Corporate compliance is a major undertaking for a few reasons–IT systems become complex, work forces grow to hundreds of individuals with different levels of access to information and public corporations must file difficult financial and security attestations annually to prevent fraud.
One of the essential forms of financial and IT compliance for publicly-traded companies in the U.S. is SOX 404 compliance, or compliance with Section 404 of the Sarbanes-Oxley Act.
Learn more about SOX 404 and how it might impact your company.
What Is the Sarbanes-Oxley Act?
The Sarbanes-Oxley Act, colloquially known as “SOX,” is a law passed by Congress in 2002 as a response to the various corporate fraud scandals over the previous years (including, notably, Enron and WorldCom).
The heart of the law relates to corporate transparency and responsibility. Before the enactment of the law, there were limited controls in place to protect investors and the public from corporate fraud, due in no small part to the reasoning that public corporations were not seen as a source of fraud due to their high visibility. With incidents like Enron, Tyco and WorldCom, however, the public learned that not only could corporate finances be obfuscated for purposes of fraud, but that these incidents had a significant impact on public trust in the U.S. economy.
The Sarbanes-Oxley Act was passed with overwhelming support in both chambers of Congress. The law implements additional requirements for publicly-traded corporate entities (and a limited set of private companies) to provide regular, transparent financial reporting. Some of these requirements include the following:
- Added Accountability: All Chief Executive Officers and Chief Financial Officers in public companies must sign off on compliant financial reporting and take responsibility for the accuracy and timely completion of reports on financial reports and internal control structures.
- Internal Control Reports: These reports state that corporate management is responsible for documenting the internal control of their financial records. There is a transparent chain of command through which faults in that system can percolate.
- Data Security: Corporations must implement formal data security policies related to the processing and storing financial data.
- SOX Documentation: Enterprises must maintain continuously updated documentation related to their ongoing compliance with SOX requirements.
Furthermore, all publicly-traded companies must undergo yearly compliance audits against these requirements.
What is SOX 404 Compliance?
The letter of the SOX law is broken down into sections that outline specific requirements for businesses. SOX Section 404 stipulates that these enterprises must establish internal controls for financial reporting. Furthermore, the organization must have processes to document, test and maintain internal controls continuously.
In many ways, complying with Section 404 can become a more costly and time-consuming part of adhering to regulations. This section calls for enterprises to provide annual reports and auditor attestation to the fitness of these internal controls.
Annual filings under SOX 404 include the following:
- A statement attesting to management responsibility for establishing internal controls about financial reporting.
- A report from the enterprise defining the control framework used to evaluate the performance of internal controls.
- A statement from the organization assessing the effectiveness of internal controls over the previous fiscal year.
- A statement from an external auditor attesting to the fitness of the enterprise’s report.
In the case of SOX 404, “internal controls” refer to any company asset that accesses financial information, particularly IT assets. As such, a SOX 404 audit will almost invariably focus on the following areas:
- Security: Covers how an organization protects systems and assets against attacks, including detection of security events, system protection via firewall or other perimeter protections, managing ongoing threat detection via Security Information and Event Management (SIEM) solutions.
- Identity and Access Management: Including any controls to manage user authentication, identity verification, authorization and physical location access (physical badges, keypads, etc.).
- Change Management: Including any change in the internal control environment, such as changes in workforce, changes or upgrades in IT infrastructure, changes in software or vendor relationships and so on.
- Backups: Covers the controls in place to handle data backups and disaster recovery.
As such, controls help organizations manage security risks for financial data. Businesses are required to report on any internal controls and their effectiveness annually using an internal review framework called the Committee of Sponsoring Organizations of the Treadway Commission (COSO), a joint initiative from 5 private organizations supporting best practices in governance, ethics and security.
What Is SOX 404 Top-Down Risk Assessment?
SOX 404 Top-Down Risk Assessment (TDRA) is a risk assessment process tailored explicitly for SOX 404 compliance. This financial risk assessment isn’t a system test per se, but rather a risk assessment of that system to help determine the scope of a SOX 404 audit.
Some of the critical steps typically included in TDRA include the following:
- Identifying financial reporting elements such as disclosures, account reporting or other documentation.
- Identifying material financial statement risks, or the risk that financial statements contain misstatements of a material nature (that is, a misstatement that can cause economic harm or impact economic decisions of relevant stakeholders).
- Identifying the entity-level controls that can mitigate such risks. In this case, these controls apply to policies and procedures related to personnel, employees, management and board members.
- Identify the transactional controls that can mitigate such risks without entity-level controls. In this case, these controls apply to how data is transferred, stored or shared.
- Defining the scope of the assessment for all related controls, including the necessary tests, timelines and expansiveness of such an assessment.
Performing SOX 404 Assessments with Continuum GRC
There are specific assessments and approaches to SOX 404 compliance, and most of them are costly and time-consuming. Approaching such audits is necessary for doing business, even if one can become a major hassle in large or complex companies.
If you are a publicly-traded company, large or small, and you need to automate SOX 404 compliance, including COSO-informed assessments, enterprise risk management and internal control assessments, consider the comprehensive Continuum GRC cloud platform.
Are You Preparing for SOX 404 Compliance?
Call Continuum GRC at 1-888-896-6207 or complete the form below.