FAQ: What is the impact of Sarbanes-Oxley on IT operations?

This FAQ provides guidance to IT professionals on how Sarbanes-Oxley (SOX) affects IT operations, including who it affects, what is required and what penalties are applied.

With the great impact Sarbanes-Oxley (SOX) has on IT operations, you need to stay informed on who it affects, what...

is required and what penalties are applied. Get key insights into how your organization should approach SOX mandates from these FAQs.

What is the Sarbanes-Oxley Act?

When former President George W. Bush signed the Sarbanes-Oxley Act into law July 30, 2002, he called its provisions "the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt." SOX was enacted in response to high-profile financial scandals in which accounting errors and fraudulent practices resulted in the collapse of Enron and WorldCom. Sarbanes-Oxley was designed to protect shareholders and the general public from similar scandals, particularly with regards to criminal accounting in public companies. Compliance with SOX is administered by the Securities and Exchange Commission (SEC), which publishes requirements and sets deadlines for organizations to comply with them. The SEC provides up-to-date information about the Sarbanes-Oxley Act on its website.

More compliance FAQs?

Get caught up on regulations and more with our IT compliance FAQs.

When it comes to IT operations, the impact of Sarbanes-Oxley has been clear and far-reaching. In fact, the costs of complying with SOX have resulted in many companies choosing to go public outside the U.S. capital markets. As noted in "Sarbanes-Oxley Revisited" in Reason Magazine, however, "the SEC has continued to exempt nearly 5,000 smaller companies, with market capitalizations of less than $75 million, from SarbOx's orders to audit their financial control systems. That exemption is currently set to end in December 2009." When it does, SOX requirements will extend to the IT departments of many more public companies.

What is the role of IT in SOX compliance?

Compliance is now a deeply embedded aspect of corporate IT culture. Why? Sarbanes-Oxley regulations require that an audit trail of log files and all pertinent documentation must be retained for five years. SOX defines which records are to be stored and for how long, focusing specifically on retention of audit and accounting records that relate to the generation of financial statement that will be submitted to shareholders and the SEC. Both paper and electronic versions of this documentation must be retained. SOX does not, however, specify how they are to be stored -- best practices for data protection, disaster recovery and storage management pertain. That means the impact of Sarbanes-Oxley can be felt by nearly every component of IT operations, including messaging, storage, virtualization and even networking, so long as financial data or activity occurs on them. In turn, IT must be able to produce electronic records of these audit trails for compliance audits.

Many enterprise IT shops use Control Objectives for Information and Related Technology (COBIT) as a reference framework for this work. COBIT is an open standard that defines requirements for the control and security of sensitive data. According to WhatIs.com's definition for COBIT, the standard "consists of an executive summary, management guidelines, framework, control objectives, implementation tool set and audit guidelines. Extensive support is provided, including a list of critical success factors for measuring security program effectiveness and benchmarks for auditing purposes."

The IT departments of all public companies must be aware of the key requirements of SOX, including log management, backups and all relevant electronic communications. New platforms for communication enabled by Web 2.0 technologies like blogs, wikis and social networking are introducing all-new compliance headaches, as gigabytes of data are generated through messaging and sharing. If it pertains to finance and accounting, enterprise IT professionals must track and archive it for the inevitable visit by a compliance auditor looking for log files. Increasingly, compliance officers are using event log management software to track key moments where data enters or exits an enterprise, like email systems or the addition or departure of employees with access to sensitive financial data.

Who is affected by SOX compliance?

Anyone who administers systems that are relevant to financial or accounting data is affected by SOX. Many large enterprises have chosen to appoint chief compliance officers to coordinate the work of network administrators, database administrators and remote IT departments. SOX complianc has also forced substantial investment in human resources to maintain, organize and retain audit trails. These respsonsibilities are often passed on to the IT department.

SOX affects only publicly traded companies, unlike compliance regulations like the Payment Card Industry Data Security Standard or Health Insurance Portability and Accountability Act. As a result of the financial and legal penalties that noncompliance imposes, corporate executives have been active in pushing financial and IT departments towards compliance validation. Accounting departments have been able to use sophisticated financial software developed in the years since SOX passed to meet financial requirements. CIOs and chief technology officers are now using event log managers and governance, risk management and compliance software to ease the burden of compliance. As SearchCompliance.com Senior News Writer Linda Tucci reported, however, for compliance management, GRC software may not be the answer.

Sarbanes-Oxley advice for smaller public companies
Smaller public companies have had more challenges when it comes to preparing for Sarbanes-Oxley. James Champy offers some tips for those trying to do more with less in achieving compliance.

What is generally required by SOX?

SOX regulations were written in the wake of massive accounting scandals at Enron, Worldcom and Tyco in the early years of the new millennium. As a result, SOX compliance focuses squarely on the retention of audit trails, in the form of log files and work-papers, for any electronic records that contain, relate to or comment upon financial data. These work-papers and electronic audit trails may not be destroyed, altered or falsified. Revant audit trails must be retained and auditable for five years.

SOX compliance basics: Taking action
Learn how to keep an organization compliant in this webcast, with information about defined SOX goals, COSO and COBIT, audits, provisioning strategies and vulnerability management.

What are the penalties for noncompliance?

The consequences for noncompliance with SOX regulations are fines, imprisonment or both. The severity of the penalty varies with the infraction. Failure to maintain documents and documentation can result in up to 10 years in prison and/or fines. Destruction, alteration or falsification of records can result in up to 20 years in prison and/or fines. Defrauding shareholders of publicly held companies can result in up to 25 years in prison and/or fines.

Section 802 of the Sarbanes-Oxley Act describes these penalties in detail. Specifically:

"Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both." (Section 1519)

These penalties also pertain to destruction, alteration or falsification of records in federal investigations and bankruptcy (Section 1519) and destruction of corporate audit records (Section 1520).

SOX audit statements must be certified by the chief executive officer of the corporate entity. In situations where penalties are assessed, the leaders of the organization are typically held to account, not the IT managers who prepare the report. Ultimate repsonsibility for the accuracy of SOX compliance reports generally rests in the executive suite, not the server room.

Expert advice: A closer look at Sarbanes-Oxley violations
SearchSecurity.com expert Ben Wright clarifies the information security aspect of the Sarbanes-Oxley legislation by providing examples of violations and consequences.

Let us know what you think about the FAQ; email [email protected].

Dig Deeper on SOX and other public company compliance requirements