Three Marching Steps Towards Complete SOX Compliance
Compliance is, without a shadow of a doubt, a cornerstone of every modern business model. Many enterprises have fallen short of their aspirations to “touch the sky” after failing to play by the government-established rules.
When your company grows, with it grows your responsibility for its fate. As an acting executive with high administrative rights, you need to ensure that everything is done by the book.
SOX compliance has been around for sixteen years now and has quite an impressive list of “victims.” It makes the most sense for all of us to become familiar with it!
Impromptu Introduction to The SOX Compliance Definition
Drafted by Paul Sarbanes and Michael Oxley, the Sarbanes–Oxley (SOX) Act was presented and approved by The United States House of Representatives in 2002.
SOX is designed to protect shareholders and public companies from accounting errors and fraudulent actions inside the enterprise – a truly noble initiative from the representatives of the United States Congress.
SOX is administered by the US Securities and Exchange Commission (SEC) and is fully dedicated to improving the accuracy of corporate financial disclosure and improvement of its governance and accountability levels.
Who Should Comply with SOX and Why?
According to the act, all public companies must comply with SOX on both the financial and the IT level. Even public companies based outside the US, but with a presence in the country, have to be SOX compliant.
The introduction of this act revolutionized the way companies store electronic records and confidential data, especially emails. Even without a clear definition of how to protect the data from breach and falsification, SOX pointed out what exactly should be protected and for how long.
Information like health records, financial data, social security numbers, cardholder data, PHI, and other documents must be protected, as they all fall under the SOX revised data umbrella and travel through unprotected emails.
On top of all that, companies’ worker information, such as wages, earned bonuses, paid time off, and training costs spent on their development, should be accounted for and protected from the threats of the public internet, too.
SOX wants you to maintain such corporate records for at least five years. And when the aforementioned data is transferred via email, the storing necessity becomes a huge issue. What could push the public to welcome such a strict policy of preserving sensitive information?
Attention: Fraud Detected!
The financial market experienced a paradigm shift after entering the new millennium, and that occurrence was followed by a series of massive fraud scandals, which effectively catalyzed the change in legislation and the inception of SOX.
Before false financial reporting reached massive scale and led to the crisis, companies were kept off the radar thanks to strong market positions. Those positions were tested eventually, and the companies were tested with them.
For example, the audit of Enron’s legitimate financial state revealed a vast exaggeration of their net profit and discovered an amended balance sheet that led to the loss of $1.2 billion in the owner’s equity.
Natural Gas Smelled Rather Suspiciously
Basically, this energy company inflated itself so hard that the “balloon” burst from a simple touch of the auditor’s hand. Enron got up too high and too quickly…
Markets responded by simply liquidating Enron’s stock after the news came out. What was once perceived as the 7th biggest company in the US filed for bankruptcy, the biggest in US history at that time. This was only one of the cases that pushed for the emergence of SOX.
The CEO of Enron Jeffrey Skilling and Chairman of the Board Ken Lay both faced court charges, and eventually lost their cases. Now they are serving a 24-year prison term.
A Harsh but Fair Punishment
Although the lying executives got what was coming to them, your company can attract the attention of auditors and violate the SOX Act without any dirty deeds of your own.
The main threat for you is the place where you work daily and the service you can’t imagine your office life without.
The Internet is inhabited with criminals of all sizes and colors who exploit email vulnerabilities and use spear phishing, man-in-the-middle attacks, domain spoofing and other forms of social engineering strategies to rob your enterprise and breach your confidential data.
If you let them, they will leave you with nothing but a pink slip and a black and white robe.
CEO Responsibilities And SOX Compliance Requirements
From that, it is logical to ask yourself: what’s the best way to become SOX compliant in 2018, and is your company ready for a SOX compliance audit in 2019?
Here’s a Sarbanes-Oxley summary of Section 302 (Corporate Responsibility) and Section 404 (Management Assessment of Internal Controls) that reveals the technicalities CEOs and CFOs must keep in mind while engaging in financial reporting:
- CEO and CFO must review all financial and internal control reports
- The effectiveness of the existing control management system must be assessed
- Financial Report shouldn’t contain any data falsification
- Report Information should be presented fairly
- CEO and CFO are responsible for Internal Accounting Controls
- CEO and CFO must indicate material changes in Internal Accounting Controls
- Must report any deficiencies in the controls, and any suspected fraud, to the managers of the auditing company
The latter point involves SOX compliance audit personnel who perform an annual checkup of your company to attest the accuracy of the CEO’s assertion. During the audit, special software is installed that scans your systems for paper trails, possibly revealing fraudulent operations or identifying a data breach initiated by outsiders.
From January 1st of 2005 to April 18th of 2018 there have been 8,854 recorded breaches!
The reaction of Organizations and The Summary of Other SOX Sections
In hindsight, it is obvious that the act fulfilled the expectations of its creators and helped clean up the financial picture. Interestingly enough, more than half of companies reported improvements in internal control over their financial reporting since the implementation of the act.
The fines for attempts to misinterpret the information in reports (Section 906) and attempts to hide the fraudulent offense and intimidate the whistleblowers (Section 902) are huge.
Not establishing real-time cooperation and issue disclosure with an auditor (Section 409) can make you non-compliant too!
The violation of the act will oblige your company with a $5 million fine and can put you behind bars for twenty years. You don’t want to end up like Enron’s bosses after losing a bunch of financial data emails, do you?
The prospects are especially grim when you find out that whistleblowers from your own company who report a violation are protected by the law, according to Section 806. Informants fall under the witness protection system, while the head of the company is thrown under the bus.
6 SOX Compliance Checklist Points To Hit
- Establish safeguard software to prevent data tampering
- Set up a remote location for secure data storing
- Enable advanced data breach detection
- Disclose all the safeguard qualities to SOX auditors
- Verify controls to track data access
- Notify SOX about possible failures of the safeguard software
By all accounts, SOX compliance can turn out to be expensive.
An SEC survey showed that an average company must pay $2.3 million annually to cover direct compliance costs. That sum is made up of staff time, expenses on documentation and auditing processes, and expenses on SOX compliance training.
For contrast, the expenses on legal compliance before SOX stood at $91,000. Times surely have changed!
What Exactly Would Define a Perfect SOX Compliance Solution?
The best option for becoming SOX compliant is having high-tech security controls in place that ensure financial data is accurate and protected against potential loss.
The best practice, in this case, is an appropriate tool, a software that will aid the enterprises in protecting their data.
How can that be achieved?
Although SOX doesn’t have a strict ruling on how to protect the information, encryption is considered to be one of the best practices.
What Else Do You Need Besides SOX Approved Encryption?
Encryption “censors” the content of your financial data-heavy emails and scrambles the numbers into an unreadable form that can be restored to its initial state only by decryption with the right key. Encryption can be called “organized chaos”, as it is executed through a series of well-defined algorithms.
Therefore, the software must be able to:
- Encrypt the content
- Prevent unauthorized access
- Back up files and have them stored securely
Hitting all three objectives without a correct solution is virtually impossible. Besides, evidence of compliance must be featured in your annual Internal Controls Report, and solutions are often used as indicators to show that hack-preventive measures are in full effect.
With all that, CEOs should still look for a cost-effective and completely compliant solution for email protection. It would be fair to assume that one tool wouldn’t be able to hit all the check marks, but it is actually possible.
Seamless SOX Compliance with The Stealth Solution
The StealthMail solution is based on the end-to-end encryption of your emails through a patented Stealth Mashup feature and a never-practiced-before policy of storing encryption keys and encrypted data inside your own company’s Azure cloud.
That cloud backs up the data in six different locations to make the 5-year saving plan possible, which is exactly what you need in the face of a SOX compliance audit.
It is a well-known fact that emails are extremely vulnerable to online hacks, so StealthMail decided to extract their contents and use SMTP-powered emails only to send out a Stealth Link. Financial data stored in emails will never leave the perimeter of your company!
Friendly for Users, Combative Against Hackers
Prevention of unauthorized access is achieved by StealthMail’s policy of a two-way authentication and digital signatures. That keeps the hackers behind the door of your company and cuts out the possibility of identity theft.
A company that uses StealthMail can easily provide the auditors with everything they need to ensure that the solution is reliable and compliant with SOX security policy. You might want to find out that StealthMail provides compliance not only for SOX but also for GDPR and HIPAA.
To find out all the details, read “How You Can Achieve HIPAA Compliant Emailing with a Military-Grade Email Security Solution” and “GDPR Email Compliance: A Necessity of Modern Business Life.”
On top of all that, StealthMail doesn’t require complicated integration and can be used as an Outlook add-in or as a mobile or desktop app.
Achieve SOX compliance certification with StealthMail and forget about nail-biting audits once and for all.