The Sarbanes-Oxley Act (SOX) was passed by the United States government to protect shareholders and the general public from incidents such as accounting errors or malpractice in enterprises and to improve the accuracy of corporate disclosures. The act sets pre-defined deadlines for compliance and publishes rules on requirements.
The act requires all financial reports to include an Internal Controls Report. This shows that a company’s financial data are accurate (within 5% variance) and adequate controls are in place to safeguard financial data. Year-end financial disclosure reports are also a requirement. An independent external SOX auditor is required to review controls, policies, and procedures during the Section 404 audit.
An audit will also look at people working at the firm and may interview staff to confirm that their duties correspond to their job description and that they have the required training to safely access financial information.
All public companies are now legally required to comply with SOX, both on the financial side and on the IT side. The way in which IT departments store corporate electronic records had to be modified as a result of SOX. While the act does not specify how a business should store records or establish a set of business practices, it does define which records should be stored and the length of time for the storage.
SOX sections 302, 404 and 409 require that the following parameters and conditions be monitored, logged and audited:
- Internal controls
- Network activity
- Database activity
- Login activity (success and failures)
- Account activity
- User activity
- Information access
Sarbanes-Oxley (SOX) made it mandatory for auditors to have greater independence, and required improved corporate governance, proper systematic documentation of corporate internal controls and enhanced financial disclosures.