Created in the wake of the financial scandals of the early 2000s, the Sarbanes-Oxley Act of 2002 (SOX) was the federal government’s attempt to keep public companies honest about their financial status — to investors, employees, and the public. But while Enron and Tyco grabbed the headlines, mega-corporations aren’t the only companies that must comply with SOX.
Any public company — or, crucially, any company intending to go public — must comply.
In the race to generate value, many startups set their sights on an initial public offering (IPO). Others hope to be acquired by a larger company. In the first case, SOX compliance will be mandatory. In the second, it can increase your company’s value in the eyes of potential buyers.
Even if your company plans to remain private, you may find that SOX’s transparency requirements are just a good idea. By operating with openness and accuracy about your company’s financial health, you’ll gain the confidence of customers and make it easier for others to do business with you.
SOX Compliance for Newbies
A couple of years ago, a life sciences company based in Massachusetts asked us for help. The company was planning an IPO, but it was small and lacked an IT department. They told us:
“We’re all finance guys, so we understand the finance side of SOX compliance, but we didn’t know where to start when it came to the IT side.”
This is the predicament in which countless startups find themselves as they contemplate going public. What does SOX compliance mean for IT and how do you go about achieving it?
Here, we’ll answer some of your questions.
What Does SOX Require?
The complete Sarbanes-Oxley Act is over 30,000 words long. Included in its 11 sections are protections for whistleblowers, requirements for CFOs, CEOs, and corporate boards, and audit procedures. Most relevant for IT departments, however, are the regulations about generating and archiving accurate business records.
The federal government wants public companies to be auditable on a moment’s notice. That means that all your company’s financial records — including electronic records and communications, on- and off-premises — need to be retained securely in unaltered form for at least five years, providing an audit trail for your financial statements. Furthermore, the records should be accessible by auditors on demand.
According to SOX, your company’s CEO and CFO are on the hook for compliance. They must certify that your company has the appropriate internal controls in place and has documented any relevant changes or deficiencies.
What Is the Penalty for Noncompliance?
If your company fails to comply with SOX, it could face stiff fines. Executives could go to prison. Deliberate noncompliance, in particular, is no laughing matter:
“Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.”
What Does SOX Say Specifically About IT?
One of the most challenging aspects of SOX for IT departments is that, although compliance requires a massive effort to secure and control access to records, SOX doesn’t actually say anything about how to do that.
In other words, you need internal controls. Which controls? That’s open to interpretation.
Lacking specifics, many IT departments turn to established frameworks such as Control Objectives for Information and Related Technology (COBIT). However, making your way through the steps of an existing framework like COBIT can be overwhelming, especially if your company has a small (or no) IT department.
Who Can Help With SOX Compliance?
From an IT perspective, SOX compliance requires:
- Data security. To ensure your financial records are reliable, you need to keep them out of the hands of anyone who may alter them. That means strict access control and tracking of all modifications. As companies move more and more data to the cloud and more work to collaboration platforms, this level of security becomes more complicated. In case cloud services are compromised, you need local backups or copies of the data files.
- The right compliance software. Since SOX became law 15 years ago, an entire industry of automated compliance software has sprung up. These tools help companies organize their compliance efforts, track changes, and generate reports. But which software is best for your company and how will you configure it?
- IT policies. Hardware and software controls can only do so much to keep your records safe. Employee misuse of data and sloppy security habits have contributed to some of the biggest data breaches in history. A comprehensive set of IT policies will control the human factor in data security.
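The retention requirement above ("retained securely in unaltered form... providing an audit trail") and the data security bullet ("tracking of all modifications") describe a goal without a mechanism. As an added illustration, not code from the original post or from Data Evolution, the script below keeps a hash-chained, append-only audit trail of changes to financial records: every entry commits to the previous one, so a later alteration or deletion of any entry is detected when the chain is verified. The role map, actors, record IDs, timestamps and journal entries are constructed for the example, and the function names are hypothetical.

```python
"""Tamper-evident audit trail for financial records (added example).

Each change to a record is appended to a hash-chained ledger. Altering or
deleting an earlier entry breaks the chain and is reported by verify_chain().
The role policy, actors, record IDs and timestamps below are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical access policy: which roles may record which actions.
# Auditors read the ledger but never write to it.
AUTHORIZED_ROLES = {
    "controller": {"create", "update"},
    "auditor": set(),
}

GENESIS_HASH = "0" * 64  # prev_hash of the very first entry


@dataclass
class LedgerEntry:
    seq: int
    timestamp: str        # ISO-8601; supplied by the caller so the example is deterministic
    actor: str
    role: str
    action: str
    record_id: str
    content_hash: str     # SHA-256 of the record content as stored
    prev_hash: str
    entry_hash: str = field(default="")

    def canonical(self) -> str:
        # Serialize every field except entry_hash in a fixed key order
        payload = {k: v for k, v in self.__dict__.items() if k != "entry_hash"}
        return json.dumps(payload, sort_keys=True, separators=(",", ":"))


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def append_entry(ledger: List[LedgerEntry], timestamp: str, actor: str, role: str,
                 action: str, record_id: str, content: str) -> LedgerEntry:
    """Append one change event; refuses actors whose role lacks the action."""
    if action not in AUTHORIZED_ROLES.get(role, set()):
        raise PermissionError(f"{actor} ({role}) may not {action} {record_id}")
    prev_hash = ledger[-1].entry_hash if ledger else GENESIS_HASH
    entry = LedgerEntry(seq=len(ledger), timestamp=timestamp, actor=actor, role=role,
                        action=action, record_id=record_id,
                        content_hash=sha256_hex(content), prev_hash=prev_hash)
    entry.entry_hash = sha256_hex(entry.canonical())
    ledger.append(entry)
    return entry


def verify_chain(ledger: List[LedgerEntry]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, seq of the first bad entry)."""
    expected_prev = GENESIS_HASH
    for i, entry in enumerate(ledger):
        if entry.seq != i or entry.prev_hash != expected_prev:
            return False, i  # gap, reordering or deletion
        if sha256_hex(entry.canonical()) != entry.entry_hash:
            return False, i  # entry contents changed after it was written
        expected_prev = entry.entry_hash
    return True, None


def build_sample_ledger() -> List[LedgerEntry]:
    """Three constructed journal-entry events recorded by authorized staff."""
    ledger: List[LedgerEntry] = []
    append_entry(ledger, "2023-01-05T09:00:00Z", "alice", "controller", "create",
                 "JE-1001", "Q4 accrual: 12,500.00")
    append_entry(ledger, "2023-01-06T14:30:00Z", "alice", "controller", "update",
                 "JE-1001", "Q4 accrual: 12,750.00")
    append_entry(ledger, "2023-01-07T10:15:00Z", "bob", "controller", "create",
                 "JE-1002", "Vendor payment: 3,200.00")
    return ledger


def tamper_demo() -> Tuple[bool, Optional[int]]:
    """Someone quietly rewrites the stored content of entry 1 after the fact."""
    ledger = build_sample_ledger()
    ledger[1].content_hash = sha256_hex("Q4 accrual: 1,275.00")
    return verify_chain(ledger)


def deletion_demo() -> Tuple[bool, Optional[int]]:
    """Entry 1 is removed from the ledger; the sequence gap is detected."""
    ledger = build_sample_ledger()
    del ledger[1]
    return verify_chain(ledger)


def auditor_write_attempt() -> bool:
    """Auditors are read-only; return True if the write was refused and nothing was added."""
    ledger = build_sample_ledger()
    try:
        append_entry(ledger, "2023-01-08T08:00:00Z", "carol", "auditor", "update",
                     "JE-1001", "Q4 accrual: 0.00")
    except PermissionError:
        return len(ledger) == 3
    return False


if __name__ == "__main__":
    print("intact ledger:", verify_chain(build_sample_ledger()))
    print("after tampering:", tamper_demo())
    print("after deletion:", deletion_demo())
    print("auditor write refused:", auditor_write_attempt())
```

A hash chain only proves that the ledger matches whatever head hash you trust, so the latest entry hash must be recorded somewhere the people who can write to the ledger cannot reach (an offline copy, the local backups the bullet above calls for, or a write-once store); otherwise an actor with write access could simply rebuild the whole chain. The role check is the access control half of the same bullet: the ledger records who changed what, and the policy decides who is allowed to.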
As your company grows, regardless of your compliance obligations, you’ll want to adopt more stringent security practices to protect your data. But not every company will have the people and expertise on hand to design and implement complex, SOX-compliant internal controls.
That’s why many seek help from outsourced IT experts.
In the case of the life sciences company we mentioned earlier, we started by asking questions:
- Where is your financial information located? Is it hosted or on-premises?
- How do users log in?
- Is it federated and tied into the directory structure?
- Who has access and what is the approval chain for granting access?
- What if an employee leaves? Do you have a plan for terminating access?
- What do you do if an employee’s laptop is lost or stolen?
From there, we were able to build an IT system equipped with the access controls, logging, policies, and other security features our client needed to go public with confidence.
Is your outsourced IT provider asking the right questions to ensure your SOX compliance? If your company is planning an IPO, start the compliance conversation by contacting an IT expert like Data Evolution.