The Sarbanes-Oxley Act of 2002, sponsored by Paul Sarbanes and Michael Oxley, represents a huge change to federal securities law. It came as a result of the corporate financial scandals involving Enron, WorldCom and Global Crossing. Effective in 2006, all publicly-traded companies are required to implement and report internal accounting controls to the SEC for compliance. In addition, certain provisions of Sarbanes-Oxley also apply to privately-held companies.

Executives who approve shoddy or inaccurate documentation face fines of up to $5 million and jail time of up to 20 years.

SOX auditing requires that “internal controls and procedures” can be audited using a control framework like COBIT. Log collection and monitoring systems must provide an audit trail of all access and activity to sensitive business information. 

A review of a company’s internal controls is often the largest components of a SOX compliance audit. Internal controls include all IT assets, including any computers, network hardware, and other electronic equipment that financial data passes through. A SOX IT audit will look at the following internal control items:

 IT security: Ensure that proper controls are in place to prevent data breaches and have tools ready to remediate incidents should they occur. Invest in services and equipment that will monitor and protect your financial database.

 Access controls: This refers to both the physical and electronic controls that prevent unauthorized users from viewing sensitive financial information. This includes keeping servers and data centers in secure locations, implementing effective password controls, and other measures.

 Data backup: Maintain backup systems to protect sensitive data. Data centers containing backed-up data, including those stored off-site or by a third-party are also subject to the same SOX compliance requirements as those hosted on-site.

 Change management: This involves the IT department process for adding new users and computers, updating and installing new software, and making any changes to databases or other data infrastructure components. Keep records of what was changed, in addition to when it was changed and who changed it.