Sarbanes-Oxley


In response to unreliable accounting practices and recent losses in the U.S. stock markets, the Sarbanes-Oxley Act of 2002 was enacted. All publicly traded companies are required to comply with Sarbanes-Oxley (SOX) by implementing an internal controls framework that supports the accountability and integrity of the financial reporting process. Sarbanes-Oxley applies to any publicly traded company in the U.S., including all of its divisions and wholly owned subsidiaries, and to any non-U.S. public multinational company doing business in the U.S.

All financial reporting processes and executive management, including the IT environment, are subject to Sarbanes-Oxley requirements, and non-compliance may result in financial penalties and potential jail time. Furthermore, non-compliance has a direct impact on brand reputation and exposes the company to negative publicity that weakens consumer confidence.

Sarbanes-Oxley requires that companies select and implement an internal control framework. COSO (Committee of Sponsoring Organizations of the Treadway Commission) is the integrated internal control framework recommended for SOX compliance, with COBIT used to design and implement the specific IT controls for the company's environment.

The Sarbanes-Oxley key sections are:

  • Section 201: Prohibited auditor activities
  • Section 302: CEO's and CFO's new responsibilities regarding corporate reports
  • Section 404: Management assessment of internal controls
  • Section 409: Real time disclosure
  • Section 802: Criminal penalties for altering documents
  • Section 806: Whistleblower protection
  • Section 807: Criminal penalties for fraud
  • Section 1102: Tampering with a record or otherwise impeding an official proceeding

Sarbanes-Oxley Compliance Program

The Sarbanes-Oxley Compliance Program is designed to answer the questions raised by any company subject to Sarbanes-Oxley compliance when it evaluates and selects products to support the COBIT IT control objectives relevant to Sarbanes-Oxley requirements. The Compliance Program provides validated evidence of a product's features and capabilities that support those requirements.

Sarbanes-Oxley Compliance Testing and analysis cover several aspects of the product, including:

  • Compliance Effectiveness
  • Product Capabilities Support
  • Scope Impact Analysis and Coverage
  • Management and Usability
  • Suitable for Use in and Recommended Configuration
  • Product Roadmap

Sarbanes-Oxley Compliance Testing criteria

Sarbanes-Oxley Compliance Testing is conducted by trained analysts against the Sarbanes-Oxley Compliance Program criteria, as well as the Compliance Labs functional and quality assurance requirements. The Sarbanes-Oxley Compliance Program criteria are derived from the intent of the Sarbanes-Oxley requirements as seen from the auditor's perspective, from companies' needs, and from consultation with numerous specialists, including vendors of affected products, developers, users and industry groups. The compliance analyst reports the results of each phase of testing in the Reports of Compliance, and also documents the product components submitted by the vendor and the configuration of the product evaluated.

Continuous evaluation process

Compliance Labs developed the continuous evaluation process as a fundamental aspect of the Compliance Labs Sarbanes-Oxley Compliance Program. The continuous evaluation process monitors new compliance requirements and best practices and updates the testing criteria, so that product compliance effectiveness and quality are maintained over the long term.