What is SOX compliance?

What is SOX?

(05.10.06) - The Sarbanes-Oxley Act (SOX) was enacted by the US Congress in July 2002 to restore public confidence in securities, improve corporate governance practices, promote ethical business practices, and increase the transparency and completeness of financial statements.

SOX at a glance
Although SOX does not explicitly address information security requirements, information security is a crucial prerequisite for compliance with the SOX guidelines.

The following provisions are of particular importance to corporate security:
>> Section 302: The correctness of the balance sheets must be certified by the managing director and head of the finance department. The financial data must be accurate and complete.
>> Section 404: The managing director, chief financial officer and auditor must confirm the effectiveness of internal controls. Organizations need to maintain, monitor and report on the effectiveness of controls.
>> Section 409: Companies need to disclose a significant change in their financial situation in real time. Violations or deviations that indicate possible significant changes must be recognized at an early stage.
>> Section 802: Companies must retain and protect the audit records. In accordance with company guidelines, it must be ensured that the documents remain available and unaltered.
Organizations must take adequate security measures to ensure compliance with these regulations.

Fulfillment of the control requirements of the SOX
In May 2003, the Securities and Exchange Commission (SEC) issued guidelines for Section 404, stating that the definition of internal control for financial reporting systems can be based on the COSO framework (Committee of Sponsoring Organizations, Internal Control - Integrated Framework). Other approaches are possible but were not specifically mentioned.
The COSO framework highlights five aspects of effective internal controls:
Control environment: The awareness of control within a company, especially in the company management.
Risk assessment: The evaluation of internal and external factors that influence the performance of a company.
Control measures: The policies and procedures that ensure that risk management tasks are identified, carried out, and completed on time.
Information and communication: The process that is used to identify relevant information and pass it on within an appropriate timeframe.
Monitoring: The process of verifying that internal controls are appropriately designed, effective, applicable and properly carried out. (Source: COSO and Deloitte & Touche)

Internal and external auditors generally rely on the COSO framework for reporting on internal controls. In the USA, some accounting firms have recommended the use of other internationally recognized standards to supplement and expand the COSO framework. These standards include COBIT (Control Objectives for Information and Related Technology), which is the general framework for IT control, and ISO 17799, the international standard for information security management systems.

Complying with SOX regulations and establishing appropriate security measures is a challenge for companies. The first step to success is to become familiar with SOX so that you better understand what is expected of your business. A compilation of links to the Sarbanes-Oxley Act can be found in the information library for this purpose. (Source: Symantec: ra)

