
    SOX, or the Sarbanes-Oxley Act, is a U.S. federal law adopted to increase the transparency of financial reporting, strengthen corporate responsibility and protect investors from fraud. The law was introduced after major corporate scandals in the early 2000s and established stricter requirements for public companies, their management, auditors and internal controls.

    In the context of IT, cybersecurity and corporate infrastructure, SOX is most often associated with the control of systems that affect financial reporting. These may include ERP systems, accounting systems, databases, document repositories, access management systems, event logs, integrations and applications where financially significant data is created, changed or stored.

    The main idea of SOX is to make financial reporting more reliable and verifiable. Company management must not only publish financial statements, but also confirm responsibility for internal control. The SEC states that Section 404 requires the annual report to include management’s assessment of the effectiveness of internal control over financial reporting.

    What SOX Regulates

    SOX regulates corporate governance, financial reporting, auditor independence, executive responsibility and internal control rules. For public companies, this means that financial processes must be documented, controlled and available for review.

    Section 404 is especially important. It requires management to assess the effectiveness of internal control over financial reporting, and in certain cases, an independent auditor must attest to this assessment. SEC research also states that Section 404(a) requires management to assess and disclose the effectiveness of ICFR, while Section 404(b) requires auditor attestation of this assessment.

    In practice, SOX affects not only the finance department. If an IT system affects financial data, it becomes part of SOX control. Therefore, the requirements may apply to user access, application changes, backups, log storage, segregation of duties and control over administrator actions.


    SOX and IT Controls

    IT controls under SOX are needed to ensure that financial data remains accurate, protected and verifiable. A company must understand who has access to critical systems, who can change data, how changes are recorded and how unauthorized actions are prevented.

    SOX IT controls usually include several areas:

    • access management for financial systems;
    • segregation of duties and prevention of conflicts of authority;
    • control of changes in applications and databases;
    • logging of user and administrator actions;
    • data backup and recovery;
    • regular review of accounts and access rights;
    • documentation of policies, procedures and audit results.

    For example, if the same employee can create a supplier, approve a payment to it and change its bank details, this creates a risk of error or fraud. The SOX approach requires such conflicts to be identified and permissions to be split so that each critical action is subject to a separate control, typically approval by a second person.
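    The supplier-creation example above is a segregation-of-duties (SoD) conflict, and the usual way to find such conflicts at scale is to encode the forbidden privilege pairs as rules and run them over an export of role assignments during an access review. The following is an added illustration, not code from the page or from any ERP vendor: the rule set, the role-to-privilege mapping and the user assignments are all constructed sample data, and the privilege names (`vendor.create`, `payment.approve` and so on) are assumptions chosen for readability.

```python
from dataclasses import dataclass

# Constructed segregation-of-duties ruleset (an illustrative policy, not one
# prescribed by the page or by SOX itself). Each key is a pair of privileges
# that a single identity must not hold at the same time.
SOD_RULES = {
    ("vendor.create", "payment.approve"): "create a supplier and approve payments to it",
    ("vendor.create", "vendor.bank_details.change"): "create a supplier and change its bank details",
    ("payment.approve", "vendor.bank_details.change"): "approve payments and change supplier bank details",
    ("journal.post", "journal.approve"): "post and approve journal entries",
}

# Constructed sample: privileges granted by each role in a hypothetical ERP.
ROLE_PRIVILEGES = {
    "AP_CLERK": {"vendor.create", "invoice.enter"},
    "AP_MANAGER": {"payment.approve", "invoice.enter"},
    "VENDOR_MASTER": {"vendor.bank_details.change"},
    "GL_ACCOUNTANT": {"journal.post"},
    "CONTROLLER": {"journal.approve", "payment.approve"},
    "READ_ONLY": {"report.view"},
}

# Constructed sample: role assignments as an access review export would list them.
USER_ROLES = {
    "alice": {"AP_CLERK", "AP_MANAGER", "VENDOR_MASTER"},
    "bob": {"AP_CLERK"},
    "carol": {"GL_ACCOUNTANT", "CONTROLLER"},
    "dave": {"READ_ONLY"},
}


@dataclass
class SodFinding:
    """One detected conflict: who holds it, which privileges, and via which roles."""
    user: str
    privileges: tuple
    description: str
    roles: frozenset


def effective_privileges(user, user_roles, role_privileges):
    """Union of the privileges granted by every role assigned to the user.
    Conflicts usually arise across roles, so checking per role is not enough."""
    privs = set()
    for role in user_roles.get(user, set()):
        privs |= role_privileges.get(role, set())
    return privs


def roles_granting(user, privilege, user_roles, role_privileges):
    """Which of the user's roles grant a given privilege (needed to decide what to remove)."""
    return frozenset(
        role for role in user_roles.get(user, set())
        if privilege in role_privileges.get(role, set())
    )


def find_sod_conflicts(user_roles, role_privileges, rules):
    """Evaluate every SoD rule against every user's effective privileges."""
    findings = []
    for user in sorted(user_roles):
        privs = effective_privileges(user, user_roles, role_privileges)
        for (left, right), description in rules.items():
            if left in privs and right in privs:
                roles = (roles_granting(user, left, user_roles, role_privileges)
                         | roles_granting(user, right, user_roles, role_privileges))
                findings.append(SodFinding(user, (left, right), description, roles))
    return findings


def users_with_conflicts(findings):
    """Sorted list of users that need remediation, for the review record."""
    return sorted({f.user for f in findings})


if __name__ == "__main__":
    for f in find_sod_conflicts(USER_ROLES, ROLE_PRIVILEGES, SOD_RULES):
        print(f"{f.user}: can {f.description} via roles {sorted(f.roles)}")
```

Run against the sample data, the check flags alice three times (supplier creation, payment approval and bank-detail changes are split across three roles that together form the conflict from the text) and carol once (posting and approving journals), while bob and dave are clean. The `roles` field in each finding is what an access review needs in order to decide which role to withdraw, and the list of findings, together with who reviewed them and how each was resolved, is the kind of evidence an auditor later asks for.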

    Why Businesses Need SOX Compliance

    SOX compliance helps a company confirm that its financial reporting is based on controlled and reliable processes. For public companies, this is a matter of regulatory compliance, investor trust and reduced risk of sanctions.

    For IT teams, SOX is useful because it forces access rights, changes and documentation to be organized. In the infrastructure, it becomes clearer which systems are critical for reporting, who is responsible for them, what changes were made and where evidence of control is stored.

    SOX also reduces the risk of unauthorized changes to financial data. If access rights are reviewed regularly, changes go through approval and actions are recorded in logs, it is easier for a company to detect an error, investigate an incident and prove that processes are correct.

    SOX, Audit and Control Evidence

    A SOX audit relies not only on the existence of policies, but also on evidence that they are being followed. It is not enough to write that access rights are reviewed once a quarter. The company must show when the review was performed, who carried it out, what deviations were found and how they were resolved.

    The same applies to changes in IT systems. If a financial application is updated, an auditor may need change requests, approvals, test results, deployment confirmation and records of who performed the work. This approach helps link technical actions to a controlled process.

    For companies, this means that SOX compliance requires ongoing discipline. Controls must work regularly, not only before an audit. The better access rights, logs, workflows and reports are automated, the easier it is to maintain compliance with the requirements.

    FAQ



    SOX is a U.S. law that requires public companies to maintain stricter control over financial reporting. It helps reduce the risk of errors, fraud and unreliable data in reports for investors.


    SOX primarily applies to public companies listed on U.S. stock exchanges, as well as their subsidiaries, auditors and service providers if their systems or processes affect financial reporting.


    SOX Section 404 is the section of the law related to internal control over financial reporting. It requires management to assess the effectiveness of such controls, and in some cases, an independent auditor to attest to this assessment.


    IT systems often store and process financial data. Therefore, SOX requires control over access rights, changes, event logs, backups and other processes that may affect the accuracy of reporting.


    SOX compliance means that a company meets the requirements of the Sarbanes-Oxley Act: maintains internal controls, documents processes, reviews access rights, controls changes and provides evidence to auditors.
