A Guide to Completing Your Next SOX Compliance Audit

Kezia Farnham
Tags:

Though it’s been over 20 years since the United States Congress passed the Sarbanes-Oxley Act, corporations need to complete regular SOX compliance audits to ensure they follow all of the legislation’s requirements

The intention of SOX was — and has remained — to minimize the adverse impact of corporate financial scandals on investors. It accomplishes this by rigorously mandating the keeping of financial records and their security and placing all covered companies under a single rule for compliance.

While effective, the rise in emphasis on the SOX act has also created a significant demand on time. Since 53% of CFOs reported increased hours spent on SOX compliance in 2022, establishing practical audit tools and processes is more critical than ever.

Below, we help you understand:

  • The meaning of a SOX compliance audit
  • Nine items necessary for your SOX compliance audit checklist
  • Critical steps to completing your SOX audit

What Is a SOX Compliance Audit?

A SOX compliance audit is an annual appraisal of an organization’s internal controls and financial reporting. The goal is to verify that a company’s financial statements are accurate and complete. 

To do this, an auditor will access security controls, review documentation of any changes and comb through all financial statements to verify that there is no financial misconduct. Companies that don’t comply with SOX — intentionally or otherwise — may have to pay a penalty.

SOX Compliance Checklist

All companies must consider their compliance footprint, regardless of size. Here are nine items to include within the scope of a SOX compliance audit checklist:

  1. Safeguards To Prevent Data Tampering (Section 302.2): An ERP system or GRC software’s implementation to track user login access to all computers containing sensitive data and detect break-in attempts to databases, storage, computers and websites.
  2. Safeguards To Establish Timelines (Section 302.3): All data should be timestamped via implementing an ERP system or GRC software. Data should be instantly stored at a remote location to prevent loss or alteration. Log information should also be moved to a secure site, with an encrypted MD5 checksum created to avoid tampering.
  3. Verifiable Controls To Track Data Access (Section 302.4.B): An ERP system or GRC software to be implemented that can receive data messages from a virtually unlimited number of sources. Collection of data should be supported from file queues, FTP transfers, and databases, independent of the actual framework used, such as COBIT and ISO/IEC 27000.
  4. Ensure That Safeguards Are Operational (Section 302.4.C): The implementation of an ERP system or GRC software that can distribute reports via RSS and issue daily reports to email addresses to verify that the system is up and running from any location.
  5. Report the Effectiveness of Safeguards Periodically (Section 302.4.D): An ERP system or GRC software to be implemented that generates multiple types of reports, including a report on all messages, critical messages, alerts and uses a ticketing system that archives what security problems and activities have occurred.
  6. Detect Security Breaches (Section 302.5.A/B): ERP system or GRC software to perform semantic analysis of messages in real-time and use correlation threads, counters, alerts, and triggers that refine and reduce incoming messages into high-level alerts. These alerts generate tickets to then to list the security breach, send out email or update an incident management system.
  7. Disclose Security Safeguards to SOX Auditors (Section 404.A.1.1): Access to be provided to auditors using role-based permissions via the implementation of an ERP system or GRC software. Auditors may be permitted complete access to specific reports and facilities without the ability to make changes to these components, or reconfigure the system.
  8. Disclose Security Breaches to SOX Auditors (Section 404.A.2): Implement an ERP system or GRC software capable of detecting and logging security breaches, notifying security personnel in real-time, and permitting resolution to security incidents to be entered and stored. All input messages are continuously correlated to create tickets that record security breaches and other events.
  9. Disclose Failures of Security Safeguards to SOX Auditors (Section 404.B): Implementing an ERP system or GRC software that periodically tests network and file integrity and verifies that messages are logged. The system should ideally interface with standard security test software and port scanners to confirm that IT security is monitored successfully.

Key Steps In a SOX Compliance Audit

Conducting a SOX audit is similar to any other internal audit. Take any steps to ensure that the auditor can quickly access and review all controls and related documentation. This typically involves: 

  • Ensuring your program is sufficiently configured: You should make sure you align with the COSO internal controls framework, have an internal controls library and use SOX templates to more consistently achieve compliance across your organization. 
  • Capturing and remediating any issues: Your auditor shouldn’t be the person who discovers any issues. Test your system ahead of your audit, solve any problems and report on the remediation. 
  • Testing your controls: You should have an ongoing approach to testing controls, but audit preparation is also a great time to confirm that your controls are in place and functioning as expected. 
  • Centralizing your risk and control library: Ensuring all of your controls and associated documentation are in one place. This not only makes it easier to achieve consistency across your organization, but it also helps the auditor quickly access the information they need. 
  • Creating SOX reporting dashboards: Transparency is vital to achieving and maintaining compliance. Create dashboards so your security teams and your auditor can quickly monitor performance. 

With your controls and documentation in place, the auditor can get to work to assess whether or not your organization is SOX complaint. To do so, they’ll review four primary security controls. These are: 

  1. Access: Access controls can be both physical and digital. Doors and badges are examples of access controls, as are zero trust access frameworks. The auditor will want to see that users have the exact access level they need to do their job — no more and no less. This is one of the best ways to prevent a breach due to unauthorized network or building access. 
  2. Security: You should have controls that prevent breaches and leaks and reduce the risk of cyberattacks. These controls should extend to any vendors or third parties and cover your entire network, also called your attack surface. 
  3. Data backup: SOX requires that organizations back up all of their financial data in another network or location. A SOX compliance audit will review both your main storage system and your backup storage system for compliance.
  4. Change management: You should have controls defining what to do when you need to introduce a change to your system. This includes adding and managing users, implementing new software, or changing applications that pertain to your organization’s finances. 

Leverage Technology for SOX Compliance Audits

SOX compliance can be complex. It requires deep visibility into both physical and digital controls, which can be hard to compile manually. Compliance audit software creates more transparency for you, your board and your auditor, making the SOX compliance audit process more accessible than ever.

Related Insights
Kezia Farnham Diligent
Kezia Farnham
Kezia Farnham, a Senior Manager at Diligent, has spent several years working in the B2B SaaS sector. Her expertise in equipping governance, risk, audit, compliance and ESG professionals with key insights into sustainability, cybersecurity and the regulatory landscape helps them stay ahead of an increasingly challenging business environment.