The Sarbanes-Oxley Act (SOX) is a Federal law that applies to all publicly held companies in the USA. Non-compliance with this law usually attracts civil and criminal penalties. One of the major aims of the Sarbanes-Oxley Act is to lay a firm foundation for establishing verifiable security controls that prevent the disclosure of confidential and sensitive data. It also enables the tracking of staff and personnel to discover instances of data tampering, which may be related to any kind of fraud. The most critical objective of the Act is to prevent fraud and to raise public confidence and trust in a business.
The questions an organization should ask a vendor of SOX compliance and consulting services should be based on the sections and subsections of the Act described below. Read the SOX compliance checklist below.
The SOX Act comprises several sections with which a company needs to comply. The two main sections of the Act are:
Based on the above sections, there are several SOX subsections with which businesses need to comply. For each of them, we list the questions you can ask your vendor and describe how we ourselves handle the requirement.
The officer who signs the final SOX compliance report must attest to the validity and authenticity of the information that has been reported. Measures must be taken to prevent data tampering and to ensure that the report can be verified by external auditors.
Since data is so critical to such reports, you should ask your vendor for written, documented evidence of all the secure environments they maintain on their premises for processing your internal data.
At Outsource2india, we closely monitor all the computers that are used to process the sensitive financial data of your company. We also track the use of removable storage media such as USB pen drives and CDs on these computers, to make sure that no sensitive data is carried away from them.
Fair representation of financial information for the correct time period is crucial when reporting for SOX compliance. This section requires the signing officer to confirm that the reported information relates to a verifiable period.
Your selected vendor must be held accountable for providing accurate timestamps on all the data generated for your project.
At Outsource2india, we store the reported financial data in a remote location in real time, as soon as it is generated. We prevent any loss or alteration of data by maintaining a secure audit trail.
Having control over all the data is very important. This section of SOX compliance emphasizes the importance of having essential internal controls for data security, while making sure that all relevant data is stored in an internally controlled and secure environment.
As a company seeking SOX compliance services from an external vendor, you should ask the vendor clearly whether they have a secure and verifiable internal framework in which your data would remain safe for extended periods of time, and ask them to provide evidence of it.
Outsource2india can process more than two thousand messages per second. Our robust software can manage a surge of over ten thousand messages per second, received from different sources. All this data exchange takes place over secure servers and is constantly guarded against network security breaches.
This section requires reporting officers to evaluate the efficacy of internal controls as of a date 90 days prior to the report. It is essential that such a framework for checking internal controls is reviewed and verified periodically.
A valid question you can ask a provider of SOX compliance management services is, "Do you have the required framework in place for periodic review and evaluation of internal controls?"
At Outsource2india, we have a host of facilities that provide daily reports to the key people in your organization on the ongoing performance of our internal systems. In addition, we have a web-based application, accessible from your network through a remote login, with which you can check the status of our internal systems at any time.
This section calls for a report on the efficacy of the security system that safeguards all sensitive data. This report should be submitted to the officers and auditors of the enterprise on a regular basis.
You should ask your vendor whether they have the capability to provide reports on security effectiveness at regular intervals.
At Outsource2india, we generate many types of reports, such as a report on system-generated alerts and a report on all critical messages. They are available in MS Excel format as well as other formats our clients desire, to make it easy for auditors to go through them. Our reports give you an overview of all the activities we have undertaken to manage security effectively within a defined period.
This sub-section is like Section 404, about which you read earlier. It calls for detecting and identifying security breaches (if any) in the system, which may arise from weaknesses in the control system.
As a customer, you can ask your vendor to detail the exact measures they take to address security breaches in the system and to prevent them from happening.
Outsource2india is very particular about security breaches and places a lot of emphasis on this. Using a correlation engine, we perform real-time semantic analysis of all messages in the system. This refines and reduces incoming messages to alerts, which then open tickets directed to the IT team to document any breach of security.
This sub-section covers the management of the auditors appointed to review the operations. They are also required to review the existing security framework and the control mechanisms in place for financial reporting. The parties responsible for security operations must be clearly identified and disclosed to the appointed auditors.
You must ask your vendor for a facility that enables auditors to understand and review the security framework, even from a remote location, without making too many changes to the security system.
We, at Outsource2india, use role-based permissions to give auditors access to review our security situation. Our secure, web-based system enables auditors to review our security framework from a remote location, while also allowing them to physically check the premises if necessary.
As per this sub-section, auditors are required to evaluate the efficacy of an organization's internal control structure. It is imperative to disclose to the auditor the efficacy of the entire security framework.
Make sure that you ask your vendor about this provision, and whether they will be able to disclose the exact parameters of their security setup to the audit team.
At Outsource2india, we provide a security logging solution that can identify security breaches (if any) and inform our security staff in real time. All activities undertaken to resolve security breaches are recorded for future reference. Our integrated security system quickly informs security personnel of any suspected data tampering or the presence of compromised files.
This sub-section of the SOX Act asks all auditors to be aware of and report any changes they notice to the existing internal security controls, as well as any failures that could adversely affect internal controls. There must be a verification process that certifies the existence of a security framework that is both operational and effective.
Your vendor must have a process in place for disclosing to independent auditors any failures encountered while implementing security safeguards.
At Outsource2india, we conduct regular tests of the existing networks to confirm that data is being logged and that regular reporting is taking place as required by the SOX Act. Our proactive security monitoring system can trigger an alert or alarm to the auditors in real time.
As per this section, the SOX Act requires companies to establish the rules by which they are controlled and audited. This type of "internal control" or governance can be established using many available techniques. One of the most popular is the COBIT Framework, developed by ISACA. It is a set of guidelines describing the relevant processes and organizational-level requirements needed to promote security and good governance in compliance with the SOX Act.
The ISO/IEC 27000 standard relates to all aspects of information security, which is critical when reporting financial data. At Outsource2india, we have implemented verifiable security controls and safeguards in adherence to the ISO/IEC 27000 standard.
We closely monitor and track the file structures on all our information systems, including security, software, hardware and network architectures.
At Outsource2india, we have a robust system in place to make sure that all sections of the Sarbanes-Oxley Act are complied with, while ensuring due diligence by providing a verifiable audit trail, well-documented reports, and in-depth reports of all anomalies recorded (if any). Leverage our expertise in understanding SOX compliance requirements and streamline all compliance aspects of your business.