15 Dec SOX Compliance Audits: Take the Steps to be Ready!
The Sarbanes-Oxley Act of 2002, often simply called SOX or Sarbox, is a U.S. law aimed at protecting investors from fraudulent or erroneous accounting practices by corporations and other business entities. What does SOX entail? The law mandates strict reforms to improve financial disclosures by corporations and to prevent accounting fraud. It also covers auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure. The goal is greater transparency in the financial reports of all U.S. public companies, their boards, their management, and the public accounting firms that audit them, together with formalized systems of internal control.
While the details of the Sarbanes-Oxley Act are complex, “SOX compliance” in practice refers to the annual audit in which a public company must demonstrate that its financial reporting is accurate and that the systems and data behind that reporting are adequately secured.
Because improving the reliability and accuracy of corporate disclosure is a key goal of SOX, public company management is obligated to personally certify the veracity of its financial information. Under SOX, the board of directors takes on an expanded role in overseeing the company’s handling of its finances, while external auditors gain more independence as they review the accuracy of the business’s financial statements. For a business, adhering to SOX requirements is not only a legal duty but also good corporate practice.
The law is named for its two sponsors, Senator Paul Sarbanes and Representative Michael Oxley. The U.S. Securities and Exchange Commission (SEC) administers the act. Sarbanes-Oxley was enacted after a series of large-scale accounting scandals in the early 2000s at companies such as Enron, Tyco, and WorldCom. Investors lost billions of dollars when those companies’ share prices suddenly collapsed, and the general public lost confidence in U.S. securities markets. The SOX audit is an annual assessment of how well your organization administers its internal controls, and the results of this audit are reported to shareholders. Some of the parameters and conditions that must be tracked, documented, and audited are:
- Internal controls
- Network activity
- Database activity
- Login activity (success and failures)
- Account activity
- User activity
- Information Access
Be prepared for a SOX compliance audit
A SOX auditor will concentrate on four key internal-control areas during the annual audit. To show that your organization conforms to SOX requirements, you have to prove that your business has suitable controls for:
- Access control – Access control restricts access to sensitive data. Only users whose identity has been verified can reach company data, and they reach it through a controlled gateway rather than directly. You also need to be able to demonstrate that each user has access only to the data their job requires (least privilege), which in practice means keeping an approved role-to-job mapping and reviewing actual entitlements against it on a regular schedule, including prompt removal of access for people who leave.
- Security – You have to be able to prove to an auditor that your information is protected by appropriate security controls that prevent data breaches and data leaks and that you can detect and respond to cyber threats, not merely that policies exist on paper.
- Data backup – Auditors expect the financial records that feed your reporting to be backed up to a separate, off-site location, with the backups retained, protected to the same standard as the live data, and periodically tested for restore.
- Change management – An additional SOX requirement is that every financial application have documented procedures for adding and managing its users, installing new software, and making changes to its databases or applications. Each change should leave a record of who requested it, who approved it, and when it was applied, because that record is the evidence the auditor will ask for.
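The access control item above asks you to validate that users hold only the access their job requires. Below is an added example of the kind of automated user-access review that produces that evidence; it is not the firm’s own tooling and not code from the original article. The entitlement export, the role matrix, the segregation-of-duties rules and the user names are all constructed for illustration, and a real review would read the export from the ERP or identity system instead of a list in the script.

```python
"""Added example: automated user-access review for SOX access-control evidence.

All data below is constructed for illustration. In practice the entitlement
export comes from the ERP / identity provider and the role matrix is owned
by Finance; the names and role codes here are hypothetical.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed entitlement export: (user, job function, system, role).
ENTITLEMENTS = [
    ("alice", "AP Clerk",   "ERP",    "AP_CREATE_VENDOR"),
    ("alice", "AP Clerk",   "ERP",    "AP_ENTER_INVOICE"),
    ("bob",   "AP Manager", "ERP",    "AP_APPROVE_PAYMENT"),
    ("bob",   "AP Manager", "ERP",    "AP_CREATE_VENDOR"),   # vendor + payment: SoD conflict
    ("carol", "Sales Rep",  "ERP",    "GL_POST_JOURNAL"),    # not approved for her job
    ("dave",  "DBA",        "ERP-DB", "DB_ADMIN"),
    ("erin",  "Contractor", "ERP",    "AP_ENTER_INVOICE"),   # left the company, still active
]

# Users HR reports as terminated (constructed).
TERMINATED = {"erin"}

# Hypothetical approved role matrix: job function -> allowed (system, role) pairs.
ROLE_MATRIX = {
    "AP Clerk":   {("ERP", "AP_CREATE_VENDOR"), ("ERP", "AP_ENTER_INVOICE")},
    "AP Manager": {("ERP", "AP_APPROVE_PAYMENT")},
    "Sales Rep":  {("CRM", "SALES_USER")},
    "DBA":        {("ERP-DB", "DB_ADMIN")},
}

# Segregation-of-duties rules: no single user may hold both roles in a pair.
SOD_RULES = [
    ("AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"),
    ("AP_ENTER_INVOICE", "AP_APPROVE_PAYMENT"),
]


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # excess_access | sod_conflict | terminated_user_active | unknown_job
    detail: str


def review_access(entitlements, role_matrix, sod_rules, terminated):
    """Compare actual entitlements against the approved matrix and SoD rules.

    Returns a list of Finding records; an empty list means the review is clean.
    """
    per_user = {}
    for user, job, system, role in entitlements:
        entry = per_user.setdefault(user, {"job": job, "roles": set()})
        entry["roles"].add((system, role))

    findings = []
    for user, info in sorted(per_user.items()):
        if user in terminated:
            # Any active entitlement for a leaver is a finding by itself;
            # no need to also report excess roles for them.
            findings.append(Finding(user, "terminated_user_active",
                                    f"{len(info['roles'])} active role(s) after termination"))
            continue

        if info["job"] not in role_matrix:
            findings.append(Finding(user, "unknown_job",
                                    f"no approved roles defined for job '{info['job']}'"))
        approved = role_matrix.get(info["job"], set())

        # Least privilege: anything outside the approved set for the job is excess.
        for system, role in sorted(info["roles"] - approved):
            findings.append(Finding(user, "excess_access",
                                    f"{system}:{role} not approved for {info['job']}"))

        # Segregation of duties: flag toxic role combinations regardless of approval.
        held = {role for _, role in info["roles"]}
        for a, b in sod_rules:
            if a in held and b in held:
                findings.append(Finding(user, "sod_conflict", f"holds both {a} and {b}"))
    return findings


def summarize(findings):
    """Count findings by kind, the headline numbers for the audit workpaper."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    results = review_access(ENTITLEMENTS, ROLE_MATRIX, SOD_RULES, TERMINATED)
    for f in results:
        print(f"{f.user:<6} {f.kind:<24} {f.detail}")
    print("summary:", summarize(results))
```

Each finding maps to a remediation ticket, and the script output plus the ticket closures form the evidence trail; running the review on a schedule (quarterly is common) and keeping the dated outputs is what turns a one-off check into an auditable control.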
With proper preparation, your business can avoid a poor audit outcome. FPV & Galíndez is an accomplished firm with expertise in Sarbanes-Oxley Act of 2002 (SOX) compliance testing and has the tools your organization needs to fully adhere to the financial requirements of the law. Get in touch with one of our professionals, who are ready to assist you and tell you more about SOX and the other auditing and financial services that can benefit your business.
About the author: Wilfredo Vera Pujols, CISA, CDPSE
A skilled consultant in Internal Audit and Compliance, Vera holds a BBA in Information Systems from the University of Puerto Rico at Mayagüez and a Master’s in Computer Science from the illustrious Polytechnic University of Puerto Rico. Over the last three years he has applied that training to his specialty of auditing and consulting, internal controls, and SOX for our diverse clientele. Among his major clients are Evertec, Triple-S of Puerto Rico, and Banco Popular, to name a few. We are confident that this ISACA member, together with the expertise of FPV & Galíndez’s Consulting Department, will provide strategic solutions for any IT and cybersecurity needs your organization may have.