Josh Fruhlinger
Contributing writer

The Sarbanes-Oxley Act explained: Definition, purpose, and provisions

Nov 30, 2020 · 9 mins
Data and Information Security · Regulation · Security

This post-Enron law that aimed to protect investors by preventing fraudulent accounting and financial practices has major implications for data retention and security.


Sarbanes-Oxley Act: Summary and definition

The Sarbanes-Oxley Act (sometimes referred to as the SOA, Sarbox, or SOX) is a U.S. law to protect investors by preventing fraudulent accounting and financial practices at publicly traded companies. Passed in 2002 in the wake of a series of corporate scandals and the bursting of the dot-com bubble, Sarbanes-Oxley imposed a number of reporting, accounting, and data retention mandates to ensure that business practices at big companies remain above board.

While many Sarbanes-Oxley provisions center on financial and accounting matters, proper treatment of corporate data is the cornerstone to many aspects of how the law works—and that has a huge impact on IT, which we’ll focus on in this article.

What is the purpose of the Sarbanes-Oxley Act?

The Sarbanes-Oxley Act is a product of a series of scandals that took place around the turn of the millennium. Several publicly traded companies—Enron and WorldCom were two of the most prominent—used accounting trickery, shell corporations, and other fraudulent techniques to hide business losses from the public and keep stock prices artificially high. Executives and board members used this deception to enrich themselves, cashing out and leaving investors (and, in Enron’s case, employees who had been urged to put their retirement into company stock) holding the bag when the deception could no longer be maintained and the stock price collapsed.

These scandals unwound around the same time dot-com stock prices collapsed, and while none of those early-stage internet companies perpetrated fraud on quite such a scale as Enron, many people believed that they had inflated reports of their earning potential in advance of initially lucrative IPOs, essentially enriching company founders at the expense of investors.

The Sarbanes-Oxley Act imposed a heavy regulatory burden in an attempt to prevent these kinds of abuses from happening again. The law aims to improve corporate behavior by making sure companies produce and retain accurate data about their own finances, and that they are able to make that data available to investors and regulators in near-real time. For IT, that means huge amounts of corporate data have to be kept meticulously accurate and absolutely safe—from both internal and external threats—and have to be available to auditors and investors on short notice.

Who does Sarbanes-Oxley apply to?

A few provisions of Sarbanes-Oxley apply to privately held companies—the law forbids such companies from destroying records to impede a federal agency’s investigation, for instance, or from retaliating against whistleblowers. However, by and large the provisions of the law we’ll be discussing here apply to companies whose shares are traded on public stock exchanges, or that are putting together an IPO to go public. The data transparency that the law mandates is meant to protect investors or potential investors from misjudging a company’s finances due to manipulation by insiders.

Sarbanes-Oxley provisions

The provisions of the Sarbanes-Oxley Act are broken down into numbered sections. Let’s take a look at the sections of most interest in terms of IT and data security:

  • Section 302: Public companies need to file regular reports with the Securities and Exchange Commission. Top executives must personally vouch for the information contained in these reports and are responsible for establishing internal controls over data.
  • Section 404: Annual financial reports must include a section on those internal controls assessing their effectiveness; any shortcomings discovered in those controls must be disclosed. Registered external auditors must vouch for management’s assessment of the internal controls.
  • Section 409: Any material changes in the financial conditions or operations of the company must be disclosed to the public in a timely manner.
  • Sections 802 and 906: These are the sections that deal with penalties. We’ll get into the details later in the article, but they forbid altering documents in a bid to impede an investigation and also make it illegal for anyone to certify a misleading or fraudulent financial report.

Of these sections, 404 is considered the most complex and most onerous. Not only must elaborate technical systems be set up to maintain data integrity and protection, but company management and outside auditors must regularly assess and document the effectiveness of those systems.

Sarbanes-Oxley requirements

Those are a lot of provisions to digest, and you’ll need to dig deep into the specific mandates they impose. But here is a high-level summary of what the law requires that’s worth keeping in mind as a 10,000-foot view:

All applicable companies must establish a financial accounting framework that can generate financial reports that are readily verifiable with traceable source data. This source data must remain intact and cannot undergo undocumented revisions. In addition, any revisions to financial or accounting software must be fully documented as to what was changed, why, by whom and when. [Source: Sarbanes Oxley 101]

You’ll recognize elements here of the CIA triad and its variants. In particular, data integrity must be protected, data must be available to those who need it, and non-repudiation must be enforced to ensure that it’s possible to know who created or altered data.

Sarbanes-Oxley controls

The means by which Sarbanes-Oxley requirements are implemented within an organization are referred to as controls. A control in this context is an internal rule intended to prevent or detect errors or malfeasance within a cycle of financial reporting.

Sarbanes-Oxley mandates that controls be implemented across a company. The Varonis blog gives some specific examples of the kinds of rules that would be investigated as part of a Sarbanes-Oxley audit procedure:

  • Access: You’ll need to have rules that cover both physical access to your offices and paper files and electronic access to your data. The law mandates a least permissive access model, under which employees only have access that’s as extensive as needed to do their jobs but no more extensive than that.
  • Data backup: Financial records must be backed up offsite in ways spelled out by the law.
  • Security: You’ll need a set of rules that demonstrate that you have protected your data against breaches, though the implementation is left up to your discretion within reasonable bounds.
  • Change management: You’ll need to have defined procedures for adding or changing the databases and software that manage your corporate finances, as well as adding new users to your systems.

You’ll notice that these controls are described in abstract ways. In general, controls are spelled out in terms of what they do (or prevent), and it’s up to IT to figure out how to implement them. For instance, the rules on electronic access may identify the job titles whose holders are allowed to modify a company’s internal financial data, but it will be up to the company’s IT department to make sure the correct individuals have the proper permissions on the relevant systems to do so (or be prevented from doing so).
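The requirements above (source data that cannot undergo undocumented revisions, every change recorded as to what, why, by whom and when, and write access limited to approved job titles) are stated abstractly, and the article notes that the implementation is left to IT. The following is an added example, not code from the article or from any of the vendors it cites, of one way to implement such a control: an append-only, hash-chained revision log for financial records. The role table, actor names, invoice IDs and sample revisions are constructed for illustration; a real deployment would draw the permitted roles from the company's own access rules and keep the log on storage that ordinary users cannot write to.

```python
"""Tamper-evident revision log for financial records (added example)."""
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# Constructed example: job titles permitted to alter ledger data. In practice
# this comes from the company's own access rules for financial systems.
ALLOWED_ROLES = {"controller", "senior_accountant"}

GENESIS_HASH = "0" * 64  # prev_hash recorded by the very first entry


class AccessDenied(PermissionError):
    """Raised when an actor's role does not permit modifying financial data."""


@dataclass
class Revision:
    """One documented change: what changed, why, by whom and when."""
    seq: int
    timestamp: str
    actor: str
    role: str
    record_id: str
    field: str
    old_value: str
    new_value: str
    reason: str
    prev_hash: str
    hash: str = ""


def _digest(rev: Revision) -> str:
    """SHA-256 over canonical JSON of every field except the hash itself."""
    body = {k: v for k, v in asdict(rev).items() if k != "hash"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class ChangeLog:
    """Append-only, hash-chained record of revisions to financial data."""

    def __init__(self):
        self.entries = []  # list of Revision, oldest first

    def record(self, actor, role, record_id, field, old_value, new_value,
               reason, when=None):
        # Least-permissive access: only approved roles may write at all.
        if role not in ALLOWED_ROLES:
            raise AccessDenied(f"{actor} ({role}) may not modify {record_id}")
        # A revision without a stated reason is an undocumented change.
        if not reason or not reason.strip():
            raise ValueError("every revision needs a documented reason")
        prev_hash = self.entries[-1].hash if self.entries else GENESIS_HASH
        rev = Revision(
            seq=len(self.entries),
            timestamp=when or datetime.now(timezone.utc).isoformat(),
            actor=actor, role=role, record_id=record_id, field=field,
            old_value=str(old_value), new_value=str(new_value),
            reason=reason, prev_hash=prev_hash,
        )
        rev.hash = _digest(rev)  # binds this entry to everything before it
        self.entries.append(rev)
        return rev

    def verify(self):
        """Walk the chain. Returns (True, None), or (False, index) of the
        first entry that was edited, deleted, or inserted out of order."""
        prev_hash = GENESIS_HASH
        for i, rev in enumerate(self.entries):
            if rev.seq != i or rev.prev_hash != prev_hash or _digest(rev) != rev.hash:
                return False, i
            prev_hash = rev.hash
        return True, None


def build_sample_log():
    """Constructed sample revisions of the kind an auditor would review."""
    log = ChangeLog()
    log.record("a.chen", "controller", "INV-1001", "amount", "1200.00", "1250.00",
               "late fee per contract clause 4.2", when="2020-11-02T09:14:00+00:00")
    log.record("b.ortiz", "senior_accountant", "INV-1001", "status", "open", "paid",
               "payment received, ref TXN-5531", when="2020-11-18T16:40:00+00:00")
    log.record("a.chen", "controller", "INV-1007", "amount", "980.00", "890.00",
               "duplicate line item removed", when="2020-11-30T11:05:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("clean log verifies:", log.verify())
    # An undocumented edit to an old entry breaks the chain at that entry.
    log.entries[0].new_value = "125000.00"
    print("after silent edit:", log.verify())
```

Each entry's hash covers its own fields plus the previous entry's hash, so silently changing, deleting or reordering any past revision is caught by `verify()` at the first affected entry, which gives the integrity and non-repudiation properties the requirements describe; the role check at write time is the least-permissive access rule applied to the one place that matters, the write path.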

This obviously makes for a lot of work, and has perhaps unsurprisingly created a cottage industry of software packages prewritten to help implement standardized Sarbanes-Oxley controls.

Sarbanes-Oxley compliance

Sarbanes-Oxley compliance, then, consists of conforming your company’s procedures to all these mandates by taking the following steps, as summed up in the Varonis blog:

  1. CEOs and CFOs must take responsibility for financial reporting and internal controls
  2. An internal control report must be drafted that takes an honest look at the company’s controls
  3. Formal data security policies must be drafted and consistently enforced, and a data security strategy must be developed
  4. All compliance steps must be recorded and continually documented

All of this takes a lot of work on the part of companies, and many look for help doing it. One organization that offers resources is the Committee of Sponsoring Organizations of the Treadway Commission, or COSO. Formed in 1985 to help fight corporate fraud, COSO has for years maintained a framework for internal controls that companies can follow in order to implement best anti-fraud practices. The most recent revision, which dates from 2013, specifically outlines how it can help you achieve Sarbanes-Oxley compliance.

Exabeam has a great seven-point high-level Sarbanes-Oxley compliance checklist that gives you a quick sense of everything you’ll need to cover:

  1. Prevent data tampering
  2. Record timelines for key activities
  3. Build verifiable controls to track access
  4. Test, verify, and disclose safeguards to auditors
  5. Report on the effectiveness of safeguards
  6. Detect security breaches
  7. Disclose security breaches and failure of security controls to auditors

RSI Security has a more in-depth look at what you need to do when facing a Sarbanes-Oxley compliance audit that has lots of great details.

Sarbanes-Oxley penalties

Sarbanes-Oxley penalties can be quite serious—and, importantly, they apply directly to individuals in positions of power at companies, not just to the companies as institutions. While corporate officers mistakenly signing off on erroneous reports can be punished for it, the worst treatment is reserved for deliberate fraud. For instance, a CEO or CFO who knowingly certifies a report that violates the Act can be fined up to $5 million or sent to prison for up to 20 years.

Sarbanes-Oxley Act: Cases and examples

There are definitely occasions when the U.S. federal government uses the weapons that Sarbanes-Oxley provides. For instance, in 2003, not long after the law was passed, employees from Ernst & Young were arrested for destroying documents pertaining to one of their clients. In 2014 the FEC brought charges against the CEO and CFO of a Florida computer company for misleading auditors on the state of their internal controls.

But in practice, some view Sarbanes-Oxley as a missed opportunity when it comes to prosecuting corporate fraud. Even when financial reports can be shown to be fraudulent, it can be difficult to prove that CEOs and CFOs knew about the fraud when they signed off on the reports—and if prosecutors do have strong evidence of this, they almost always can use the evidence to file even tougher fraud charges that aren’t part of the Sarbanes-Oxley suite of options. Still, law professor Peter Henning says that the law has had a positive effect as a deterrent: it’s established that “accounting shenanigans aren’t going to be tolerated anymore.” Hopefully that makes you feel like the struggle for certification is worth it.