The Sarbanes-Oxley Act, also known as the Public Company Accounting Reform and Investor Protection Act and commonly referred to as SOX or Sarbox, is a United States federal law enacted on July 30, 2002.
Between 2000 and 2002 there was a series of large corporate frauds and accounting scandals, including those at Enron, Tyco International, Peregrine Systems, and WorldCom. These and other scandals wiped out more than $500 billion in market value and caused a collapse of public trust in corporate accounting and reporting practices.
The SOX Act was passed in 2002 in response to the root causes that the analysis of these scandals identified.
Note
The information in the SOX Act sections to follow is compiled from "Compliance and Risk Management: SOX" at http://www.cisco.com/en/US/netsol/ns625/net_value_proposition0900aecd80380886.html.
The SOX Act directly affects the executives of publicly listed companies, who are held personally responsible for establishing, evaluating, and monitoring the effectiveness of internal controls over their financial reporting.
The SOX Act applies to any company that is publicly traded in the United States, including all of its divisions and wholly owned subsidiaries.
The SOX Act also applies to non-U.S. companies whose securities are registered with the SEC, for example multinationals listed on a U.S. exchange; merely doing business in the United States does not by itself bring a foreign company into scope.
The major focus of the SOX Act is to ensure the accuracy of financial records and controls around these records related to income, expenses, accounting, and liabilities.
The SOX Act contains 11 titles dictating specific mandates and requirements for financial reporting. Each title consists of several numbered sections (Section 302 and Section 404, for example, are referred to by section number throughout this chapter).
Table 25-3 provides a comprehensive summary of these 11 titles of the SOX Act.
Tip
The complete and actual table of contents from the SOX Act report issued in the U.S. House of Representatives on July 24, 2002, can be found at http://www.sarbanes-oxley-101.com/sarbanes-oxley-TOC.htm.
The SOX Act does not explicitly mandate information security requirements. However, security has emerged as a key component of SOX compliance, because the controls the Act does mandate depend on the systems that generate and hold financial data.
For example, Title I (listed in Table 25-3) establishes the Public Company Accounting Oversight Board (PCAOB) to provide independent oversight of the public accounting firms that audit public companies; the PCAOB is charged with registering, regulating, inspecting, and disciplining those firms. The PCAOB's Auditing Standard No. 2 (AS2), issued under this authority, is what made network security a fundamental component of SOX compliance.
AS2 states that senior management is responsible not only for financial information but also for the way that information is generated, accessed, collected, stored, processed, and transmitted, which brings the network and the network security domain squarely into the scope of an audit. (AS2 was superseded in 2007 by Auditing Standard No. 5, which keeps the same focus on controls over financial reporting but takes a more risk-based, top-down approach; the security implications are unchanged.)
Another example is Section 404 in Title IV. Many organizations consider Section 404 the most demanding part of SOX: management must assess and report annually on the effectiveness of its internal controls over financial reporting, an independent accountant must attest to that report, and the assessment must be revisited quarterly to capture updates and changes. Each cycle requires producing a new report that validates the controls over the financial reporting process. Because of Section 404, many organizations invest heavily in the network and security infrastructure that ensures the confidentiality, integrity, and availability of the systems holding financial data.
In addition, the SOX Act also covers issues such as auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure.
From a compliance standpoint, the following sections matter most:
Section 302 requires the CEO and CFO to personally certify that the financial reports are true and accurate and that adequate controls exist over financial reporting and disclosure.
Section 404 covers those controls in detail: management must assess and report annually on their effectiveness, and the outside auditor must attest to management's assessment.
Section 409 requires prompt (real-time) disclosure of any change in financial condition or operations that might be material to investors.
Section 802 requires auditors to retain audit work papers and related records for seven years (the statute itself says five years; the SEC's implementing rule, Regulation S-X Rule 2-06, extends it to seven) and makes knowingly destroying, altering, or falsifying records to obstruct an investigation a felony.
An internationally recognized controls-based framework, such as ISO/IEC 27002 (formerly ISO/IEC 17799), coupled with a process-based IT governance framework, such as COBIT, gives an organization a comprehensive best-practices foundation on which SOX compliance can be built. Neither framework is mandated by SOX; they are simply the common way to demonstrate that IT general controls are in place.
Many other countries have enacted their own versions of the SOX Act, reflecting similar requirements and mandates. Examples include the following:
J-SOX: Japanese version of the SOX Act
CLERP 9: Australian corporate reporting and disclosure law
LSF ("Loi sur la Sécurité Financière"): French version of the SOX Act
L262/2005 ("Disposizioni per la tutela del risparmio e la disciplina dei mercati finanziari"): Italian version of the SOX Act
To ensure compliance, the SOX Act contains both criminal and civil penalties for violations.
Penalties for noncompliance are significant. Under Section 906, an officer who certifies a periodic financial report knowing that it does not comply with the Act faces a fine of up to $1,000,000 and up to 10 years in prison.
Willfully certifying a report known to be false raises that to a fine of up to $5,000,000 and up to 20 years in prison. Section 802 separately provides up to 20 years in prison for destroying, altering, or falsifying records to obstruct a federal investigation.
These penalties ensure that publicly traded companies treat regulatory compliance as a top priority.
The Securities and Exchange Commission (SEC) is charged with implementing and enforcing the SOX Act; the PCAOB oversees the auditing firms, and the criminal provisions are prosecuted by the U.S. Department of Justice.
Table 25-4 lists the Cisco products and solutions that help address the SOX requirements.

Requirement | Cisco Solutions
---|---
Intrusion Detection and Prevention | 
Logging, Authentication, Access Control | 
Antivirus Policy | 
Remote-Access Policy | 
Configuration Policy | 
Vulnerability Assessment | 
In summary, publicly listed companies need a systematic, collaborative, and adaptive approach to security governance: one that manages information security as an ongoing program and, at the same time, produces the evidence needed to meet SOX compliance requirements.
For more details about SOX, refer to the following documentation URLs:
http://www.sarbanes-oxley-forum.com/
http://www.wikipedia.org/wiki/SOX
http://www.whitehouse.gov/news/releases/2002/07/20020730.html
Tip
The actual text of the law can be downloaded in PDF format from the following URL: http://www.sec.gov/about/laws/soa2002.pdf.