This post-Enron law that aimed to protect investors by preventing fraudulent accounting and financial practices has major implications for data retention and security.

Sarbanes-Oxley Act: Summary and definition

The Sarbanes-Oxley Act (sometimes referred to as the SOA, Sarbox, or SOX) is a U.S. law to protect investors by preventing fraudulent accounting and financial practices at publicly traded companies. Passed in 2002 in the wake of a series of corporate scandals and the bursting of the dot-com bubble, Sarbanes-Oxley imposed a number of reporting, accounting, and data retention mandates to ensure that business practices at big companies remain above board.

While many Sarbanes-Oxley provisions center on financial and accounting matters, proper treatment of corporate data is the cornerstone of many aspects of how the law works, and that has a huge impact on IT, which is what we’ll focus on in this article.

What is the purpose of the Sarbanes-Oxley Act?

The Sarbanes-Oxley Act is a product of a series of scandals that took place around the turn of the millennium. Several publicly traded companies (Enron and WorldCom were two of the most prominent) used accounting trickery, shell corporations, and other fraudulent techniques to hide business losses from the public and keep stock prices artificially high.
Executives and board members used this deception to enrich themselves, cashing out and leaving investors (and, in Enron’s case, employees who had been urged to put their retirement into company stock) holding the bag when the deception could no longer be maintained and the stock price collapsed.

These scandals unwound around the same time dot-com stock prices collapsed, and while none of those early-stage internet companies perpetrated fraud on quite such a scale as Enron, many people believed that they had inflated reports of their earning potential in advance of initially lucrative IPOs, essentially enriching company founders at the expense of investors. The Sarbanes-Oxley Act imposed a heavy regulatory burden in an attempt to prevent these kinds of abuses from happening again. The law aims to improve corporate behavior by making sure companies produce and retain accurate data about their own finances, and that they are able to make that data available to investors and regulators in near-real time. For IT, that means huge amounts of corporate data have to be kept meticulously accurate and absolutely safe, from both internal and external threats, and have to be available to auditors and investors on short notice.

Who does Sarbanes-Oxley apply to?

A few provisions of Sarbanes-Oxley apply to privately held companies: the law forbids such companies from destroying records to impede a federal agency’s investigation, for instance, or from retaliating against whistleblowers. However, by and large the provisions of the law we’ll be discussing here apply to companies whose shares are traded on public stock exchanges, or that are putting together an IPO to go public. The data transparency that the law mandates is meant to protect investors or potential investors from misjudging a company’s finances due to manipulation by insiders.

Sarbanes-Oxley provisions

The provisions of the Sarbanes-Oxley Act are broken down into numbered sections.
Let’s take a look at the sections of most interest in terms of IT and data security:

- Section 302: Public companies need to file regular reports with the Securities and Exchange Commission. Top executives must personally vouch for the information contained in these reports and are responsible for establishing internal controls over data.
- Section 404: Annual financial reports must include a section on those internal controls assessing their effectiveness; any shortcomings discovered in those controls must be disclosed. Registered external auditors must vouch for management’s assessment of the internal controls.
- Section 409: Any material changes in the financial condition or operations of the company must be disclosed to the public in a timely manner.
- Sections 802 and 906: These are the sections that deal with penalties. We’ll get into the details later in the article, but they forbid altering documents in a bid to impede an investigation and also make it illegal for anyone to certify a misleading or fraudulent financial report.

Of these sections, 404 is considered the most complex and most onerous. Not only must elaborate technical systems be set up to maintain data integrity and protection, but company management and outside auditors must regularly assess and document the effectiveness of those systems.

Sarbanes-Oxley requirements

Those are a lot of provisions to digest, and you’ll need to dig deep into the specific mandates they impose. But here is a high-level summary of what the law requires that’s worth keeping in mind as a 10,000-foot view:

All applicable companies must establish a financial accounting framework that can generate financial reports that are readily verifiable with traceable source data. This source data must remain intact and cannot undergo undocumented revisions. In addition, any revisions to financial or accounting software must be fully documented as to what was changed, why, by whom and when.
[Source: Sarbanes Oxley 101]

You’ll recognize elements here of the CIA triad and its variants. In particular, data integrity must be protected, data must be available to those who need it, and non-repudiation must be enforced to ensure that it’s possible to know who created or altered data.

Sarbanes-Oxley controls

The means by which Sarbanes-Oxley requirements are implemented within an organization are referred to as controls. A control in this context is an internal rule intended to prevent or detect errors or malfeasance within a cycle of financial reporting.

Sarbanes-Oxley mandates that controls be implemented across a company. The Varonis blog gives some specific examples of the kinds of rules that would be investigated as part of a Sarbanes-Oxley audit procedure:

- Access: You’ll need to have rules that cover both physical access to your offices and paper files and electronic access to your data. The law mandates a least permissive access model, under which employees only have access that’s as extensive as needed to do their jobs but no more extensive than that.
- Data backup: Financial records must be backed up offsite in ways spelled out by the law.
- Security: You’ll need a set of rules that demonstrate that you have protected your data against breaches, though the implementation is left up to your discretion within reasonable bounds.
- Change management: You’ll need to have defined procedures for adding or changing the databases and software that manage your corporate finances, as well as adding new users to your systems.

You’ll notice that these controls are described in abstract ways. In general, controls are spelled out in terms of what they do (or prevent), and it’s up to IT to figure out how to implement them.
For instance, the rules on electronic access may identify the job titles whose holders are allowed to modify a company’s internal financial data, but it will be up to the company’s IT department to make sure the correct individuals have the proper permissions on the relevant systems to do so (or are prevented from doing so).

This obviously makes for a lot of work, and has, perhaps unsurprisingly, created a cottage industry of software packages prewritten to help implement standardized Sarbanes-Oxley controls.

Sarbanes-Oxley compliance

Sarbanes-Oxley compliance, then, consists of conforming your company’s procedures to all these mandates by taking the following steps, as summed up in the Varonis blog:

- CEOs and CFOs must take responsibility for financial reporting and internal controls
- An internal control report must be drafted that takes an honest look at the company’s controls
- Formal data security policies must be drafted and consistently enforced, and a data security strategy must be developed
- All compliance steps must be recorded and continually documented

All of this takes a lot of work on the part of companies, and many look for help doing it. One organization that offers resources is the Committee of Sponsoring Organizations of the Treadway Commission, or COSO. Formed in 1985 to help fight corporate fraud, COSO has for years maintained a framework for internal controls that companies can follow in order to implement best anti-fraud practices. The most recent revision, which dates from 2013, specifically outlines how it can help you achieve Sarbanes-Oxley compliance.
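The requirements and controls above say what must be true (source data that cannot undergo undocumented revisions, every change documented as to what, why, by whom and when, least-permissive access to financial data, and compliance steps that are continually recorded) and leave the how to IT. As an added example that is not from this article, from Varonis, COSO or any other vendor named here, the Python below implements one such control: a hash-chained audit log over a constructed general-ledger sample, a hypothetical role table that gates who may change ledger data, and a verification routine an auditor could run to detect an edit that was made without a corresponding log entry. The record ids, roles, amounts, actors and reasons are all constructed for illustration.

```python
import copy
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample of a financial record store: general-ledger line items
# keyed by id. Values are illustrative and belong to no real company.
LEDGER = {
    "GL-1001": {"account": "4000-Revenue", "amount": 125000.00, "period": "2023-Q3"},
    "GL-1002": {"account": "5000-COGS", "amount": 81000.00, "period": "2023-Q3"},
}

# Hypothetical role table implementing a least-permissive access model:
# only roles holding "modify_ledger" may change ledger data.
ROLES = {
    "acct-controller": {"modify_ledger"},
    "acct-analyst": set(),  # read-only
}

GENESIS_HASH = "0" * 64  # prev_hash of the very first entry


def can_modify(role: str) -> bool:
    """Access control check: does this role hold the modify_ledger permission?"""
    return "modify_ledger" in ROLES.get(role, set())


def _entry_hash(entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so an entry always hashes the same way.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def record_change(log, ledger, record_id, field, new_value, actor, role, reason, when=None):
    """Apply one change to the ledger and append a hash-chained audit entry.

    Refuses changes from roles without modify_ledger and changes with no stated
    reason, so every revision is documented as to what changed, why, by whom and when.
    """
    if not can_modify(role):
        raise PermissionError(f"{actor} ({role}) may not modify ledger data")
    if not reason.strip():
        raise ValueError("a reason is required for every ledger change")
    old_value = ledger[record_id][field]
    ledger[record_id][field] = new_value
    entry = {
        "seq": len(log),
        "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
        "record_id": record_id,
        "field": field,
        "old": old_value,
        "new": new_value,
        "actor": actor,
        "role": role,
        "reason": reason,
        "prev_hash": log[-1]["hash"] if log else GENESIS_HASH,  # links to the prior entry
    }
    entry["hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_log(log):
    """Return (True, None) if the chain is intact, else (False, seq of the first bad entry).

    An entry is bad if its sequence number, its link to the previous entry, or its
    own hash (recomputed over everything except the stored hash) does not match.
    """
    prev = GENESIS_HASH
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or entry["prev_hash"] != prev or _entry_hash(body) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None


def demo():
    """Build a two-entry log, then simulate an undocumented in-place edit and detect it."""
    ledger = copy.deepcopy(LEDGER)
    log = []
    t = datetime(2023, 10, 2, 14, 30, tzinfo=timezone.utc)  # constructed timestamp
    record_change(log, ledger, "GL-1001", "amount", 118000.00, "jdoe", "acct-controller",
                  "Reversed duplicate invoice INV-5531 (constructed)", when=t)
    record_change(log, ledger, "GL-1002", "period", "2023-Q4", "jdoe", "acct-controller",
                  "Invoice received after period close (constructed)", when=t)
    intact_before = verify_log(log)[0]
    # Someone rewrites the logged old value directly instead of recording a new change.
    log[0]["old"] = 118000.00
    return intact_before, verify_log(log)


if __name__ == "__main__":
    print(demo())  # (True, (False, 0))
```

A hash chain only proves the log is internally consistent: anyone who can rewrite the whole log can recompute every hash. To make it usable as evidence for an auditor, the log is written to append-only storage and the latest chain hash is anchored somewhere the writers cannot reach (signed, or copied to a separate system on a schedule), and the role table itself is treated as financial data, with its own logged changes.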
Exabeam has a great seven-point high-level Sarbanes-Oxley compliance checklist that gives you a quick sense of everything you’ll need to cover:

- Prevent data tampering
- Record timelines for key activities
- Build verifiable controls to track access
- Test, verify, and disclose safeguards to auditors
- Report on the effectiveness of safeguards
- Detect security breaches
- Disclose security breaches and failure of security controls to auditors

RSI Security has a more in-depth look at what you need to do when facing a Sarbanes-Oxley compliance audit that has lots of great details.

Sarbanes-Oxley penalties

Sarbanes-Oxley penalties can be quite serious, and, importantly, they apply to individuals in positions of power at companies directly, not just the companies as institutions. While corporate officers mistakenly signing off on erroneous reports can be punished for it, the worst treatment is reserved for deliberate fraud. For instance, a CEO or CFO who knowingly certifies a report that violates the Act can be fined up to $5 million or sent to prison for up to 20 years.

Sarbanes-Oxley Act: Cases and examples

There are definitely occasions when the U.S. federal government uses the weapons that Sarbanes-Oxley provides. For instance, in 2003, not long after the law was passed, employees from Ernst & Young were arrested for destroying documents pertaining to one of their clients. In 2014 the SEC brought charges against the CEO and CFO of a Florida computer company for misleading auditors on the state of their internal controls.

But in practice, some view Sarbanes-Oxley as a missed opportunity when it comes to prosecuting corporate fraud. Even when financial reports can be shown to be fraudulent, it can be difficult to prove that CEOs and CFOs knew about the fraud when they signed off on the reports, and if prosecutors do have strong evidence of this, they almost always can use the evidence to file even tougher fraud charges that aren’t part of the Sarbanes-Oxley suite of options.
Still, law professor Peter Henning says that the law has had a positive effect as a deterrent: it’s established that “accounting shenanigans aren’t going to be tolerated anymore.” Hopefully that makes you feel like the struggle for certification is worth it.