The Sarbanes–Oxley Act of 2002, more commonly called SOX, is a federal law that the US Congress passed with the intention of bringing greater probity and accountability to US public accounting and management firms and public company boards. It came into existence in the light of major accounting scandals that rocked the US economy at that time, such as WorldCom and Enron, and its chief purpose was to put regulations in place that assigned responsibility for a company’s conduct at the board level. It created a new set of laws governing how public corporate entities are to be run and what they must comply with. It also prescribes penalties and punishments for a company’s board of directors.
SOX compliance requirements for IT
IT is one of the major disciplines whose regulation the SOX legislation has changed. First and foremost, SOX compliance for IT starts from a new premise: it approaches compliance requirements for IT from the standpoint that the company’s financial audits must be integrated with its technology audits. This presents a big shift, because in most instances financial audits used to focus only on the financial aspects of the company, while IT audits were concerned only with the technological aspects, with almost no connection between the two.
Moreover, SOX compliance for IT makes it mandatory for people at the highest levels of a company’s management, such as the Board of Directors, CEOs, CFOs and the Audit Committee, to vet and produce the relevant documentation of their company’s financial records, and to ensure that the IT systems holding the financial details are verifiably reliable and secure. This marks a very major shift from the previous legislation in this area, as SOX compliance for IT brings senior management into both the financial and the IT audits of a company and, more importantly, makes the two audits work in tandem.
Other important features of SOX compliance for IT systems
The core Information Technology provisions of SOX are found in Section 404, commonly referred to as “SOX-404”.
Salient features of SOX compliance for IT systems
- Section 404 requires controls to be in place. SOX compliance for IT systems seeks to ensure that there are ample controls for preventing fraud, loss or misuse of data relating to the company’s transactions;
- SOX compliance for IT systems also seeks to ensure that these controls are effective. To this end, it requires companies to put in place controls that ensure irregularities are quickly detected and that facilitate speedy correction;
- It allows companies to clearly state exceptions, which must be part of audit trails, so that the right action can be taken to tackle these exceptions;
- SOX compliance for IT systems makes IT systems a part of the larger corporate financial and governance controls audit, which companies have to comply with.