Sox Audit

This document provides an overview of the Sarbanes-Oxley Act of 2002 (SOX) and its compliance requirements. It discusses that SOX was passed after high-profile corporate scandals to increase transparency and oversight of public companies. It applies to public US companies and international companies registered with the SEC. Non-compliance can result in fines and jail time. SOX requires internal control audits to assess financial reporting processes and certify accurate record keeping. It also mandates monitoring and maintenance of controls related to accounting and finances. The document provides details on sections 302 and 404 and outlines a general SOX compliance checklist related to data access, security, change management and backups.

Uploaded by Dsp Varma

SOX Compliance And Audit

1. SOX - At a Glance (History and Background)
2. SOX Applicability & Penalties for Non-compliance
3. SOX Compliance and Internal Control Audit
4. SOX Compliance Checklist

Prepared By
Anup Ghosh
C.A., B.Com.
1. SOX - At a Glance (History and Background)

- SOX refers to the Sarbanes-Oxley Act of 2002.
- Signed into law on July 30, 2002 in the wake of high-profile corporate
scandals at Enron, WorldCom and Tyco International.
- Sponsors: Sen. Paul Sarbanes and Rep. Michael G. Oxley
- Goals of SOX:
“To protect investors by improving the accuracy and reliability of corporate
disclosures” by:
  - Increasing transparency in corporate governance and financial reporting
  - Formalizing a system of internal checks and balances
2. SOX Applicability:
SOX is applicable to:
- All publicly held American companies
- Any international companies that have registered equity or debt securities
with the U.S. Securities and Exchange Commission (SEC)
- Any accounting firm or other third party that provides financial services to
either of the above
Penalties for Non-compliance:
- Penalties for non-compliance with SOX can include fines, removal from listings
on public stock exchanges and invalidation of D&O insurance policies.
- CEOs and CFOs who willfully submit an incorrect certification to a SOX
compliance audit can face fines of $5 million and up to 20 years in jail.
3. SOX Compliance:
Many organizations are using SOX as a framework for:
- Auditing existing IT infrastructure, identifying inefficiencies, redundancies and
superfluous controls.
- Streamlining reporting and auditing processes, increasing productivity and
reducing costs.
- Managing security risks more effectively and responding more quickly in the event of
a breach.

SOX compliance covers data management, reporting and security.

- Section 302: It relates to a company’s financial reporting. It requires a company’s CEO
and CFO to personally certify that all records are complete and accurate.
They must confirm that they accept personal responsibility for all
internal controls and have reviewed these controls in the past 90 days.
- Section 404: It stipulates further requirements for the monitoring and maintenance of internal
controls related to the company’s accounting and financials. It requires
businesses to have an annual audit of these controls performed by an outside
firm. This audit assesses the effectiveness of all internal controls and reports its
findings back directly to the SEC.
- A SOX compliance audit of a company’s internal controls takes place once a
year.
- SOX audits must be separate from other internal audits undertaken by the
company.
- Auditors will inspect previous financial statements to confirm their accuracy; any
variance in the numbers of more than 5% either way is likely to raise red flags.
SOX Audit of Internal Control
Internal controls include any computers, network hardware and other electronic
infrastructure that financial data passes through.
1. Access:
Access refers to both the physical and electronic controls that prevent unauthorized users
from viewing sensitive information. Implementing the principle of least privilege (POLP) is
generally considered one of the best methods of organization-wide access control.
2. Security:
It means making sure appropriate controls are in place to prevent breaches and having
tools to remediate incidents as they occur. Investing smartly in services or appliances that
monitor and protect financial databases is the best way to avoid compliance and security
issues altogether.
3. Change management:
It involves the IT department’s processes for adding new users or workstations, updating
and installing new software, and making any changes to Active Directory databases or
other information architecture components.
4. Backup procedures:
Backup systems should be in place to protect sensitive data.
4. SOX Compliance Checklist:
Based on Sections 302 and 404, the following is a general SOX compliance checklist:
- Safeguards to prevent data tampering:
Detect break-in attempts on computers, databases, fixed and removable storage, and
websites.
- Safeguards to establish timelines:
Timestamp all data in real time as it is received, and prevent data alteration or
loss.
- Verifiable controls to track data access:
Collection of data should be supported from file queues, FTP transfers, and
databases, independent of the actual framework used, such as COBIT and ISO/IEC
27000.
- Detect security breaches.
- Disclose failures of security safeguards to SOX auditors.
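The three checklist items above (tamper prevention, timelines, and verifiable tracking of data access) are usually met together by an append-only audit log whose entries are timestamped on receipt and hash-chained so that any later edit, deletion or reordering is detectable. The following is an added example, not code from the presentation; the class name, the sample users and the ledger identifiers are all constructed for illustration.

```python
"""Tamper-evident, timestamped access log (added example, not from the original deck).

Each record of who touched which financial record is timestamped at the moment it is
received and chained to the previous record through a SHA-256 hash. Editing, deleting
or reordering any stored entry breaks the chain, so verification reports the first
entry that no longer matches. All names and sample events below are constructed.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional, Tuple

GENESIS = "0" * 64  # constructed anchor value used as prev_hash of the first entry


def _digest(body: dict) -> str:
    """SHA-256 over a canonical JSON encoding so key order and whitespace cannot vary."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only list of access events; every entry carries the hash of its predecessor."""

    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        self.entries: List[dict] = []
        # The clock is injectable so a demo or test can use fixed times; default is real UTC.
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def record(self, user: str, action: str, resource: str) -> dict:
        """Stamp the event with the receipt time and chain it to the previous entry."""
        body = {
            "seq": len(self.entries),
            "ts": self._clock().isoformat(),
            "user": user,
            "action": action,
            "resource": resource,
            "prev_hash": self.head(),
        }
        entry = dict(body, hash=_digest(body))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the latest entry; publish it to write-once storage to detect truncation."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Walk the chain. Returns (True, None) if intact, else (False, index of first bad entry).

        If expected_head (a previously published head hash) is given, a log that was cut
        short after that point is reported as bad at index len(entries).
        """
        prev_hash = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if (body.get("seq") != i or body.get("prev_hash") != prev_hash
                    or _digest(body) != entry.get("hash")):
                return False, i
            prev_hash = entry["hash"]
        if expected_head is not None and prev_hash != expected_head:
            return False, len(self.entries)
        return True, None


def demo_log() -> AuditLog:
    """Build a log of three constructed access events with a deterministic clock."""
    start = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    ticks = {"n": 0}

    def fixed_clock() -> datetime:
        ticks["n"] += 1
        return start + timedelta(seconds=ticks["n"])

    log = AuditLog(clock=fixed_clock)
    log.record("analyst1", "READ", "GL-2024-Q1")      # constructed sample events
    log.record("controller", "UPDATE", "GL-2024-Q1")
    log.record("analyst2", "READ", "AP-INVOICES")
    return log


if __name__ == "__main__":
    log = demo_log()
    print("intact:", log.verify())
    log.entries[1]["resource"] = "GL-2024-Q2"          # simulate an after-the-fact edit
    print("after edit:", log.verify())
```

A hash chain proves integrity of what is stored, not who stored it: anyone who can rewrite the log file can recompute every hash. That is why the `expected_head` check matters in practice; the current head hash should be copied periodically to a store the log writer cannot modify (or the entries signed with a key held outside that system), so that an auditor can confirm the log was neither altered nor truncated since the last anchor.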
Thank You
