Understanding the Sarbanes-Oxley Act
For accountants who deal with publicly owned companies, ensuring your IT infrastructure is SOX-compliant is a must.
The Sarbanes-Oxley Act was adopted as law to ensure that investors have reliable data on which to base their financial decisions. The law was, in large part, a result of the accounting scandals that took place around the turn of the century, including those within publicly traded organizations such as Enron, Tyco International, Adelphia, and WorldCom. These scandals cost investors billions of dollars and resulted in a widespread loss of confidence in American securities. To remedy this loss of confidence, the United States Congress took swift measures in a bipartisan co-sponsored bill that amended the processes by which publicly traded companies reported revenue. The bill is named after its co-sponsors, Senator Paul Sarbanes (D-MD) and Representative Michael G. Oxley (R-OH), and was signed into law by President George W. Bush on July 30, 2002.
By upgrading fiscal reporting laws, many of which were over 60 years old, the Sarbanes-Oxley Act (as it was known upon ratification) changed the way that accountants were required to present information to the boards of publicly traded companies, and thus placed an emphasis on IT to assist in accomplishing this task. Since the law calls for dynamic reporting requirements to be put in place, including pro-forma figures, stock transactions of corporate officers, and off-balance-sheet transactions, computing was to play a larger role than ever in the execution of proper oversight under the Sarbanes-Oxley Act.
What is SOX Compliance?
SOX Compliance is the observation of the protocols mandated by the Sarbanes-Oxley Act.
The sprawling reform made it necessary to report all numbers to the Securities and Exchange Commission (SEC) in an effort to cut back on corporate scandals that had been defrauding investors. It was enacted because a few well-known publicly owned corporations were "cooking their books" in order to retain unjustifiably high stock prices, inflating the worth of their companies. By the time the fraud was discovered, it was too late, and billions of investment dollars were lost.
With regard to technology, a SOX-compliant infrastructure is a secure computing system, created and maintained so that financial information can be transferred privately and securely to accountable parties (i.e., company officers). This infrastructure must meet the requirements of a third-party SOX auditor. These auditors are hired at the expense of the organization that requires the audit.
SOX Compliance Questions
Some of the variables that SOX auditors look for in a compliant IT infrastructure:
- Is there an identity-based security system in place on the applicable framework?
- Do the right people have access to the right data?
- Are services isolated to ensure that a compromised service can't compromise an otherwise compliant infrastructure?
- Does the IT framework or database provide the confidentiality required by Article 404 of Sarbanes-Oxley?
- Is there physical security in place for applicable servers?
- Is there a firewall protecting that server from the internet, with applicable alterations that are to be made specifically for SOX compliance?
- Are your connections to your server encrypted?
Conclusion
It's true that protection against the misrepresentation of revenue often rests on the shoulders of a company's technology.
The IT professionals at ISC can clarify network security and the role it plays in regulatory compliance. Our certified technicians can help you prepare for your SOX, HIPAA, or PCI DSS audit.
For more information on Sarbanes-Oxley compliance for accounting firms, call us today at 502.292.5097.