Sarbanes-Oxley Act

This is a slimmed down version of an essay written in early 2017 by Bryan for his Master of Cybersecurity degree at Purdue University.


The stock market crash of 1929 that led to the Great Depression of the early 1930s also led to the creation of the Securities Exchange Act of 1934 [4]. The Securities Exchange Act created the Securities and Exchange Commission (SEC), tasked not only with restoring confidence in the financial markets but also with defining and enforcing laws governing investment in publicly traded companies, laws that place the interests of investors above the needs of the business and its owners [4]. Every major Act passed by Congress in the United States in the modern era was a response to some action by an individual, corporation, or government entity that was, at some later point, judged to be illegal.

The same is true for the Sarbanes-Oxley Act of 2002 (known as SOX), born from another example of corporate fraud during a period of deregulation, or of no regulation at all. Many corporations were at fault prior to the enactment of SOX, but two stand out from the crowd: Enron and WorldCom. In 2001, Enron filed for bankruptcy protection, seeking to protect its nearly $63 billion in assets after a collapse of its stock value [2]. The value of Enron’s stock dropped from $75 a share to just $0.72 in under a year after an internal whistleblower leaked information to the SEC and other authorities [2]. Enron had been keeping large debts off its balance sheets, cooking its books, so to speak, to present a positive outlook for the company to investors. Investors and other players in the stock market took this information at face value and continued to invest in the company.

Enron went bankrupt, and the CEO and those responsible for falsifying accounting data and reports were criminally charged and sent to prison. Enron employees lost their retirement accounts, most lost their jobs, and investors lost every single penny they had invested in the company. The Enron scandal gave birth to the Sarbanes-Oxley Act of 2002, named after its sponsors, Senator Paul Sarbanes and Congressman Michael Oxley [1].

SOX Goals and Objectives

The Sarbanes-Oxley Act was signed into law on July 30, 2002, not long after the WorldCom scandal made headlines. WorldCom had defrauded its investors in much the same way as Enron, by under-reporting expenses and recording them instead as capital, resulting in $3.8 billion in fraud [2]. SOX is an expansive law directed entirely at corporations that are publicly traded on the stock market. In short, SOX places the responsibility for accurate reporting on the shoulders of the CEO, requiring a corporation’s CEO to personally sign off on the accuracy of financial statements [1]. Three of the most important areas of the Sarbanes-Oxley Act are discussed below.

Section 404 of SOX sets forth the requirement for executives to personally certify the accuracy of all financial statements presented by a corporation [1]. Section 404 also establishes internal controls for corporations, specifically defining the documentation, testing, and maintenance of financial systems within an organization [6]. The internal controls affect not only corporate executives but also managers of financial teams and even information technology teams responsible for the electronic systems that store or transmit financial data [1]. Internal auditors are required to certify internal controls at the same time executives certify the financial statements.

SOX also created a new commission, the Public Company Accounting Oversight Board (PCAOB), whose sole responsibility is to set standards for audits [1]. Auditors must be publicly registered with the PCAOB, because the PCAOB also inspects, investigates, and enforces SOX compliance. The PCAOB is a watchdog that ensures accounting firms doing other business with a publicly traded company are not also the ones performing its audits. Audits, as required under the PCAOB, must be performed by an independent third-party organization with no affiliation to the corporation or any of its affiliates.

The third important area of SOX is the protection of employees who report fraudulent activity. These individuals, known as whistleblowers, often testify in open court against their employers, and under SOX they are protected from any change to their employment agreement [1]. Employees who report fraudulent activity to the SEC cannot be reprimanded, fired, or otherwise have the terms and conditions of their employment changed for any reason, and this protection extends to contractors as well. Under SOX, the contractor designation covers temporary employees, vendors, or any entity contracted with the corporation [1]. This means that accounting firms hired by corporations are protected under the whistleblower provisions of SOX should they find and report fraud.

Information Technology’s Role

The information technology teams of publicly traded corporations play a vital role in SOX compliance. Section 302 of the Sarbanes-Oxley Act requires the CEO and CFO to certify that they have evaluated the Internal Controls of Financial Reporting (ICFR) within 90 days of certifying financial statements [6]. The term internal controls has been used several times in this essay and therefore warrants a definition from an IT perspective. Processing, storage, and reporting of financial data occur on electronic systems, and those systems fall within the realm of information technology. IT departments are responsible for the security controls that safeguard these systems: firewalls to limit network access, access control lists that restrict who can reach databases and data, robust database and storage systems that encrypt data at rest, and reporting systems that are protected against tampering.

Section 404 of SOX details the controls that support financial reporting so that reporting is accurate and transparent [6]. IT departments must identify the systems and processes that interact with financial data through security assessments, audits, and application and system testing. The scope is not limited to the systems that store, permit interaction with, and transmit financial data: email systems are also a key control, since email serves as the basis for inter-office communication [5]. According to Section 404 of SOX, these controls ensure that all processes and procedures dealing with financial data are accurate and complete and that the data maintains its integrity.

Section 802 of SOX details the regulations for records retention and covers a wide range of material. Examples of records to be retained include emails, instant messages, data on employee computers, recorded phone calls where applicable, and all financial transactions [6]. Per SOX, these records must be kept for a minimum of five years, preserved and made available to auditors at a future date [6]. Failure to maintain these digital and paper records results in non-compliance with SOX, which carries several severe punishments for a corporation, its executives, and its employees. Non-compliance consequences are discussed in a later section.
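The two IT obligations described above, reporting systems that are protected against tampering and records that must survive for at least five years, can both be checked mechanically. The following Python script is an added example, not part of the original essay and not drawn from any of the cited sources. It assumes a simple archive in which each retained record (an email, a ledger entry, a chat message) is stored with a chained SHA-256 digest, so that modifying or reordering an archived record is detectable at audit time, and it gates disposal on the five-year minimum the essay attributes to Section 802. The record layout, field names and sample records are constructed for the example.

```python
import hashlib
import json
from datetime import date

# Minimum retention period the essay attributes to SOX Section 802 (assumption: counted
# from the record's creation date; a real policy may count from the end of the audit period).
RETENTION_YEARS = 5

GENESIS = "0" * 64  # fixed anchor for the first link in the digest chain


def record_digest(prev_digest, record):
    """Hash a record together with the previous digest so entries form a chain.

    Canonical JSON (sorted keys, no whitespace) makes the digest independent of
    field order, so two stores holding the same record agree on its hash.
    """
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_digest.encode() + payload).hexdigest()


def build_chain(records):
    """Return one digest per record; each digest commits to everything before it."""
    digests = []
    prev = GENESIS
    for rec in records:
        prev = record_digest(prev, rec)
        digests.append(prev)
    return digests


def verify_chain(records, stored_digests):
    """Recompute the chain and return the indices whose record no longer matches.

    Verification continues from the *stored* digest after a mismatch so that a single
    edited record is reported once rather than invalidating every later entry.
    """
    if len(records) != len(stored_digests):
        raise ValueError("record count does not match digest count (records added or removed)")
    tampered = []
    prev = GENESIS
    for i, (rec, stored) in enumerate(zip(records, stored_digests)):
        if record_digest(prev, rec) != stored:
            tampered.append(i)
        prev = stored
    return tampered


def retention_expiry(created, years=RETENTION_YEARS):
    """Earliest date on which a record created on `created` may be disposed of."""
    try:
        return created.replace(year=created.year + years)
    except ValueError:  # 29 February with no counterpart in the target year
        return created.replace(year=created.year + years, day=28)


def disposal_allowed(record, today):
    """True only once the record has been held for the full retention period."""
    created = date.fromisoformat(record["created"])
    return today >= retention_expiry(created)


def audit_archive(records, stored_digests, today):
    """Combine both checks into the summary an internal auditor would want."""
    return {
        "tampered": verify_chain(records, stored_digests),
        "disposable": [r["id"] for r in records if disposal_allowed(r, today)],
    }


# Constructed sample archive: three retained records of the kinds the essay lists.
SAMPLE_RECORDS = [
    {"id": "msg-0001", "kind": "email", "created": "2012-03-15", "origin": "mail-archive"},
    {"id": "txn-0042", "kind": "ledger", "created": "2016-02-29", "origin": "erp"},
    {"id": "im-0007", "kind": "chat", "created": "2017-11-02", "origin": "im-archive"},
]

if __name__ == "__main__":
    digests = build_chain(SAMPLE_RECORDS)
    print(audit_archive(SAMPLE_RECORDS, digests, date(2018, 6, 8)))
    # Simulate an after-the-fact edit to the ledger entry and re-run the audit.
    edited = [dict(r) for r in SAMPLE_RECORDS]
    edited[1]["created"] = "2017-02-28"
    print(audit_archive(edited, digests, date(2018, 6, 8)))
```

In practice the digest list would be written to a separate, append-only location (or signed) so that whoever can edit the archive cannot also rewrite the chain; the chain only detects tampering, it does not prevent it, which is why the essay pairs it with access control and independent audit.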

There are many sections of the Sarbanes-Oxley Act of 2002 with which IT must become intimately familiar to bring a publicly traded organization into compliance. Two frameworks, or tools, aid an IT team in assessing an organization’s compliance. The first, known as COSO (Committee of Sponsoring Organizations of the Treadway Commission), includes five components that help an IT team create an effective and efficient internal control system [6]. The COSO framework emphasizes a risk-based approach to identifying and assessing internal control areas and is designed to be useful for executives, managers, and IT departments alike.

The second tool is the COBIT framework (Control Objectives for Information and Related Technologies), developed by ISACA, an international professional association focused on IT governance [6]. COBIT is a robust tool that combines compliance requirements (e.g. SOX, PCI-DSS, and HIPAA) with technical issues, risk assessment and awareness, and information technology management [6]. One of the key areas of focus for information technology teams is documentation, especially when dealing with federal and state regulations and compliance issues. These documents should detail which systems and processes interact with financial data, the policies and procedures in place for handling security incidents, and the plans for recovering from them.

Information technology teams are a crucial part of SOX compliance in the twenty-first century. Through risk-based assessments, IT teams can identify security concerns that relate to financial transactions within an organization. Internal audits verify that mitigation techniques and security controls remain effective and should be conducted frequently to ensure ongoing compliance [5]. If IT teams are already performing risk-based assessments, internal audits, and stress testing recovery plans and procedures, compliance with federal regulations should be a relatively straightforward affair.

Non-compliance Consequences

When a CEO and CFO certify the accuracy of financial reports, they are held liable for any mistakes, whether accidental or fraudulent, and penalties can be levied against them in either case. Section 906 of the Sarbanes-Oxley Act of 2002 defines corporate responsibility for financial reports, including the criminal penalties for non-compliance [7]. The legal language of the law is difficult to parse, but the penalties are quite clear, and there are two. The first penalty is a $1 million fine and/or up to 10 years in prison. The second penalty is a $5 million fine and/or up to 20 years in prison. Depending on the actions, or inactions, of CEOs and CFOs, both penalties could be levied against these individuals [7].

Publicly traded corporations submit yearly and quarterly financial reports to the SEC, as explicitly detailed and required by SOX [2]. Within 90 days of each report submission, the same individuals who certified the financial reports must also certify the effectiveness of internal controls. Failure to certify internal controls within the 90-day period results in an audit in which an independent third party is brought in, at the organization’s expense, to review and certify SOX compliance [2]. In addition, failure to comply with record retention, by shredding documents or deleting stored data, affects not only CEOs and CFOs: criminal penalties can be levied against the individuals who carried out the destruction of records [2].

Summary

When SOX was put into effect, many corporations complained about the cost of implementing the internal controls the regulations mandate. Over the last decade, however, information technology systems and security costs have decreased while the systems have become more powerful and effective [3]. Although SOX affects only publicly traded corporations, its regulations are being adopted by private organizations too. For example, private companies that are PCI compliant face little to no additional cost to become SOX compliant and are therefore pursuing compliance [3]. SOX was deemed effective until the housing market crash of 2008 that led to the Great Recession [3]. The law remains in effect, and just as effective, today because the Great Recession was not a result of Sarbanes-Oxley. In fact, the financial crisis of 2008 was later determined to have been caused by deregulation of banks and other financial institutions, which removed the checks and balances meant to ensure effective and accurate financial reporting [3].

Many CEOs argued that SOX was not necessary and that, as a result of the public proceedings against Enron and WorldCom, the “system” would fix itself [3]. That is a common sentiment whenever government regulations are put into place, but time and time again these regulations improve processes and protections for the public. According to John Iosub [5], quantifying the impact of Sarbanes-Oxley is difficult and will take several years. A decade and a half later, SOX is still in effect and corporations and the stock market are still going strong, a clear indication that the Sarbanes-Oxley Act of 2002 is effective.

References

[1] Amadeo, K. (2018). Sarbanes-Oxley summary: How it stops fraud. Retrieved June 8, 2018 from https://www.thebalance.com/sarbanes-oxley-act-of-2002-3306254

[7] Compliance Guidelines. (2018). Sarbanes Oxley (SOX) compliance. Retrieved June 8, 2018 from https://complianceguidelines.com/sox-compliance.htm

[2] Fleming, M. (2004). The role of IT security in Sarbanes-Oxley compliance. Retrieved June 8, 2018 from https://www.sans.org/reading-room/whitepapers/legal/role-security-sarbanes-oxley-compliance-1376

[3] Forbes. (2014). The costs and benefits of Sarbanes-Oxley. Retrieved June 8, 2018 from https://www.forbes.com/sites/hbsworkingknowledge/2014/03/10/the-costs-and-benefits-of-sarbanes-oxley/#147ed033478c

[4] Fox Business. (2016). A brief history of the Securities and Exchange Commission. Retrieved June 8, 2018 from https://www.foxbusiness.com/markets/a-brief-history-of-the-securities-and-exchange-commission

[5] Iosub, J. (2003). What the Sarbanes-Oxley act means for IT managers. Retrieved June 8, 2018 from https://www.techrepublic.com/article/what-the-sarbanes-oxley-act-means-for-it-managers/

[6] Lee, J. (2018). SOX compliance: What is the IT team’s role? Retrieved June 8, 2018 from https://blog.ipswitch.com/sox-compliance-what-is-the-it-teams-role