
SOX—Sarbanes-Oxley Act

The Sarbanes-Oxley Act, also known as the Public Company Accounting Reform and Investor Protection Act and commonly referred to as SOX or Sarbox, is a United States federal law enacted in July 2002.

Between the years 2000 and 2002, there were a series of large corporate frauds and accounting scandals, including those affecting Enron, Tyco International, Peregrine Systems, and WorldCom. These scandals and others resulted in more than $500 billion in market value declines and disbelief of public trust in accounting and reporting practices.

The SOX Act was passed in 2002 as a result of the analysis and the root causes identified that contributed to these scandals.

Note

The information in the SOX Act sections to follow is compiled from "Compliance and Risk Management: SOX" at http://www.cisco.com/en/US/netsol/ns625/net_value_proposition0900aecd80380886.html.


Who Is Affected

The SOX Act directly affects corporate executives of a publicly listed company who are held responsible for establishing, evaluating, and monitoring the effectiveness of internal controls over their financial reporting.

The SOX Act applies to any organization that is publicly traded in the United States and requires compliance with SOX Act mandates, including all their divisions and wholly owned subsidiaries.

The SOX Act also applies to any non-U.S. public multinational company doing business in the United States.

SOX Act Requirements

The major focus of the SOX Act is to ensure the accuracy of financial records and controls around these records related to income, expenses, accounting, and liabilities.

The SOX Act contains 11 titles, or sections, dictating specific mandates and requirements for financial reporting. Each title consists of several sections.

Table 25-3 provides a comprehensive summary of these 11 titles of the SOX Act.

Table 25-3. SOX Act: 11 Titles

Title # | Title Name | Description
Title I | Public Company Accounting Oversight Board (PCAOB) | Requires establishing a Public Company Accounting Oversight Board (PCAOB) to provide independent oversight of public accounting firms providing audit services.
Title II | Auditor Independence | Consists of nine sections that establish standards for external auditor independence and limit conflicts of interest.
Title III | Corporate Responsibility | Mandates that senior executives take individual responsibility for the accuracy and completeness of corporate financial reports.
Title IV | Enhanced Financial Disclosures | Consists of nine sections. Describes enhanced reporting requirements for financial transactions, including off-balance-sheet transactions, pro-forma figures, and stock transactions of corporate officers.
Title V | Analyst Conflicts of Interest | Consists of only one section, which includes measures designed to help restore investor confidence in the reporting of securities analysts.
Title VI | Commission Resources and Authority | Consists of four sections that define practices to restore investor confidence in securities analysts.
Title VII | Studies and Reports | Consists of five sections. Sections 701 to 705 are concerned with conducting research to support enforcement actions against violations by Securities and Exchange Commission (SEC) registrants (companies) and auditors.
Title VIII | Corporate and Criminal Fraud Accountability | Consists of seven sections and is referred to as the Corporate and Criminal Fraud Act of 2002. Describes specific criminal penalties for fraud by manipulation, destruction, or alteration of financial records or other interference with investigations, while providing certain protections for whistleblowers.
Title IX | White Collar Crime Penalty Enhancement | Consists of two sections and is called the White Collar Crime Penalty Enhancement Act of 2002. This title increases the criminal penalties associated with white-collar crimes and conspiracies.
Title X | Corporate Tax Returns | Consists of only one section. Section 1001 states that the Chief Executive Officer should sign the company tax return.
Title XI | Corporate Fraud Accountability | Consists of seven sections. Section 1101 names this title the Corporate Fraud Accountability Act of 2002. This title also enables the Securities and Exchange Commission (SEC) to temporarily freeze large or unusual payments.


Tip

The complete and actual table of contents from the SOX Act report issued in the U.S. House of Representatives on July 24, 2002, can be found at http://www.sarbanes-oxley-101.com/sarbanes-oxley-TOC.htm.


The SOX Act does not specifically mandate information security requirements. However, security has emerged as a key component for SOX Act compliance.

For example, as part of the Title I requirements listed in Table 25-3, a Public Company Accounting Oversight Board (PCAOB) is established to provide independent oversight of public accounting firms providing audit services; the PCAOB is charged with overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies. Under the PCAOB's Auditing Standard 2, network security becomes a fundamental component of SOX compliance.

The Auditing Standard 2 states that senior management is responsible not only for financial information but also for the way that information is generated, accessed, collected, stored, processed, and transmitted, hence directly affecting network and network security domains.

Another example is SOX Section 404 in Title IV. Many organizations consider Section 404 to be the most critical part of SOX: an organization must obtain an annual certification of its internal controls, have an independent accountant attest to that report, and perform quarterly reviews to capture required updates and changes. This requires producing a new report that validates the internal controls over the financial reporting process. Because of SOX Section 404, many organizations invest heavily in networking and security infrastructure that ensures the confidentiality, integrity, and availability of their information systems.

In addition, the SOX Act also covers issues such as auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure.

To ensure compliance, the following sections are important:

An internationally recognized controls-based framework, such as ISO/IEC 27002 (ISO/IEC 17799), coupled with a process-based framework, such as COBIT, can provide an organization with a comprehensive best-practices approach that underpins SOX compliance.

Many other countries have replicated the SOX Act in localized legislation that reflects similar requirements and mandates to those of the original SOX Act. Examples include the following:

Penalties for Violations

To ensure compliance, the SOX Act has provisions that include both criminal and civil penalties for any violations.

Penalties for noncompliance are significant. Fines for SOX violations can go up to $500,000 and include up to 10 years in prison.

False reporting carries a huge penalty under the SOX Act. Knowingly signing false reports carries a prison sentence of up to 20 years.

These penalties ensure that businesses and government agencies treat regulatory compliance as a top priority.

The Securities and Exchange Commission (SEC) and the Federal Reserve Board are charged to execute and enforce the SOX Act.

Cisco Solutions Addressing SOX

Table 25-4 lists the Cisco products and solutions that help address the SOX requirements.

Table 25-4. Cisco Solutions Addressing SOX Requirements

Requirement | Cisco Solutions

Intrusion Detection and Prevention
  • Cisco IPS 4200 Series Sensors
  • Cisco Integrated Services Routers (ISR) with Security Bundle
  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco Catalyst Security Services Modules

Logging, Authentication, Access Control
  • Cisco Secure Access Control Server (ACS)
  • Cisco Security Agent (CSA)
  • Cisco Security Monitoring, Analysis and Response System (CS-MARS)

Antivirus Policy
  • Cisco ASA 5500 Series
  • Cisco Firewall Services Module (FWSM)
  • Cisco Integrated Services Routers (ISR)
  • Cisco IPS 4200 Series
  • Cisco Security Agent (CSA)

Remote-Access Policy
  • Cisco ASA 5500 Series
  • Cisco Integrated Services Routers (ISR)

Configuration Policy
  • Cisco Security Device Manager (Security Bundles)
  • Cisco Security Agent (CSA)
  • Cisco Security MARS
  • Cisco Security Manager
  • Cisco Network Admission Control (NAC)

Vulnerability Assessment
  • Regular Vulnerability Assessment


SOX Summary

In summary, publicly listed companies need a system-based approach that is collaborative and adaptive, offering an effective security governance framework to manage information security as well as provide guidelines to meet SOX compliance requirements.

For more details about SOX, refer to the following documentation URLs:

http://www.sarbanes-oxley-forum.com/

http://www.wikipedia.org/wiki/SOX

http://www.whitehouse.gov/news/releases/2002/07/20020730.html

Tip

The actual text of the law can be downloaded in PDF format from the following URL: http://www.sec.gov/about/laws/soa2002.pdf.

