Implemented as a result of corporate financial scandals, the act made sweeping changes to federal securities law and corporate accountability.
The Sarbanes-Oxley Act (SOX) was signed into law on July 30, 2002. The Act specifies financial reporting responsibilities, as well as required internal controls and procedures designed to ensure the validity of financial records and protect against disclosure of confidential information. The Sarbanes-Oxley act also created new standards for corporate accountability, new penalties for acts of wrongdoing, and protection of “whistleblowers” against unlawful retaliation.
All publicly-traded companies in the U.S. (including wholly owned subsidiaries), all publicly-traded companies doing business in the U.S., as well as accounting firms providing auditing services to them must maintain Sarbanes-Oxley compliance. However, many private and nonprofit companies are facing market pressures to conform to SOX standards. Privately held companies that fail to adopt SOX-type standards to protect information may face higher insurance premiums, have difficulty raising capital, and lose customers to other companies that adhere to the compliance standards. [1]
The Sarbanes-Oxley Act is arranged into 11 “Titles”. With regards to compliance, the most important sections within the 11 titles are:
Section 302 – Corporate responsibility for financial reports. Intended to safeguard against faulty financial reporting. As part of this section, companies must safeguard their data to ensure financial reports are not based upon faulty data or data that has been tampered with.
Important subsections include:
Section 302.2 – Establish safeguards to prevent data tampering. Requires the signing officer to attest to the validity of reported information. Data must be verifiably true, requiring safeguards to prevent data tampering.
Section 302.3 – Establish safeguards to establish timelines. Requires the signing officer to attest that reported information is fairly presented, including accurate reporting for the time periods. Safeguards must ensure data relates to a verifiable time period.
Section 302.4.B – Establish verifiable controls to track data access. Requires internal controls over data, so that officers are aware of all relevant data for reporting purposes. Data must exist in a verifiably secure framework which is internally controlled.
Section 302.4.D – Periodically report the effectiveness of safeguards. Requires a report on the effectiveness of the security system. The security framework should report its effectiveness to officers and auditors.
Section 302.5.A&B – Detect security breaches. Requires detection of security breaches due to flaws within the security system, control system or fraud.
Section 404 – Management assessment of internal controls – Requires that safeguards stated within Section 302, as well as other sections of the act, be externally verifiable by independent auditors. Specifically, this section guarantees that the security of data cannot be hidden from auditors, as auditors disclose to shareholders and the public any security breaches that affect company finances.
Important subsections include:
Section 404.A.1.1 – Disclose security safeguards to independent auditors. Relates to management of appointed auditors, requiring them to review control structures and procedures used for reporting financial information. The security framework, and those responsible for the operation of the security framework, must be disclosed to auditors.
Section 404.A.2 – Disclose security breaches to independent auditors. Requires auditors to assess the effectiveness of the internal control structure. The general effectiveness of the security framework must be measured and disclosed.
Section 404.B – Disclose failures of security safeguards to independent auditors. Requires auditors to be aware of (and report on) changes to internal controls, and possible failures that could affect internal controls. Verification must exist showing the security framework is operational and effective.
As you can see, compliance with the Sarbanes-Oxley Act differs from both HIPAA and GLBA, as it does not contain requirements for retention of specific record types, media or recovery time objectives. Simply put, HIPAA and GLBA were designed to protect patient and customer confidentiality. SOX was designed to protect the shareholder’s “transparent” view of a company.
Many of the same strategies for HIPAA and GLBA compliance can aid in compliance with the Sarbanes-Oxley Act. Strong data security, employee education, access controls, secure data storage and an intelligent business continuity plan are not just smart business, they also provide the most solid foundation for compliance requirements.
For the final blog post in this series, we will look at Payment Card Industry Data Security Standard, PCI DSS.
[1] Gwen Thomas and Amy Klutz. 2003-2012. SOX-online. Accessed April 8, 2014. http://www.sox-online.com/.
[2] PCI Security Standards Council, LLC. 2010. "PCI Security Standards Resources." October. Accessed April 13, 2014. https://www.pcisecuritystandards.org.
[3] RAND Institute for Civil Justice. 2007. "Do the Benefits of Sarbanes-Oxley Justify the Costs?" Accessed April 9, 2015. http://www.rand.org/pubs/research_briefs/RB9295/index1.html.
[4] U.S. Securities and Exchange Commission. n.d. "Management's Report on Internal Control over Financial Reporting (Section 404 guide)." Accessed April 9, 2015. https://www.sec.gov/info/smallbus/404guide.pdf.