Internal Controls for SOX Compliance: A Practical Guide (2023)

What are internal SOX controls?

The Sarbanes-Oxley (SOX) Act of 2002 is a federal law intended to increase the reliability of financial reporting and protect investors from corporate fraud. It applies to publicly traded companies operating in the United States, as well as some private companies, as defined in SOX Sections 302 and 404.

Section 404 of the SOX regulation requires organizations to implement internal controls to ensure that their financial reports are accurate. SOX controls, also known as SOX 404 controls, are rules that can prevent and detect errors in a company's financial reporting process. Internal controls are used to prevent or detect problems in organizational processes and to ensure that the organization achieves its objectives.


SOX controls must be applied and verified in all cycles that lead to the financial reports or financial results of the company. Internal auditors are required to perform periodic compliance audits to verify that the appropriate controls are in place and working properly.

The SOX standard does not include a list of specific controls. Instead, organizations must define their own controls to meet the regulator's objectives. This could include, for example, access control, change management, segregation of duties, cybersecurity solutions and backup systems.

SOX compliance requirements

To better understand the context of internal controls within the SOX standard, here is a brief overview of SOX requirements:

Senior Management Responsibility

In public companies, the CEO and CFO are directly responsible for all financial reports filed with the Securities and Exchange Commission (SEC). Because the CEO and CFO are held accountable, they face severe penalties for violations, including jail terms and millions of dollars in fines.

Internal Control Report

SOX requires organizations to submit a report demonstrating that company management remains responsible for the internal control structure applied to financial records.

To ensure transparency, all significant weaknesses must be reported to management immediately. Sections 302 and 404 are of great importance to this aspect of the law:

  • SOX section 302: Holds the CEO and CFO accountable for reporting and all related internal controls.
  • SOX section 404: Ensures that financials remain transparent by requiring quarterly updates and annual disclosures, which must be available to the SEC and relevant interested parties.

Data security policy

SOX requires companies to create and maintain a data security policy that protects the storage and use of all financial information. SOX requires organizations to implement this policy consistently and clearly communicate it to all employees.

Compliance Test

SOX requires organizations to create and maintain compliance documentation, which must be available to auditors upon request. In addition, organizations must continually perform SOX control testing, as well as monitor and measure SOX compliance objectives.

SOX internal control audits: 4 focal points

The review of an organization's internal audits and controls is often the largest, most complex and time-consuming part of a SOX compliance audit. This is because internal controls encompass all of a company's IT assets, including computers, hardware, software, and any other electronic devices that have access to financial data.

A SOX IT Controls audit focuses on the following areas:

1. Access control

Evaluate how the organization restricts access and implements access control measures to ensure that only the right people have physical and electronic access to sensitive financial information. This includes physical access measures such as lockouts and video surveillance for server rooms, as well as digital measures such as authentication and permission management using an identity and access management (IAM) solution.

2. Computer security

Evaluate how the organization identifies sensitive data, protects it from cyberattacks, monitors who accesses it and how, and detects security incidents. In the event of an incident, the company must be able to take corrective action in a timely and effective manner. This requires dedicated security personnel, effective security procedures, and security tools such as a SIEM (Security Information and Event Management) system.

3. Backup

Evaluate how the organization protects key data and systems to minimize business interruption and data loss in the event of a disaster. Both the original systems and the data center with backup or standby systems that store financial data must comply with SOX requirements.

4. Change management

Evaluate how the organization manages changes in the IT environment, such as new employees, new IT infrastructure, new software, updates to existing software, and configuration changes. Changes should be logged, all sensitive changes should be monitored, anomalies should be reported, and action should be taken to prevent security breaches.

Best practices for SOX controls

The following best practices can help you implement and audit SOX controls more effectively.

Use a top-down risk assessment approach

According to the PCAOB, it is best to use a top-down approach to assess the risks associated with SOX controls. Begin with the financial statements, identify the entities related to each financial statement, and define the controls required for significant accounts and disclosures related to the financial statements.

The ultimate goal of a risk assessment is to identify potential risks and existing controls and determine if they are sufficient to meet SOX requirements. If not, the next step is to develop new procedures to implement the missing controls.


Determination of SOX materiality

Determining materiality is critical to understanding the level of controls necessary for an organization to be SOX compliant. The following guidelines can help you determine materiality:

  • Identify what is material to the income statement and balance sheet: Check whether a financial statement item can influence the company's economic decisions by analyzing its importance as a proportion of total economic activity.
  • Identify business units or locations with significant account balances: Review the financial statements of every unit of the company. Any unit holding significant account balances will likely need to undergo SOX testing in the next fiscal year.
  • Identify key transactions: Once a significant account balance is determined, identify the specific debits and credits that affect it. Define and document a process to monitor these key transactions.
  • Identify risks in financial information: Examine each account for risks that could lead to key transactions being reported incorrectly. Clearly establish how risk events can affect the account balance and therefore the overall financial statements.

Limit the number of SOX controls by identifying key controls

It can be tempting to apply a control every time a risk is identified in the risk assessment process. However, this leads to a large number of controls that are difficult to implement and enforce and can unnecessarily disrupt business operations.

It is recommended to limit the number of controls to the minimum necessary by identifying the key controls. A simple way to distinguish key and non-key controls is to ask the question: "What risk does this control mitigate? Is the risk low or high?" If the risk is low, monitoring may not be necessary. Use this approach to prioritize your efforts.

Identify manual vs automated controls

In a large organization, it is impossible to implement all controls manually. Distinguish between:

  1. Manual controls
  2. Automated controls outside the scope of IT general controls (ITGC) testing
  3. Automated controls within the scope of ITGC testing

The first two categories are the responsibility of the SOX audit team. The third category, however, is already covered by existing ITGC efforts. By identifying this third category and focusing your efforts on the first two, you can save a lot of time in your SOX compliance audit.

Automate the review of SOX internal controls with Pathlock

Preparing for a SOX audit can be a stressful, expensive, and time-consuming process, but it doesn't have to be. Pathlock provides a real-time, automated solution to demonstrate compliance with your internal controls for SOX. Ongoing monitoring of controls ensures you are always tracking your compliance, so there are no big surprises come audit season.

In today's modern business, nearly 100% of financially relevant activities take place in modern applications like SAP, Oracle, Workday, and NetSuite. By connecting directly to your business applications, Pathlock can automatically monitor activity in those applications to discover control violations and to identify and quantify the financial impact of risk. Both internal and external auditors rely on Pathlock reports to demonstrate the application of, and compliance with, controls.

Prioritize financial impact

Pathlock automatically prioritizes your most critical violations by quantifying access risk: each violation is linked to the actual dollar amount of the out-of-policy transactions behind it.

Complete set of rules

Pathlock's catalog of 500+ rules provides out-of-the-box coverage for controls related to SOX, GDPR, CCPA, HIPAA, NIST, and other leading compliance frameworks.

Real-time access mitigation

Pathlock lets users quickly investigate and respond to potentially risky transactions by reviewing access, revoking users, or enforcing 2FA, or by letting Pathlock respond intelligently in real time, terminating suspicious sessions and blocking transactions.

Out-of-the-box integrations

Pathlock's out-of-the-box integrations extend workflows to the provisioning and service desk tools you already use, such as ServiceNow, SailPoint, Okta, Azure AD, SAP GRC, and more.

Lateral SOD correlation

All permissions and features are correlated with a user's behavior, activities are consolidated across applications, and cross-application SoD conflicts are displayed across financially relevant apps.
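The segregation-of-duties control mentioned earlier and the cross-application correlation described here both come down to one check: map each application's local accounts and roles back to a single enterprise user and a business function, then look for users holding two functions that an SoD rule says must be separated. The following is an added example illustrating that check; it is not Pathlock's code and not from the original page. Every application name, account, role, business function and rule ID in it is constructed for illustration, and the role-to-function mapping is an assumption that in practice comes from each application's role documentation.

```python
"""Cross-application segregation-of-duties (SoD) correlation.

Added example; not Pathlock's code. All applications, accounts, roles,
business functions and rule IDs below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    description: str
    left: str   # business function, e.g. "create_vendor"
    right: str  # conflicting business function, e.g. "approve_payment"


# Constructed mapping of application-local roles to business functions.
# Assumption: maintained from each application's role documentation.
ROLE_TO_FUNCTION = {
    ("SAP", "Z_AP_VENDOR_MAINT"): "create_vendor",
    ("SAP", "Z_AP_PAY_RELEASE"): "approve_payment",
    ("NetSuite", "AP_Approver"): "approve_payment",
    ("Workday", "Payroll_Admin"): "change_payroll",
    ("Workday", "Payroll_Approver"): "approve_payroll",
}

# Constructed SoD rules (rule IDs are placeholders, not a real catalog).
RULES = [
    SodRule("SOD-001", "Vendor creation vs. payment approval",
            "create_vendor", "approve_payment"),
    SodRule("SOD-002", "Payroll change vs. payroll approval",
            "change_payroll", "approve_payroll"),
]

# Constructed per-application access exports: (app, local account, role).
ACCESS_EXPORTS = [
    ("SAP", "JDOE", "Z_AP_VENDOR_MAINT"),
    ("NetSuite", "john.doe@example.com", "AP_Approver"),
    ("Workday", "asmith", "Payroll_Admin"),
    ("Workday", "asmith", "Payroll_Approver"),
    ("SAP", "BJONES", "Z_AP_PAY_RELEASE"),
    ("Oracle", "jdoe", "GL_Super"),  # no identity/role mapping on file
]

# Constructed identity correlation: application-local account -> enterprise user.
ACCOUNT_TO_USER = {
    ("SAP", "JDOE"): "jdoe",
    ("NetSuite", "john.doe@example.com"): "jdoe",
    ("Workday", "asmith"): "asmith",
    ("SAP", "BJONES"): "bjones",
}


def consolidate(exports, account_map=ACCOUNT_TO_USER, role_map=ROLE_TO_FUNCTION):
    """Fold every app-local account into one enterprise user and translate app
    roles into business functions. Rows that cannot be mapped are returned
    separately so the reviewer sees what the correlation could not classify."""
    functions = defaultdict(lambda: defaultdict(set))  # user -> function -> {(app, role)}
    unmapped = []
    for app, account, role in exports:
        user = account_map.get((app, account))
        function = role_map.get((app, role))
        if user is None or function is None:
            unmapped.append((app, account, role))
            continue
        functions[user][function].add((app, role))
    return functions, unmapped


def find_conflicts(functions, rules=RULES):
    """Return sorted (user, rule_id, left_evidence, right_evidence) for every
    user holding both sides of a rule, with the granting (app, role) pairs."""
    hits = []
    for user, funcs in functions.items():
        for rule in rules:
            if rule.left in funcs and rule.right in funcs:
                hits.append((user, rule.rule_id,
                             sorted(funcs[rule.left]), sorted(funcs[rule.right])))
    return sorted(hits)


def single_app_conflicts(exports, app):
    """The same check restricted to one application's export, i.e. what a
    per-application access review sees on its own."""
    functions, _ = consolidate([row for row in exports if row[0] == app])
    return find_conflicts(functions)


def cross_app_only_conflicts(exports):
    """Conflicts that surface only once all applications are correlated."""
    all_hits = {(u, r) for u, r, _, _ in find_conflicts(consolidate(exports)[0])}
    per_app = set()
    for app in {row[0] for row in exports}:
        per_app |= {(u, r) for u, r, _, _ in single_app_conflicts(exports, app)}
    return sorted(all_hits - per_app)


if __name__ == "__main__":
    funcs, leftovers = consolidate(ACCESS_EXPORTS)
    for user, rule_id, left, right in find_conflicts(funcs):
        print(f"{user}: {rule_id} via {left} and {right}")
    print("visible only cross-app:", cross_app_only_conflicts(ACCESS_EXPORTS))
    print("unmapped rows needing review:", leftovers)
```

In the constructed data, the payroll conflict is visible inside Workday alone, but the vendor-creation/payment-approval conflict is split between SAP and NetSuite and only appears after the two accounts are correlated to the same user; a per-application review reports nothing for that user. The unmapped Oracle row is deliberately not silently dropped, since an account that cannot be tied to an identity or a role that has no function mapping is itself a finding for the access-control review.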

Continuous control monitoring

Pathlock identifies top risks by monitoring 100% of financial transactions from applications like SAP in real time, uncovering gaps for remediation and investigation.

Article information

Author: Pres. Carey Rath

Last Updated: 02/06/2023
