SOX—Sarbanes-Oxley Act

The Sarbanes-Oxley Act, also known as the Public Company Accounting Reform and Investor Protection Act and commonly referred to as SOX or Sarbox, is a United States federal law enacted in July 2002.

Between the years 2000 and 2002, there were a series of large corporate frauds and accounting scandals, including those affecting Enron, Tyco International, Peregrine Systems, and WorldCom. These scandals and others resulted in more than $500 billion in market value declines and disbelief of public trust in accounting and reporting practices.

The SOX Act was passed in 2002 as a result of the analysis and the root causes identified that contributed to these scandals.

Who Is Affected

The SOX Act directly affects corporate executives of a publicly listed company who are held responsible for establishing, evaluating, and monitoring the effectiveness of internal controls over their financial reporting.

The SOX Act applies to any organization that is publicly traded in the United States and requires compliance with SOX Act mandates, including all their divisions and wholly owned subsidiaries.

The SOX Act also applies to any non-U.S. public multinational company doing business in the United States.

SOX Act Requirements

The major focus of the SOX Act is to ensure the accuracy of financial records and controls around these records related to income, expenses, accounting, and liabilities.

The SOX Act contains 11 titles, or sections, dictating specific mandates and requirements for financial reporting. Each title consists of several sections.

Table 25-3 provides a comprehensive summary of these 11 titles of the SOX Act.

Table 25-3. SOX Act—11 Titles

Title#	Title Name	Description
Title I	Public Company Accounting Oversight Board (PCAOB)	Requires establishing a Public Company Accounting Oversight Board (PCAOB) to provide independent oversight of public accounting firms providing audit services.
Title II	Auditors Independence	Consists of nine sections that establish standards for external auditor independence and limit conflicts of interest.
Title III	Corporate Responsibility	Mandates that senior executives take individual responsibility for the accuracy and completeness of corporate financial reports.
Title IV	Enhanced Financial Disclosures	Consists of nine sections. Describes enhanced reporting requirements for financial transactions, including off-balance sheet transactions, pro-forma figures, and stock transactions of corporate officers.
Title V	Analyst Conflicts of Interest	Consists of only one section, which includes measures designed to help restore investor confidence in the reporting of securities analysts.
Title VI	Commission Resources and Authority	Consists of four sections that define practices to restore investor confidence in securities analysts.
Title VII	Studies and Reports	Consists of five sections. These sections 701 to 705 are concerned with conducting research for enforcing actions against violations by the Securities and Exchange Commission (SEC) registrants (companies) and auditors.
Title VIII	Corporate and Criminal Fraud Accountability	Consists of seven sections and is referred to as the Corporate and Criminal Fraud Act of 2002. Describes specific criminal penalties for fraud by manipulation, destruction, or alteration of financial records or other interference with investigations, while providing certain protections for whistle blowers.
Title IX	White Collar Crime Penalty Enhancement	Consists of two sections and is called the White Collar Crime Penalty Enhancement Act of 2002. This section increases the criminal penalties associated with white-collar crimes and conspiracies.
Title X	Corporate Tax Returns	Consists of only one section. Section 1001 states that the Chief Executive Officer should sign the company tax return.
Title XI	Corporate Fraud Accountability	Consists of seven sections. Section 1101 recommends a name for this title as Corporate Fraud Accountability Act of 2002. This also enables the Securities and Exchange Commission (SEC) to temporarily freeze large or unusual payments.

The SOX Act does not specifically mandate information security requirements. However, security has emerged as a key component for SOX Act compliance.

For example, as part of Title 1 requirements listed in Table 25-3, a Public Company Accounting Oversight Board (PCAOB) is established for independent oversight of public accounting firms providing audit services, which is charged with overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies. As a result of this Auditing Standard 2 of the PCAOB requirements, network security is a fundamental component of SOX compliance.

The Auditing Standard 2 states that senior management is responsible not only for financial information but also for the way that information is generated, accessed, collected, stored, processed, and transmitted, hence directly affecting network and network security domains.

Another example is SOX Section 404 in Title IV. Many organizations consider Section 404 to be the most critical part of SOX, whereby organizations must receive an annual certification of internal controls and have an independent accountant attest to the report and quarterly reviews for updates and changes required. This requires producing a new report that validates the internal controls over the financial reporting process. Because of SOX Section 404, many organizations invest heavily in networking and security systems infrastructures that ensure the confidentiality, integrity, and availability of information systems.

In addition, the SOX Act also covers issues such as auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure.

To ensure compliance, the following sections are important:

• Section 302 requires the CEO and CFO to certify that the financial reports are true and accurate and that adequate controls exist over financial reporting and disclosure.

• Section 404 describes these controls, requires that certification be reasonable, and requires that outside auditors certify the existence of adequate controls over financial reporting.

• Section 409 requires prompt reporting of any changes in financial condition that might be material to investors.

• Section 802 mandates that companies and their auditors retain accounting documents and work papers for a minimum of seven years.

An internationally recognized controls-based framework, such as ISO/IEC 27002 (ISO/IEC 17799), coupled with a process-based framework, such as COBIT, can provide an organization with a comprehensive best-practices approach that underpins SOX compliance.

Many other countries have replicated the SOX Act to their localized act. They reflect similar requirements and mandates from the original SOX Act. Examples include the following:

• Bill 198: Ontario, Canada, version of the SOX Act

• J-SOX: Japanese version of the SOX Act

• CLERP9: Australian Corporate reporting and disclosure law

• LSF ("Loi sur la Sécurité Financière"): French version of the SOX Act

• L262/2005 ("Disposizioni per la tutela del risparmio e la disciplina dei mercati finanziari"): Italian version of the SOX Act

Penalties for Violations

To ensure compliance, the SOX Act has provisions that include both criminal and civil penalties for any violations.

Penalties for noncompliance are significant. Fines for SOX violations can go up to $500,000 and include up to 10 years in prison.

False reporting carries a huge penalty under the SOX Act. Knowingly signing false reports carries a prison sentence of up to 20 years.

These penalties ensure that businesses and government agencies treat regulatory compliance as a top priority.

The Securities and Exchange Commission (SEC) and the Federal Reserve Board are charged to execute and enforce the SOX Act.

Cisco Solutions Addressing SOX

Table 25-4 lists the Cisco products and solutions that help address the SOX requirements.

Table 25-4. Cisco Solutions Addressing SOX Requirements

Requirement	Cisco Solutions
Intrusion Detection and Prevention	Cisco IPS 4200 Series Sensors Cisco Integrated Services Routers (ISR) with Security Bundle Cisco ASA 5500 Series Adaptive Security Appliances Cisco Catalyst Security Services Modules
Logging, Authentication, Access Control	Cisco Secure Access Control Server (ACS) Cisco Security Agent (CSA) Cisco Security Mitigation, Analysis and Response System (CS-MARS)
Antivirus Policy	Cisco ASA 5500 Series Cisco Firewall Services Module (FWSM) Cisco Integrated Services Routers (ISR) Cisco IPS 4200 Series Cisco Security Agent(CSA)
Remote-Access Policy	Cisco ASA 5500 Series Cisco Integrated Services Routers (ISR)
Configuration Policy	Cisco Security Device Manager (Security Bundles) Cisco Security Agent (CSA) Cisco Security MARS Cisco Security Manager Cisco Network Admission Control (NAC)
Vulnerability Assessment	Regular Vulnerability Assessment

SOX Summary

In summary, publicly listed companies need a system-based approach that is collaborative and adaptive, offering an effective security governance framework to manage information security as well as provide guidelines to meet SOX compliance requirements.

For more details about SOX, refer to the following documentation URLs:

http://www.sarbanes-oxley-forum.com/

http://www.wikipedia.org/wiki/SOX

http://www.whitehouse.gov/news/releases/2002/07/20020730.html