SOX Compliance – A Continuing Challenge
May 31st, 2016 by aperio

SOX Compliance in Recent News

Although the Sarbanes-Oxley Act has been around since 2002, compliance remains a challenge. In a recent example, a Forbes article from this month explores reasons for Plantronics’ under-performance in the stock market and brings up concerns that Plantronics may be facing a Sarbanes-Oxley violation. The article mentions that the senior vice president of sales at Plantronics, “…was instructing employees who worked under him to delete e-mails that were clearly relevant and responsive to pending discovery having to do with the distributors that are at issue in this case.”

In our last several posts we’ve focused on HIPAA compliance. But of course HIPAA is only one of several areas companies need to keep in mind when it comes to compliance issues. Here’s a quick refresher on the Sarbanes-Oxley Act.

Intent of the Sarbanes-Oxley Act

The intent of the Sarbanes-Oxley Act (also known as Sarbox or SOX) was to protect investors by improving the reliability and accuracy of corporate disclosures. It was enacted in 2002 and, while it applies primarily to public companies, the act also contains provisions for private companies. Those provisions have to do with the willful destruction of evidence to impede a Federal investigation.

A major feature of the SOX Act is that it is designed to specify financial reporting responsibilities. This means that it should no longer be possible for CEOs and CFOs to claim that ignorance of financial issues means that they should not be held accountable for the accuracy of financial statements.

As a result of the SOX Act, leaders of an organization are held legally responsible for SOX compliance, facing possible monetary fines and imprisonment (up to twenty years) for failure to comply. Thus, even if a company’s IT department prepares SOX audit statements, those statements will need to be certified by the CEO.

What are some of the ways SOX Compliance has affected companies since SOX was enacted?

  • Stronger audit committees at public companies, because the act requires audit committee members to be independent of top management.
  • Increased costs, especially due to Section 404 of the act. This section requires extensive internal control tests and reporting. As a result of these costs, many companies have seen a need to focus on making their financial reporting more efficient.
  • Strengthened public disclosure requirements.
  • Stricter penalties for obstructing justice and for securities fraud.

What are the main IT concerns regarding SOX Compliance?

Most aspects of IT are affected by SOX compliance. SOX regulations mean that audit trails must be retained and auditable for five years. Any IT operation that involves financial data or activity may be affected. All forms of communication regarding finance and accounting must be tracked and archived in case of compliance audits.

What kinds of information does IT need to store with regard to SOX compliance, and how?

Generally speaking, all emails, spreadsheets, and documents used to arrive at final financial conclusions. For a more complete breakdown, see our post “What Does Your IT Team Need to Know about SOX Compliance.”

Learn more about the SOX Act:

Our previous posts regarding SOX Compliance:

What Does Your IT Team Need to Know About SOX Compliance?
Nov 23rd, 2015 by aperio

(Part 2 in our series on IT Compliance Concerns.)

In Part 1 of our series, we discussed how the Sarbanes-Oxley (Sarbox or SOX) Act was created in response to financial and accounting fraud including the Enron, Worldcom, and Tyco scandals; who SOX compliance affects; and the possible benefits to non-public companies working toward becoming SOX compliant. In this part, our focus is on SOX compliance and the concerns it raises for Information Technology managers and their departments.

What are the primary Information Technology concerns for SOX compliance?

Sarbanes-Oxley compliance focuses on the retention of audit trails, generally in the form of log files and electronic records that contain, relate to, or comment on financial data. (These records often relate to the generation of financial statements that will be submitted to shareholders and the SEC.) According to SOX regulations, these audit trails may not be destroyed, altered, or falsified, and must be retained and auditable for five years. Sarbanes-Oxley regulations define which records to store and how long to store them.

This means that almost every aspect of IT operations will be affected. Messaging, storage, virtualization, networking, and more can all be involved as long as they relate to any financial data or activity. Additionally, new platforms for communication such as blogs, wikis, social media, and more, lead to new compliance concerns. If communication pertains to finance and accounting, IT professionals must track and archive it in order to be prepared for compliance audits.

This is a sharp contrast to the past, where an IT department’s major focus was usually on being able to restore failed systems. Now, with the additional regulatory requirements of the Sarbanes-Oxley Act, IT’s focus must also include data retention and accessibility in the event of an investigation.

What kinds of information does IT need to store with regard to SOX compliance, and how?

In general, spreadsheets, documents, and emails used to arrive at final financial conclusions. Electronic media, which can include CD-ROMs and cartridge tapes, are the preferred storage methods. Just some of the additional data IT needs to store according to SOX data retention regulations includes:

● Three years - Employment applications, general correspondence, credit card receipts, and employment records.

● Five years - Customer invoices, vendor invoices, purchase orders, sales records, state unemployment tax records, accident records and workers’ unemployment records, and salary records.

● Seven years - Accounts payable ledger, accounts receivable ledger, time cards, product inventory, payroll and payroll tax records, tax returns, sales tax information and returns, business expense records, bank statements, earning records. Public companies and registered public accounting firms must also maintain audit work papers for seven years, and employee promotion, demotion, or discharge records must be retained for seven years after employment is terminated.

● Permanent retention - Bank statements, contracts and leases, employee payroll records, legal correspondence, training manuals, union agreements, Articles of Incorporation, executive/board policies and resolutions, bylaws, chapter charter, state sales returns, financial statements, depreciation schedules, check registers, payroll registers, employment and termination agreements, and insurance policies.

Do non-public companies also need to be concerned with SOX compliance?

While the Sarbanes-Oxley Act applies primarily to publicly listed companies, Section 802 of the act states that private companies can be faced with fines, and their executives with up to twenty years of imprisonment, for the knowing destruction, alteration, or falsification of records with the intent to impede or influence a federal investigation.

Further, if you do business with a public company, you may have found that some of these companies require their vendors to become SOX compliant.

Finally, there are advantages for private companies in becoming SOX compliant. Adopting SOX-compliance controls and procedures can improve your organization’s overall IT security program. And working toward SOX compliance can also help an organization make headway in other areas such as PCI DSS compliance (which we will discuss later in our series on IT compliance concerns).

Coming soon: Part 3 in our series on IT Compliance Concerns, “Your Company and HIPAA Compliance.”

To read more about SOX:

● For up-to-date information on the Sarbanes-Oxley Act, you can check the Securities and Exchange Commission’s (SEC’s) website.

● You can also learn more about Information Technology concerns created by the Sarbanes-Oxley Act in TechTarget’s e-handbook, The SOX Effect.

Making Sure Your Business Is SOX Compliant
Nov 18th, 2015 by aperio

(Part 1 in our series on IT Compliance Concerns.)

What is the Sarbanes-Oxley (SOX) Act?

The Sarbanes-Oxley Act of 2002 is a federal law that set both new and expanded requirements for public company boards, management, and public accounting firms in the U.S. It is more commonly known as Sarbox, or SOX. This act also contains some provisions for private companies, such as those concerning the willful destruction of evidence to impede a Federal investigation.

The Sarbanes-Oxley Act was a reaction to corporate and accounting scandals including Enron, Worldcom, and Tyco. Some of the factors that made these scandals possible, and that the act attempts to prevent, include auditor conflicts of interest; boardroom failures such as failure to establish effective oversight mechanisms for financial reporting; conflicts of interest among securities analysts; and more.

Who is affected by SOX compliance?

Ultimately, responsibility for SOX compliance rests squarely on the shoulders of the leaders of an organization rather than on the IT department. This means that although the IT department may prepare SOX audit statements, it will be the C-level executives of a company that face fines and possible imprisonment if penalties are assessed. SOX audit statements must be certified by the CEO of a corporate entity, reflecting this responsibility.

Section 802 of the Sarbanes-Oxley Act describes penalties for infractions:

Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.

For example, in one of the first fines levied under the Sarbanes-Oxley Act, CEO Calixto Chaves of Rica Foods, Inc., agreed to pay $25,000 in regard to charges that company officials certified the accuracy of the company’s annual financial statement, while knowing that these statements did not include the required independent audit report.

Are there advantages to becoming SOX compliant for non-public companies?

According to TechTarget’s e-handbook, The SOX Effect, “Adopting SOX-compliance controls and procedures can improve your organization’s overall IT security program, even if your company is not a publicly traded one typically targeted by SOX regulations.” SOX compliance is not particularly concerned with ensuring the security of data or systems. Rather, it focuses on best practices for keeping track of who has access to financial data, where that data came from, and keeping track of whether that data gets changed. For instance, organizations that follow SOX best practices will perform more regular reviews of user accounts and privileges related to finance systems and data. While this certainly can require additional IT resources, it can pay off in fewer costly security incidents. Working toward SOX compliance can also help an organization make headway in other areas such as PCI DSS compliance (which we will discuss later in our series on IT compliance concerns).

Coming soon: Part 2 in our series on IT Compliance Concerns, “What Does My IT Team Need to Know About SOX Compliance?”

To read more about SOX:

● For up-to-date information on the Sarbanes-Oxley Act, you can check the Securities and Exchange Commission’s (SEC’s) website.

● You can also learn more about Information Technology concerns created by the Sarbanes-Oxley Act in TechTarget’s e-handbook, The SOX Effect.
