SOX compliance encompasses many of the same practices as any data security initiative. Representative Oxley (R-OH-4) wrote this bill in response to several high-profile corporate scandals, Enron, WorldCom, and Tyco in particular. The bill passed by overwhelming majorities in both the House and Senate; only three members voted against it.
SOX applies to all publicly traded companies in the United States as well as wholly-owned subsidiaries and foreign companies that are publicly traded and do business in the United States.
Private companies, charities, and non-profits are generally not required to comply with all of SOX. SOX mandates that companies complete yearly audits and make the results readily available to any stakeholder. Companies hire independent auditors to complete the SOX audits, which must be kept separate from any other audits to prevent a conflict of interest. Auditors compare past statements with the current year's and determine whether everything is copacetic. Auditors may also interview personnel and verify that compliance controls are sufficient to maintain SOX compliance standards.
Make sure to update your reporting and internal auditing systems so you can pull any report the auditor requests quickly. Verify that your SOX compliance software systems are currently working as intended so there will be no surprises with those systems.
Your SOX auditor will investigate four internal controls as part of the yearly audit. To be SOX compliant, it is crucial to demonstrate your capability in the following controls.
Now in its fifteenth year, many organizations believe the compliance work has improved their internal control over financial reporting (ICFR), though the cost of being SOX compliant continues to rise.
For those who will need to go through a SOX compliance audit, here is an idea of what can be expected to take place.
This ensures the audit will be impartial. Expect to do some research into accounting firms to find which one works best for you. If you are wondering whether a SOX audit is necessary for your company, the audit applies to the following, according to Sarbanes-Oxley:
As you can see, a SOX compliance audit applies to both public and private companies, regardless of size, despite the rumor that it is only for public companies. Once an organization has hired an independent auditor, the next step usually involves a meeting between management and the auditing firm to discuss the specifics of the audit: when it will take place, what results management expects to see, what will be examined, and so on.
Auditors may also interview staff to verify that job functions match job descriptions and that the employees in those functions have received the training necessary to keep financial assets secure. The assessment of internal controls covers four major categories encompassing all of a company's IT assets:
Access: This refers to the physical and electronic controls that prevent users without the proper credentials from accessing sensitive information. Keeping servers and data centers in secure locations, strong passwords, and lock-out screens also fall into this category.
Security: This means that proper controls are in place on the computers, network hardware, and other devices that financial data passes through, both to prevent breaches and to fix issues should they occur.
Backup: Data centers containing backed-up data, including those stored off-site or by a third party, are subject to the same SOX compliance requirements as those hosted on-site.
Change management: This covers the IT department's process for adding new users and computers, updating and installing software, and making any changes to databases or other data infrastructure components. Keep records of what was changed, when it was changed, and who changed it.
Specifically, the applicable SOX sections require that the following parameters and conditions be monitored, logged and audited: internal controls, network activity, database activity, login activity (successes and failures), account activity, user activity, and information access. SOX auditing requires that "internal controls and procedures" can be audited using a control framework such as COBIT.
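The two record-keeping requirements above (a change-management trail of what/when/who, and logged login successes and failures that an auditor can review) can be illustrated with a small script. The following is an added example written for this article, not code from the page or from any SOX tooling: the change entries and login log lines are constructed sample data, the log line format is an assumption, and chaining each change record to the previous one with a SHA-256 hash is a design choice to make the trail tamper-evident, not something SOX itself prescribes.

```python
"""Tamper-evident change-management trail and login-activity audit summary."""
import hashlib
import json
import re

# Constructed sample change-management entries (hypothetical, not from any real system).
CHANGES = [
    {"when": "2024-03-01T09:15:02Z", "who": "jdoe", "what": "added user 'asmith' to finance-db readers"},
    {"when": "2024-03-01T11:40:37Z", "who": "mlee", "what": "upgraded ERP service to 4.2.1"},
    {"when": "2024-03-02T08:02:10Z", "who": "jdoe", "what": "altered table GL_ENTRIES: added column approver_id"},
]

# Constructed sample login log; the "ts LOGIN user=... result=... src=..." format is an assumption.
LOGIN_LOG = """\
2024-03-01T09:14:58Z LOGIN user=asmith result=success src=10.0.0.5
2024-03-01T09:20:13Z LOGIN user=bjones result=failure src=10.0.0.9
2024-03-01T09:20:41Z LOGIN user=bjones result=failure src=10.0.0.9
2024-03-01T09:21:05Z LOGIN user=bjones result=failure src=10.0.0.9
2024-03-01T09:25:30Z LOGIN user=bjones result=success src=10.0.0.9
2024-03-01T10:02:11Z LOGIN user=svc_backup result=success src=10.0.1.2
"""

GENESIS = "0" * 64  # previous-hash value for the first record in the chain


def _entry_hash(prev_hash: str, when: str, who: str, what: str) -> str:
    """Hash the record fields together with the previous record's hash (canonical JSON)."""
    payload = json.dumps({"prev": prev_hash, "when": when, "who": who, "what": what},
                         sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def build_change_log(changes):
    """Return records carrying what/when/who, each chained to the previous record's hash."""
    records = []
    prev = GENESIS
    for c in changes:
        rec = {"when": c["when"], "who": c["who"], "what": c["what"], "prev": prev}
        rec["hash"] = _entry_hash(prev, rec["when"], rec["who"], rec["what"])
        records.append(rec)
        prev = rec["hash"]
    return records


def verify_change_log(records) -> bool:
    """Recompute the chain; any edited, removed or reordered record breaks it."""
    prev = GENESIS
    for rec in records:
        if rec["prev"] != prev:
            return False
        if rec["hash"] != _entry_hash(prev, rec["when"], rec["who"], rec["what"]):
            return False
        prev = rec["hash"]
    return True


LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) result=(?P<result>success|failure) src=(?P<src>\S+)$"
)


def summarize_logins(text: str):
    """Count login successes and failures per account; malformed lines are ignored."""
    summary = {}
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        counts = summary.setdefault(m["user"], {"success": 0, "failure": 0})
        counts[m["result"]] += 1
    return summary


def accounts_with_failures(summary, threshold: int = 3):
    """Accounts whose failure count reaches the threshold, for the auditor's review list."""
    return sorted(u for u, c in summary.items() if c["failure"] >= threshold)


if __name__ == "__main__":
    log = build_change_log(CHANGES)
    print("change log intact:", verify_change_log(log))
    log[1]["who"] = "someone_else"          # simulate an after-the-fact edit
    print("after tampering:", verify_change_log(log))
    s = summarize_logins(LOGIN_LOG)
    print("login summary:", s)
    print("accounts to review:", accounts_with_failures(s))
```

Run as a script, it reports the chain as intact, then broken once a record's "who" field is altered, and lists bjones as the account with three failed logins before a success. Keeping the chain hash alongside each record lets the auditor verify that the what/when/who history has not been rewritten since it was recorded.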