The Sarbanes-Oxley Act (sometimes referred to as the SOA, Sarbox, or SOX) is a U.S. law to protect investors by preventing fraudulent accounting and financial practices at publicly traded companies. Passed in 2002 in the wake of a series of corporate scandals and the bursting of the dot-com bubble, Sarbanes-Oxley imposed a number of reporting, accounting, and data retention mandates to ensure that business practices at big companies remain above board.
While many Sarbanes-Oxley provisions center on financial and accounting matters, proper treatment of corporate data is the cornerstone of many aspects of how the law works—and that has a huge impact on IT, which we’ll focus on in this article.
The Sarbanes-Oxley Act is a product of a series of scandals that took place around the turn of the millennium. Several publicly traded companies—Enron and WorldCom were two of the most prominent—used accounting trickery, shell corporations, and other fraudulent techniques to hide business losses from the public and keep stock prices artificially high. Executives and board members used this deception to enrich themselves, cashing out and leaving investors (and, in Enron’s case, employees who had been urged to put their retirement into company stock) holding the bag when the deception could no longer be maintained and the stock price collapsed.
These scandals unwound around the same time dot-com stock prices collapsed, and while none of those early-stage internet companies perpetrated fraud on quite such a scale as Enron, many people believed that they had inflated reports of their earning potential in advance of initially lucrative IPOs, essentially enriching company founders at the expense of investors.
The Sarbanes-Oxley Act imposed a heavy regulatory burden in an attempt to prevent these kinds of abuses from happening again. The law aims to improve corporate behavior by making sure companies produce and retain accurate data about their own finances, and that they are able to make that data available to investors and regulators in near-real time. For IT, that means huge amounts of corporate data have to be kept meticulously accurate and absolutely safe—from both internal and external threats—and have to be available to auditors and investors on short notice.
A few provisions of Sarbanes-Oxley apply to privately held companies—the law forbids such companies from destroying records to impede a federal agency’s investigation, for instance, or from retaliating against whistleblowers. However, by and large the provisions of the law we’ll be discussing here apply to companies whose shares are traded on public stock exchanges, or that are putting together an IPO to go public. The data transparency that the law mandates is meant to protect investors or potential investors from misjudging a company’s finances due to manipulation by insiders.
The provisions of the Sarbanes-Oxley Act are broken down into numbered sections. Let’s take a look at the sections of most interest in terms of IT and data security:
Of these sections, 404 is considered the most complex and most onerous. Not only must elaborate technical systems be set up to maintain data integrity and protection, but company management and outside auditors must regularly assess and document the effectiveness of those systems.
Those are a lot of provisions to digest, and you’ll need to dig deep into the specific mandates they impose. But here is a high-level summary of what the law requires that’s worth keeping in mind as a 10,000-foot view:
All applicable companies must establish a financial accounting framework that can generate financial reports that are readily verifiable with traceable source data. This source data must remain intact and cannot undergo undocumented revisions. In addition, any revisions to financial or accounting software must be fully documented as to what was changed, why, by whom and when. [Source: Sarbanes Oxley 101]
You’ll recognize elements here of the CIA triad and its variants. In particular, data integrity must be protected, data must be available to those who need it, and non-repudiation must be enforced to ensure that it’s possible to know who created or altered data.
The means by which Sarbanes-Oxley requirements are implemented within an organization are referred to as controls. A control in this context is an internal rule intended to prevent or detect errors or malfeasance within a cycle of financial reporting.
Sarbanes-Oxley mandates that controls be implemented across a company. The Varonis blog gives some specific examples of the kinds of rules that would be investigated as part of a Sarbanes-Oxley audit procedure:
You’ll notice that these controls are described in abstract ways. In general, controls are spelled out in terms of what they do (or prevent), and it’s up to IT to figure out how to implement them. For instance, the rules on electronic access may identify the job titles whose holders are allowed to modify a company’s internal financial data, but it will be up to the company’s IT department to make sure the correct individuals have the proper permissions on the relevant systems to do so (or be prevented from doing so).
This obviously makes for a lot of work, and has perhaps unsurprisingly created a cottage industry of software packages prewritten to help implement standardized Sarbanes-Oxley controls.
Sarbanes-Oxley compliance, then, consists of conforming your company’s procedures to all these mandates by taking the following steps, as summed up in the Varonis blog:
All of this takes a lot of work on the part of companies, and many look for help doing it. One organization that offers resources is the Committee of Sponsoring Organizations of the Treadway Commission, or COSO. Formed in 1985 to help fight corporate fraud, COSO has for years maintained a framework for internal controls that companies can follow in order to implement best anti-fraud practices. The most recent revision, which dates from 2013, specifically outlines how it can help you achieve Sarbanes-Oxley compliance.
Exabeam has a great seven-point high-level Sarbanes-Oxley compliance checklist that gives you a quick sense of everything you’ll need to cover:
RSI security has a more in-depth look at what you need to do when facing a Sarbanes-Oxley compliance audit that has lots of great details.
Sarbanes-Oxley penalties can be quite serious—and, importantly, they apply to individuals in positions of power at companies directly, not just the companies as institutions. While corporate officers who mistakenly sign off on erroneous reports can be punished for it, the worst treatment is reserved for deliberate fraud. For instance, a CEO or CFO who knowingly certifies a report that violates the Act can be fined up to $5 million or sent to prison for up to 20 years.
There are definitely occasions when the U.S. federal government uses the weapons that Sarbanes-Oxley provides. For instance, in 2003, not long after the law was passed, employees from Ernst & Young were arrested for destroying documents pertaining to one of their clients. In 2014, the FEC brought charges against the CEO and CFO of a Florida computer company for misleading auditors about the state of their internal controls.
But in practice, some view Sarbanes-Oxley as a missed opportunity when it comes to prosecuting corporate fraud. Even when financial reports can be shown to be fraudulent, it can be difficult to prove that CEOs and CFOs knew about the fraud when they signed off on the reports—and if prosecutors do have strong evidence of this, they almost always can use the evidence to file even tougher fraud charges that aren’t part of the Sarbanes-Oxley suite of options. Still, law professor Peter Henning says that the law has had a positive effect as a deterrent: it’s established that “accounting shenanigans aren’t going to be tolerated anymore.” Hopefully that makes you feel like the struggle for certification is worth it.