SOX - an overview
Serious financial fraud was never considered a real risk while investing in U.S.-listed stocks until 2001, when energy giant Enron Corporation, which held $63.4 billion in assets, collapsed. It was revealed that the company had been misleading investors for years and the company’s stock price quickly plummeted from $90 to less than $1 per share. It was the largest bankruptcy in US history, followed by a $40 billion lawsuit and imprisonment for the corporation’s executives.
In the aftermath, to enforce stronger regulations on corporate governance, a new US federal law - The Sarbanes-Oxley Act (SOX) - was enacted in 2002 to ensure financial transparency and reduce accounting fraud across publicly traded companies.
The Sarbanes-Oxley Act consists of 11 titles that cover many different governance areas from corporate responsibility, accountability, and internal controls, to penalties for fraud and non-compliance. The U.S. Securities and Exchange Commission (SEC) is in charge of its enforcement with oversight authority over the Public Company Accounting Oversight Board (PCAOB) - “a nonprofit corporation established by Congress to oversee the audits of public companies in order to protect investors and further the public interest in the preparation of informative, accurate, and independent audit reports”.
Who must comply with SOX?
SOX applies primarily to the following entities:
- Publicly traded U.S. companies
- Publicly traded foreign companies that do business in the U.S.
- Accounting firms that are responsible for auditing SOX-compliant businesses
Also, private companies planning to go public should be prepared to comply with SOX prior to entering the U.S. stock market.
These companies are subject to an annual audit, during which they are obligated to submit financial reports and prove the accuracy and security of their financial data. SOX requires all financial reports to include an Internal Controls Report assessed by an independent auditor.
However, in 2019, the SEC proposed amendments to relax requirements for smaller reporting companies (SRC). Under the proposal, companies with less than $100 million in revenues are not required to obtain an audit of their Internal Controls over Financial Reporting (ICFR) from an independent auditor.
What fines and penalties can result from non-compliance?
Corporate management is personally accountable for non-compliance. CEOs and CFOs face fines of up to 5 million dollars and imprisonment for up to 20 years. Companies that fail to comply with SOX also risk being de-listed from the stock exchange.
SOX requirements and IT controls
As a high-level regulation, the Sarbanes-Oxley Act does not stipulate any IT requirements directly. But since financial data is stored and processed electronically, SOX has a huge effect on corporate IT infrastructures, systems, and processes.
Of the many sections of SOX, the following are considered the most important in terms of IT:
- Section 302: Responsibility for Financial Reports (civil provision)
- Section 401: Disclosures in Periodic Reports
- Section 404: Assessment of Internal Controls
- Section 409: Real-Time Issuer Disclosures
- Section 802: Penalties for Altering Documents
- Section 902: Conspiracies to Commit Fraud
- Section 906: Responsibility for Financial Reports (criminal provision)
Section 404 is the most complicated and expensive section to satisfy, as it requires actual internal controls (ICFR) to be implemented to ensure financial data is protected. It may also require an external audit to attest that the controls are appropriate and correct.
Internal controls typically span the entire infrastructure, including workstations, servers, software, and other devices used to process and report financial data. ICFR assessment is therefore often the largest and most complex part of a SOX audit.
SOX auditors rely on IT frameworks (e.g. COBIT) to benchmark the level of IT governance and investigate four common elements:
- Access controls: A company must ensure sensitive information can only be accessed by users with permission to do so. A company must ensure it tracks who has access to what data and systems.
- Security controls: A company must ensure policies and tools are implemented to prevent security breaches against systems used for financial data processing.
- Change management: A company must ensure it has processes enforced for account, hardware, and software change management (know who and what made a change, and when).
- Data backup: A company must ensure financial and other sensitive data is retained appropriately.
While SOX compliance was initially aimed at financial transparency, it is increasingly about the controls, policies, and procedures a public company puts in place to ensure that data is correct and sufficiently protected. The reason is simple: financial controls only make sense if you keep track of who accesses systems and who tampers with data.
How long should data be retained?
SOX Sections 103 (a) and 801 (a) require public companies and registered public accounting businesses to maintain audit trails for at least seven years.
During the audit, it is not enough to submit a report stating that appropriate internal controls are in place. Companies must be capable of promptly producing the evidence the auditor needs and demonstrating compliance with SOX regulations. Companies must not just log data securely, but also make this data available on demand.
How can NXLog help with SOX compliance?
Security observability and log management play crucial roles in SOX compliance, as they provide an audit trail of access to sensitive data and help to detect breaches almost in real time.
According to Sections 302, 404, and 409, companies have to log and monitor many actions occurring across IT infrastructure, including:
- User activity (logon/logoff, privileged access, unsuccessful logon attempts, etc.)
- Security configuration changes (new users, adding to groups, etc.)
- Database access (dumping and tampering with its data, etc.)
- Network activity (terminal sessions to sensitive systems, access to network resources, etc.)
- Information access (tampering with financial data and critical logs, etc.)
A security observability system must provide an audit trail of all the actions sufficient for timely incident response.
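As an added illustration (not NXLog code or part of the original page), the script below parses a few constructed audit lines in an assumed "timestamp host event key=value" format, maps each event to the SOX control areas listed above, and raises findings for the cases an auditor typically asks about: repeated failed logons, a user adding themselves to a privileged group, and modification of a retained log file. Event names, hosts, and paths are all made up.

```python
import re
from collections import Counter

# Constructed sample audit trail (not real data). Format assumed: "<ts> <host> <event> key=value ..."
SAMPLE_LOG = """\
2024-03-01T08:59:10Z fin-app01 LOGON_FAILED user=jdoe src=10.0.5.20
2024-03-01T08:59:12Z fin-app01 LOGON_FAILED user=jdoe src=10.0.5.20
2024-03-01T08:59:15Z fin-app01 LOGON_FAILED user=jdoe src=10.0.5.20
2024-03-01T09:00:01Z fin-app01 LOGON_OK user=jdoe src=10.0.5.20
2024-03-01T09:05:44Z dc01 GROUP_MEMBER_ADDED group=Finance-Admins member=jdoe actor=jdoe
2024-03-01T09:07:02Z fin-db01 DB_EXPORT user=jdoe table=general_ledger rows=120000
2024-03-01T09:08:30Z fin-app01 FILE_MODIFIED path=/var/log/audit/audit.log user=jdoe
"""

# Map each (hypothetical) event type to the SOX control area it evidences.
CATEGORY = {
    "LOGON_FAILED": "user activity", "LOGON_OK": "user activity",
    "GROUP_MEMBER_ADDED": "security configuration change",
    "DB_EXPORT": "database access", "FILE_MODIFIED": "information access",
}
LINE = re.compile(r"^(\S+) (\S+) (\S+) ?(.*)$")

def parse(line):
    """Split one audit line into a dict of fixed fields plus its key=value pairs."""
    ts, host, event, rest = LINE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": ts, "host": host, "event": event,
            "category": CATEGORY.get(event, "other"), **fields}

def findings(log_text, fail_threshold=3):
    """Return human-readable findings for the SOX-relevant conditions in the trail."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    out = []
    # Access control: brute-force style failures before a successful logon.
    fails = Counter(e["user"] for e in events if e["event"] == "LOGON_FAILED")
    for user, n in fails.items():
        if n >= fail_threshold:
            out.append(f"{n} failed logons for {user}")
    for e in events:
        # Change management: a privileged group change with no separation of duties.
        if e["event"] == "GROUP_MEMBER_ADDED" and e["actor"] == e["member"]:
            out.append(f"self-granted membership in {e['group']} by {e['actor']}")
        # Information access: a retained log being rewritten rather than appended to.
        if e["event"] == "FILE_MODIFIED" and e["path"].startswith("/var/log/"):
            out.append(f"retained log {e['path']} modified by {e['user']}")
    return out
```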
- Simplify processes with unified log collection infrastructure
  NXLog allows an organization to define a unified log collection mechanism across an entire infrastructure, including system and operational components. Unified log collection helps design comprehensive technical solutions and simplify routines and policies that must be documented and communicated to staff.
- Enable audit log centralization with nothing missed
  NXLog supports all popular and advanced log data collection methods. It seamlessly integrates with various data sources, including databases, network appliances, SIEM, and APM systems to ensure a SOX-compliant log management process.
- Enable cost-efficient audit log retention
  According to SOX, audit trails must be retained for seven years: a huge storage capacity problem. NXLog provides log filtration, flexible retention, and routing mechanisms, creating a cost-efficient retention process.
- Enforce audit log & system file monitoring against unauthorized changes
  NXLog provides a File Integrity Monitoring (FIM) module that detects when files are changed and promptly triggers a security event. This helps to protect both critical system files and retained logs from unauthorized tampering.
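To show what the file integrity check behind such a module has to do, here is an added example in Python (not NXLog's implementation): it records a SHA-256 baseline for a directory, then reports files that were added, removed, or modified. Retained logs grow legitimately, so for paths listed as append-only it verifies that the previously hashed prefix is intact and reports "appended" instead of "modified"; a rewrite or truncation of earlier lines still counts as tampering. The directory layout in demo() is constructed in a temporary folder.

```python
import hashlib
import os
import tempfile

def sha256_prefix(path, length=None):
    """SHA-256 of the whole file, or of its first `length` bytes."""
    with open(path, "rb") as f:
        data = f.read() if length is None else f.read(length)
    return hashlib.sha256(data).hexdigest()

def baseline(directory):
    """Map relative path -> (size, digest) for every file under directory."""
    base = {}
    for root, _, files in os.walk(directory):
        for name in files:
            p = os.path.join(root, name)
            rel = os.path.relpath(p, directory).replace(os.sep, "/")
            base[rel] = (os.path.getsize(p), sha256_prefix(p))
    return base

def verify(directory, base, append_only=()):
    """Compare the directory against a baseline and return (event, path) tuples."""
    current = baseline(directory)
    events = []
    for rel, (size, digest) in base.items():
        if rel not in current:
            events.append(("removed", rel))
            continue
        new_size, new_digest = current[rel]
        if new_digest == digest:
            continue
        p = os.path.join(directory, rel)
        # An append-only log may grow, but the bytes already hashed must be unchanged.
        if rel in append_only and new_size > size and sha256_prefix(p, size) == digest:
            events.append(("appended", rel))
        else:
            events.append(("modified", rel))  # rewritten or truncated: tampering
    events += [("added", rel) for rel in current if rel not in base]
    return events

def demo():
    """Constructed scenario: one log appended to, one ledger rewritten, one new file."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "audit"))
        log, ledger = os.path.join(d, "audit", "audit.log"), os.path.join(d, "ledger.csv")
        open(log, "w").write("event 1\n"); open(ledger, "w").write("acct,amount\n1,100\n")
        base = baseline(d)
        open(log, "a").write("event 2\n")                 # legitimate growth
        open(ledger, "w").write("acct,amount\n1,900\n")    # rewritten financial data
        open(os.path.join(d, "new.txt"), "w").write("x")   # unexpected new file
        return sorted(verify(d, base, append_only={"audit/audit.log"}))
```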
The Sarbanes-Oxley Act affects all publicly traded companies in the U.S., with the aim of increasing the accountability and integrity of financial reporting. System and application log files contain crucial information that can be used to detect issues and breaches while providing an audit trail for incident response and forensic investigation. Logs are also a fundamental element of SOX Section 404 Internal Controls.
NXLog helps organizations to stay SOX-compliant by providing a centralized security observability solution. Collect and analyze audit logs across disparate systems to aid in real-time threat detection and response, and ensure you always stay compliant with SOX.