SOX (Sarbanes-Oxley) Compliance Requirements

SOX sets data protection standards for all US public company boards, management and accounting firms.

Does my organization need to be SOX compliant?

Since modern accounting systems are computer based, accurate financial reporting depends on reliable and secure computing environments. Since the implementation of the SOX Act of 2002, the responsibility for organizations to accurately report and protect company data lands on the shoulders of senior management, including the potential for personal liability for CEOs and CFOs. The stated goal of SOX: “To protect investors by improving the accuracy and reliability of corporate disclosures.”

What to know about the SOX Act:

For IT managers and executives setting out high-level data security goals, compliance with SOX is an important ongoing concern. Viewed this way, SOX regulations can be extremely beneficial: they impose discipline on financial reporting controls and remove the threat of fines and other penalties. By becoming SOX compliant, smart companies use SOX as a framework for:

  • auditing existing IT inefficiencies
  • streamlining the auditing processes to increase productivity at reduced costs
  • responding most effectively in the event of a breach

Third-party compliance experts like MDS, or internal IT professionals, need to understand and comply with SOX, often within a short time frame and with a limited budget. MDS can assist in the creation of realistic compliance strategies that address the specific, necessary guidelines for SOX security protection requirements:

  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
  • Organizational Requirements, Policies & Procedures

A SOX compliance audit of a company’s internal controls must be performed by an independent auditor once per year.

What You Need to Do - and How MDS Can Help:

The first thing to do when preparing your organization for SOX compliance is to understand which sections of the act have clear implications for data management, reporting and security, and what MDS can do to make you compliant. The SOX audit is broken down into 11 sections, but six of those sections take precedence over the others. The critical sections (302, 401, 404, 409 and 802) are broken down below.

Section 302 - Disclosure Controls

The report from this section must verify:

  • The signing officers have reviewed the report.
  • The report does not contain any material untrue statements or omissions.
  • The financial statements accurately portray the company’s financial condition.
  • The signing officers are responsible for internal controls, have assessed those controls within the past 90 days, and have provided a report of their findings.
  • There is a list of any and all deficiencies in the internal controls, as well as information regarding any fraud that concerns employees involved with internal activities.
  • Significant changes related to internal controls that could have a negative impact are disclosed.

Section 401 - Disclosures in Periodic Reports

This section requires that financial statements be accurate and presented in a way that does not contain any incorrect statements. The financial statements in periodic reports must also include all material off-balance-sheet transactions, obligations and liabilities that may serve to make the company’s financial position appear more favorable to investors than is true.

Section 404 - Management Assessment of Internal Controls

Here, issuers must publish information in their annual reports regarding the scope and adequacy of the internal control structure and procedures for financial reporting. This statement must also contain the assessment of effectiveness of internal controls and procedures.

In the SOX report, the engaged and registered accounting firm shall attest to and report on management’s assessment of the effectiveness of the internal control structure and procedures for financial reporting.

Section 409 - Real Time Issuer Disclosures

Issuers must disclose any information or material changes in their financial condition or operations to the public, on an urgent basis.

Section 802 - Criminal Penalties for Altering Documents

The fines and penalties are laid out in Section 802. Non-compliance, or inadequate compliance, can result in fines and/or imprisonment of up to 20 years for activities that include altering, destroying, mutilating, concealing or falsifying documents, records or objects with the intent to impede, obstruct or influence a legal investigation.

Section 802 also provides for fines and imprisonment of up to 10 years for any accountant who knowingly and willfully violates the requirements for retaining audit and review workpapers over the course of their five years as lead auditor or reviewing auditor for a client.

Which Regulations Matter to You?

The certified professionals at MDS will help you determine which regulations your organization needs to meet.