SOX (the Sarbanes-Oxley Act of 2002) sets financial reporting and internal-control standards for the boards, management and public accounting firms of all US public companies.
Does my organization need to be SOX compliant?
Since modern accounting systems are computer based, accurate financial reporting depends on reliable and secure computing environments. Since the SOX Act of 2002 took effect, the responsibility for an organization to accurately report and protect company data rests with senior management, including potential personal liability for the CEO and CFO. The stated goal of SOX: “To protect investors by improving the accuracy and reliability of corporate disclosures.”
What to know about the SOX Act:
For IT managers and executives setting out high-level data security goals, compliance with SOX is an important ongoing concern. With this in mind, SOX compliance does more than remove the threat of fines and other penalties. Smart companies use SOX as a framework for:
- streamlining the auditing process to increase productivity at reduced cost
- responding most effectively in the event of a breach
Third-party compliance experts like
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Organizational Requirements, Policies & Procedures
A SOX compliance audit of a company’s internal controls must be performed by an independent auditor once per year.
What You Need to Do - and How MDS Can Help:
The first thing to do when preparing your organization for SOX compliance is to understand which sections of the act have clear implications for data management, reporting and security, and what MDS can do to make you compliant. The Act is organized into 11 titles, but a handful of sections take precedence over the others for IT. The five critical sections, 302, 401, 404, 409 and 802, are broken down below.
Section 302 - Disclosure Controls
The report from this section must verify:
- The signing officers have reviewed the report.
- The report does not contain any material untrue statements or omissions.
- The financial statements accurately portray the company’s financial condition.
- The signing officers are responsible for internal controls, have assessed those controls within the past 90 days and have reported their conclusions.
- There is a list of any and all deficiencies in the internal controls, as well as any fraud, material or not, that involves employees with a role in those controls.
- Any significant changes to internal controls, including changes that could negatively affect them, are disclosed.
Section 401 - Disclosures in Periodic Reports
This section requires that financial statements be accurate and presented without any incorrect statements. The financial statements in periodic reports must also disclose all material off-balance-sheet transactions, obligations and liabilities that could make the company’s financial position appear more favorable to investors than it is.
Section 404 - Management Assessment of Internal Controls
Here, issuers must publish in their annual reports a statement on the scope and adequacy of their internal control structure and procedures for financial reporting. The statement must also contain management’s assessment of the effectiveness of those controls and procedures.
The registered public accounting firm engaged for the audit must attest to, and report on, management’s assessment of the effectiveness of the internal control structure and procedures for financial reporting.
Section 409 - Real Time Issuer Disclosures
Issuers must disclose to the public, on a rapid and current basis, any material changes in their financial condition or operations.
Section 802 - Criminal Penalties for Altering Documents
The fines and penalties are laid out in Section 802. Knowingly altering, destroying, mutilating, concealing, covering up or falsifying any record, document or tangible object with the intent to impede, obstruct or influence a federal investigation can result in fines and/or up to 20 years in prison.
Section 802 also requires any accountant who audits an issuer to retain all audit and review workpapers for five years from the end of the fiscal period in which the audit was concluded. An accountant who knowingly and willfully violates this retention requirement faces fines and/or up to 10 years of imprisonment.