SOX

Congress passed the Public Company Accounting Reform and Investor Protection Act of 2002, better known as the Sarbanes-Oxley Act (SOX), after a series of accounting scandals that surfaced in 2001 and 2002 and brought down large companies such as Enron and Tyco.

The act sets auditing and financial reporting requirements for publicly traded companies and for the accounting firms that audit them. Its goal is to make corporate disclosures more reliable and transparent in order to deter market manipulation and fraud. It does this by requiring the CEO and CFO to personally certify the financial statements and the effectiveness of internal controls over financial reporting (Sections 302 and 404), by creating the Public Company Accounting Oversight Board (PCAOB) to oversee auditors, and by attaching severe criminal penalties to misconduct such as the alteration or destruction of records (Section 802). The SEC enforces the act against issuers, their officers and directors, and their auditors; it is not a banking regulation, although a bank that is itself a public company is covered like any other issuer.

As with other regulations, SOX states required outcomes rather than technical specifics. Section 404 requires management to assess, and the external auditor to attest to, the effectiveness of internal controls over financial reporting; frameworks such as COSO and COBIT are then used to translate that requirement into concrete IT general controls over the systems that handle financial data: logical access and segregation of duties, change management, operations and backup, logging and reporting, and records management (retention and destruction). Each control should be traceable to the requirement it satisfies, written into security policy, and enforced on the storage, network, database and SaaS platforms that process transactions. Because management's assessment is repeated every year in the annual report and the auditor must test the controls, the configurations should be programmatic and should produce evidence (logs, access reviews, change records) that an external party can examine, so that continuous compliance is demonstrated rather than asserted.

There is no formal SOX certification. The attestation comes from the company's own external auditor under Section 404; where financial processing is outsourced, a service provider's SOC 1 Type 2 report is the usual way to show that its relevant controls are both defined and operating effectively over the reporting period, so that the customer can rely on them in its own assessment. In practice this means controls such as strong, regularly reviewed access control on financial databases, encryption of application traffic, logging of changes to financial records, and monitoring of endpoints for malware and intrusions, all aimed at protecting financial records and preventing their alteration or misuse.
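As an added example, not taken from the original page or from any SOX guidance, the following Python shows one concrete form of the "prevent alteration" control mentioned above: a tamper-evident audit log in which every logged change to a financial record is bound to its predecessor with a keyed hash, so that editing, inserting or deleting a past entry is detectable by an independent verifier. The ledger events, the function names and the in-source integrity key are all constructed for this demo; in a real deployment the key would be held outside the application (for example by the audit function via a KMS) so the system being audited cannot re-sign its own history.

```python
"""Hash-chained (tamper-evident) audit log for changes to financial records.

Added example, not part of the original page. Each entry carries an HMAC over
its sequence number, the previous entry's hash and the record itself, so the
chain can only be extended, never silently rewritten, by anyone without the key.
"""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Assumption: the integrity key is held by an independent party (audit function,
# KMS/HSM), not by the application that writes the log. A key in source is for
# this offline demo only.
INTEGRITY_KEY = b"demo-only-key-do-not-use"
GENESIS = "0" * 64          # prev-hash value for the first entry


def _canonical(obj: Dict) -> bytes:
    # Deterministic serialisation so verification recomputes identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _entry_hash(seq: int, prev: str, record: Dict) -> str:
    body = _canonical({"seq": seq, "prev": prev, "record": record})
    return hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()


def append(chain: List[Dict], record: Dict) -> Dict:
    """Append a record, linking it to the current head of the chain."""
    seq = len(chain)
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": seq, "prev": prev, "record": record,
             "hash": _entry_hash(seq, prev, record)}
    chain.append(entry)
    return entry


def verify(chain: List[Dict]) -> Optional[int]:
    """Return the index of the first entry that fails verification, or None.

    Detects modified record content, re-ordered or deleted entries (sequence
    gap or broken prev link) and forged entries (wrong HMAC without the key).
    It does NOT detect truncation of the tail; see head_matches().
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev:
            return i
        if not hmac.compare_digest(entry["hash"],
                                   _entry_hash(i, prev, entry["record"])):
            return i
        prev = entry["hash"]
    return None


def head_matches(chain: List[Dict], anchored_head: str) -> bool:
    """Compare the chain head with a hash recorded out-of-band.

    Periodically exporting the head hash to an independent store (auditor's
    file, WORM storage) is what makes silent truncation detectable.
    """
    head = chain[-1]["hash"] if chain else GENESIS
    return hmac.compare_digest(head, anchored_head)


# Constructed sample: general-ledger postings and a privileged direct DB edit.
SAMPLE_EVENTS = [
    {"actor": "ap_clerk_01", "action": "post_journal", "je": "JE-1001",
     "account": "2000-AP", "amount": "12500.00"},
    {"actor": "ap_clerk_01", "action": "post_journal", "je": "JE-1002",
     "account": "6100-Expense", "amount": "3200.00"},
    {"actor": "controller_02", "action": "approve", "je": "JE-1001"},
    {"actor": "dba_admin", "action": "direct_db_update", "je": "JE-1002",
     "account": "6100-Expense", "amount": "2200.00"},
]


def build_sample_chain() -> List[Dict]:
    chain: List[Dict] = []
    for event in SAMPLE_EVENTS:
        append(chain, event)
    return chain


def with_field_changed(chain: List[Dict], index: int, field: str, value) -> List[Dict]:
    """Simulate an after-the-fact edit of one logged record (e.g. its amount)."""
    altered = copy.deepcopy(chain)
    altered[index]["record"][field] = value
    return altered


def with_entry_removed(chain: List[Dict], index: int) -> List[Dict]:
    """Simulate deletion of an inconvenient entry from the middle of the log."""
    altered = copy.deepcopy(chain)
    del altered[index]
    return altered


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact chain verifies:", verify(chain) is None)
    print("edited amount detected at index:",
          verify(with_field_changed(chain, 1, "amount", "32000.00")))
    print("deleted entry detected at index:", verify(with_entry_removed(chain, 2)))
    truncated = chain[:-1]
    print("truncation visible to chain alone:", verify(truncated) is not None)
    print("truncation visible against anchored head:",
          not head_matches(truncated, chain[-1]["hash"]))
```

The chain alone cannot tell a log that was legitimately shorter from one whose tail was cut off, which is why the head hash has to be anchored somewhere the logging system cannot write; the same limitation applies to any append-only store whose writer also controls its metadata.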

More important than any particular control is complying with the spirit of the law and taking responsibility for the organization's actions. Policies and processes that protect the integrity and confidentiality of financial data also tend to produce systems that are well architected and maintained, so that the regulatory requirement is met with a minimum of residual risk.