of financial statements that will be submitted to shareholders and
the SEC.) According to SOX regulations, these audit trails may not be destroyed, altered, or
falsified, and must be retained and auditable for five years. Sarbanes-Oxley regulations define
which records to store and how long to store them.
This means that almost every aspect of IT operations will be affected. Messaging, storage,
virtualization, networking, and more can all be involved as long as they relate to any financial data
or activity. Additionally, new platforms for communication such as blogs, wikis, social media, and
more, lead to new compliance concerns. If communication pertains to finance and accounting, IT
professionals must track and archive it in order to be prepared for compliance audits.
This is a sharp contrast to the past, where an IT department’s major focus was usually on being
able to restore failed systems. Now, with the additional regulatory requirements of the Sarbanes-Oxley
Act, IT’s focus must also include data retention and accessibility in the event of an
What kinds of information does IT need to store with regard to SOX compliance, and how?
In general, spreadsheets, documents, and emails used to arrive at final financial conclusions.
Electronic media, which can include CD-ROMs and cartridge tapes, are the preferred storage
methods. Just some of the additional data IT needs to store according to SOX data retention
● Three years: Employment applications, general correspondence, credit card receipts, and
● Five years: Customer invoices, vendor invoices, purchase orders, sales records, state
unemployment tax records, accident records and workers’ unemployment records, and
● Seven years: Accounts payable ledger, accounts receivable ledger, time cards, product
inventory, payroll and payroll tax records, tax returns, sales tax information and returns,
business expense records, bank statements, earnings records. Public companies and
registered public accounting firms must also maintain audit work papers for seven years,
and employee promotion, demotion, or discharge records must be retained for seven
years after employment is terminated.
● Permanent retention: Bank statements, contracts and leases, employee payroll records,
legal correspondence, training manuals, union agreements, Articles of Incorporation,
executive/board policies and resolutions, bylaws, chapter charter, state sales returns,
financial statements, depreciation schedules, check registers, payroll registers,
employment and termination agreements, and insurance policies.
Do nonpublic companies also need to be concerned with SOX compliance?
While the Sarbanes-Oxley Act applies primarily to publicly listed companies, Section 802 of the
act states that private companies can be faced with fines, and their executives with up to twenty
years of imprisonment, for the knowing destruction, alteration, or falsification of records with the
intent to impede or influence a federal investigation.
Further, if you do business with a public company, you may have found that some of these
companies require their vendors to become SOX compliant.
Finally, there are advantages for private companies in becoming SOX compliant. Adopting SOX
compliance controls and procedures can improve your organization’s overall IT security program.
Working toward SOX compliance can also help an organization make headway in other areas,
such as PCI DSS compliance (which we will discuss later in our series on IT compliance
Coming soon: Part 3 in our series on IT Compliance Concerns, “Your Company and HIPAA
To read more about SOX:
● For up-to-date information on the Sarbanes-Oxley Act, you can check the Securities and
Exchange Commission’s (SEC’s) website.
● You can also learn more about Information Technology concerns created by the
Sarbanes-Oxley Act in TechTarget’s e-handbook, The SOX Effect.