The SOX Act (Sarbanes-Oxley Act)
Following a series of high-profile financial scandals in the 1990s, the United States government decided to implement legislation aimed at holding companies more responsible for their financial reporting. The Sarbanes-Oxley Act, also known as the SOX Act, was enacted on July 30, 2002, and is administered by the Securities and Exchange Commission. The Public Company Accounting Oversight Board was established to oversee and regulate auditors.
What does the SOX Act address?
At a basic level, the federal law aims to better regulate financial practices and improve corporate governance by holding higher-level management accountable for ensuring the accuracy of information about their organizations' profits and other financial data. By increasing penalties for fraud and mandating robust reporting processes, the SOX Act requires companies to present their operations more honestly and fully.
To make this possible, entities are required to comply with guidelines for establishing and documenting their processes for retaining information about financial processes. From a technical standpoint, companies need to implement tools that facilitate data storage, reporting, and security according to the protocols outlined in the law.
Complying with the SOX Act
Upholding the requirements of the SOX Act is mandatory for all publicly traded companies, with some exceptions for smaller businesses according to the reforms passed in 2007 and 2010. To meet the legislation's specifications for maintaining oversight and reporting on financial data, these entities need to ensure their technology and infrastructure support the law's guidelines.
In a technical context, three important areas to keep in mind are:
- Data storage, including email. Companies must archive all of their business documents, neither shredding physical files nor deleting electronic information, such as emails. Enterprises require the email storage and backup capacity to make this data retrievable for audits.
- Internal controls for financial reports. For example, entities should be able to prevent and detect misstatements and attest to the accuracy of the information they report. Public companies are required to obtain independent audits of these internal control processes.
- Security policies and measures. IT system security is interwoven with SOX Act requirements for data management and authorized access. To keep resources safe, companies need to implement backups and guard their resources from viruses and other malicious attacks. Strong password practices and other access controls also help stakeholders prevent unauthorized people from modifying documents, the SANS Institute explained.
To ease the burden of ensuring their tools are in line with the SOX Act, organizations can seek out vendors to help them implement solutions in a compliant manner. From there, it's the business leaders' responsibility to ensure their employees, top management, and other stakeholders record, manage, and report on financial data appropriately.
Although the legislation still has some critics in terms of the high-level impact it has had on the economy, most observers recognize the benefit of accountability in financial reporting both for the system as a whole and for individual companies. Reporting responsibly, including by complying with the SOX Act, can help organizations foster trust with investors, customers, and business partners.