Sarbanes Oxley Access Management Requirements

The Sarbanes-Oxley (SOX) Act of 2002 is just one of the many regulations you need to consider when addressing compliance. Also called the Corporate Responsibility Act, SOX may necessitate changes in identity and access management (IAM) policies to ensure your company is meeting the requirements related to financial records integrity and reporting.


What is Sarbanes-Oxley (SOX)?

SOX was passed in July of 2002 in response to a rash of incidents resulting from malpractice in accounting. The regulation added to existing guidelines and included “reforms to improve financial disclosures from corporations and prevent accounting fraud” with the aim of protecting investors from “fraudulent accounting activities.”

All publicly traded companies located or doing business in the U.S. are subject to SOX regulations. The act:

• Increases corporate responsibility for financial reporting
• Establishes new accounting guidelines
• Mandates protections against accounting fraud
• Imposes more serious punishments for noncompliance

Records collected and stored by companies affected by SOX are subject to a number of protocols intended to increase accuracy in reporting and discourage unlawful falsification and destruction of records. With strict rules governing financial reporting and how long records are stored, SOX changes the way many businesses approach accounting.

SOX Compliance Requirements

The first step in SOX compliance is to establish an “accounting framework” to create verifiable paper and data trails for all financial activities. Every action with the potential to affect financial reporting must be traced and documented as proof of compliance, including changes made to financial and accounting software.

In addition, companies must establish internal controls designed to prevent fraudulent activities and reporting. CEOs and CFOs are required to personally certify all records as “complete and accurate” in accordance with section 302 of SOX, affirming they’ve reviewed the controls at least once in the past 90 days.

Section 404 outlines the requirements for monitoring and maintaining controls. Using a framework like COBIT, companies must conduct an annual audit to determine how well the controls are working. and report the results directly to the Security Exchange Commission (SEC). All audit records, whether physical or digital, must be kept on file for no less than five years.

Should a security breach compromise finances or records, SOX regulations require affected companies to report the incident as soon as possible.

Risk of Noncompliance

Failure to comply with SOX can incur serious penalties. Company executives who certify false reports can be fined up to $1 million for each instance, sentenced to up to 10 years in jail or both. Willful certification of false reports carries a fine of up to $5 million, a jail term of up to 20 years or both. The severe nature of these penalties drives home the importance of having strong security measures, especially since a single accounting error can compound and create several inaccurate reports if it isn’t caught in time.

How Does IAM Relate to SOX?

Because both physical and digital records are affected by SOX, access management is an integral part of compliance. When the act was first passed, many businesses weren’t yet dealing with the complexities of connectivity seen in modern enterprises. However, the requirement to put “adequate internal controls” in place for “financial reporting and governance” extends to IT, especially in environments where multiple device types connect to the corporate network from a variety of locations and a great deal of information is handled in the cloud.

Strategic IAM practices control several factors with the potential to affect financial reports:

• Insider threats
• Data breaches
• Human error

By automating activities such as user provisioning and deprovisioning and implementing granular conditional access controls, companies minimize the risk of unauthorized access and reduce instances of privilege creep. Assigning identities to devices makes it easier to control how and where employees access corporate networks, helping prevent some of the problems associated with establishing and enforcing BYOD policies.

Business IAM solutions also include automatic logging and reporting tools so that clear reports can be generated for every audit. Since corporations tend to have large numbers of employees with various levels of network access, automated logging and report generation are essential for SOX compliance. Without these tools, it would be nearly impossible to track the actions of every user and every device, and suspicious behavior could escape notice long enough to cause serious problems.

All digital security policies, including IAM, should be evaluated for efficacy as part of the annual SOX compliance audit.

Access Management Controls

For SOX compliance, organizations should keep the following access management areas in mind:

  • Manage access rights during on-boarding, role changes, off-boarding
  • Ensure Segregation of Duties (SoD)
  • Maintain access control matrix
  • Perform periodic access audits
  • Automate reporting

Staying in compliance with regulations like SOX is important for the safety of your company and the data you handle. If you haven’t yet put measures in place to ensure compliance in regards to financial records and reporting, work with your IT department to develop an IAM strategy designed to minimize errors, prevent unauthorized access and secure all records during transmission and storage.

Read additional articles in our IAM blog.