Why SIEM is a surefire way to help IT teams achieve SOX compliance

Accounting firms, auditors, and all publicly listed companies experienced a pivotal moment on July 30, 2002 with the passing of the Sarbanes-Oxley (SOX) Act. It's been 20 years, and SOX continues to be one of the most impactful financial accounting policies in the US.

If you're an organization in the US with plans to go public, you've probably heard of SOX. For most companies, it is a tedious and lengthy requirement that needs the involvement of several departments. Since SOX deals with preventing fraudulent accounting practices and securing financial data, the IT department plays a crucial role in ensuring that the organization is compliant.

Here, we'll discuss:

1. What SOX is

2. Important terminologies

3. Role of IT teams in SOX compliance

4. How SIEM can help IT teams achieve SOX compliance

What is SOX?

Enforced by the Securities Exchange Commission (SEC), SOX is a law that helps protect shareholders from fraudulent accounting or financial practices, by clearly outlining the roles and responsibilities of the various stakeholders involved and imposing hefty penalties on those who don't comply. The regulation consists of 11 titles and 66 provisions. SOX also established the Public Company Accounting Oversight Board (PCAOB), a non-profit entity that oversees the audit of public companies. All organizations that are publicly listed in the US need to comply with SOX, especially those that are going to launch an IPO. The PCAOB conducts audits either annually or triennially, depending on the number of issuers being handled. If the number exceeds 100, the audit happens annually.

There are four important sections all organizations must keep in mind:

• Section 302: Improper influence of conduct of audits
• Section 404: Management assessment of internal controls
• Section 409: Real time issuer disclosures
• Section 802: Criminal penalties for altering documents

Before examining these sections in detail and understanding how the IT team could help comply with them, let us review a few key terms outlined in the first title of the law.

Important terminologies

• Issuer: Any company that has registered its securities under the Securities Exchange Act 1934 (SEA) or has to file its reports under Section 12 of the SEA.
• Audit: When an independent accounting firm examines the financial statements of an issuer according to the processes outlined by the PCAOB or the SEC.
• Audit committee: An issuer's board of directors usually put together an audit committee to oversee the company's accounting and financial practices as well as their audit policies.
• Audit report: A report prepared during an audit where an independent accounting firm puts forth its opinion of the company's financial statements.
• Professional standards: Accounting principles determined by the issuer or the independent accounting firm handling the audit, and auditing standards set by the PCAOB or SEC.
• Security: Equivalent of the word stock, share, or a similar term as defined in Section 3 of the SEA.
• Regulatory action and enforcement: SEC will propagate the rules and regulations under the Act that are to be followed by public companies, and any violation of these will be considered equivalent to violating the SEA.

Apart from these definitions, it is also important to note that any violation of the SOX act could result in a million dollar fine and up to ten years of imprisonment for the executives of the company—the CEO in particular.

How IT teams can help comply with SOX

IT teams play an important role in SOX compliance because they oversee the access to enterprise systems and devices where confidential financial information of the organization is stored.

Let's take a closer look at the provisions mentioned previously and how IT teams can help comply with these.

1. Section 302: Corporate responsibility for financial reports

According to SOX, CEOs and CFOs are required to sign all financial statements, including annual or quarterly reports, advocating their accuracy, the presence of internal security controls and their efficiency. These statements also include conclusions the executives are required to write based on their assessment of the existing controls.

2. Section 404: Management assessment of internal controls

Section 404 is one of the most expensive requirements companies have to comply with. This is because the issuer must implement a system of internal security controls and best practices for financial reporting. Organizations must submit an internal controls report with their annual report, which also contains an assessment of the internal controls they have in place at the end of their financial year.

3. Section 409: Real-time issuer disclosures

The issuer must disclose in real time any material changes made to the company's financials or related operations. It must be done in a rapid and timely manner, in plain English, and can be accompanied by any other qualitative information or graphs to help investors or the general public understand the changes better.

4. Section 802: Criminal penalties for altering documents

Section 802 talks about two requirements:

• Any accountant who has conducted the audit of an issuer should maintain a record of the documents for five years.
• Any person or entity found tampering or altering financial documents will be liable to either a fine or up to 20 years in prison.

The IT team helps comply with these requirements by:

• Overseeing implementation of internal security controls and their efficiency.
• Consistently keeping an eye on who has access to the financial reports and data.
• Enabling real-time alerting whenever important files are modified.
• Ensuring secure, tamper-free archival of important financial data.
• Putting a speedy incident response mechanism in place, in case of any. tampering or a breach that may ultimately affect data security and accuracy.

How SIEM helps IT teams achieve SOX compliance

Here's how a SIEM solution can help you easily comply with some of the most important, yet taxing, requirements of SOX compliance.

With a SIEM solution like Log360 in place you can:

• Regularly log and track user activity.
• Identify security breaches and suspicious attempts to access financial data.
• Monitor privileged user activity and get notified of any unusual modifications made to confidential files or folders.
• Keep an eye on data entering and leaving enterprise systems through an integrated data loss prevention module.

Get started with a cost-effective and time-efficient solution for SOX compliance. Book an extensive customized demo with one of our product experts to learn more.