In my previous blog, we began a discussion on technology-related compliance standards, why we have them, how they work and the specific ways in which they protect us. I introduced the Payment Card Industry Data Security Standard (PCI-DSS) as one of the most well-known and widely applied standards in the U.S. economy.
Another major standard that many larger companies must comply with is the Sarbanes–Oxley Act of 2002, more commonly known as “SOX” (pronounced “socks”). Let’s talk more about SOX, because it has made some pretty big news over the last decade.
The Sarbanes-Oxley Act: Fighting Fraud
Congress enacted Sarbanes-Oxley, or SOX, on July 29, 2002. SOX bears the names of its sponsors at the time: U.S. Senator Paul Sarbanes and U.S. Representative Michael G. Oxley. SOX was written in response to the ENRON financial scandal in which the ENRON stock price was artificially inflated based on fraudulent financial reports published by ENRON, then the 7th largest corporation in the country. ENRON reported increases in earnings quarter after quarter, yet by the end of 2001, it was declared bankrupt. There were other similar scandals around the same time, involving companies named Tyco International, Adelphia, Peregrine Systems and WorldCom.
In an interview with InsideCounsel, former Senator Paul Sarbanes said, “The U.S. capital markets are an important asset, but they rely very much on this worldwide reputation for fairness, honesty and integrity.”
Characterized by former President Bush as “the most far-reaching reforms of American business practices since the time of Franklin Delano Roosevelt,” SOX introduced major changes to the financial practices and governance of organizations large and small. It also set deadlines for compliance. Of SOX’s 11 titles, the sections most important for compliance are often considered to be 302, 401, 404, 409, 802, and 906.
In order to restore some faith in the stock market, SOX was written to provide assurances that published financial reports would be accurate. The “assurance” came with two enforcement mechanisms:
1) Failure to obtain SOX certification from a third-party audit firm meant the company’s stock would be delisted from the stock exchanges.
- This would cause huge damage to the public reputation of the company and would probably impede its business activities.
- Companies often sell stock to raise money to expand their business, so being unable to sell stock may also impede business activities.
2) A fraudulent SOX certification can bring criminal penalties for the chief executive officer (“CEO”) and chief financial officer (“CFO”). The responsibility for these criminal penalties cannot be delegated or handed off to subordinates, particularly the jail-time penalty. The CEO and CFO can each be
- personally fined up to one million dollars ($1,000,000), and/or
- personally imprisoned for up to ten (10) years.
So we need SOX to protect the stock market and, hopefully, to prevent ENRON-like scandals. Even if you personally do not buy or sell stock, your 401(k) retirement plan(s) are most likely invested in the stock market. If you have a pension plan, it is most likely invested in the stock market as well. For more information on Sarbanes-Oxley compliance, visit http://www.sec.gov/about/laws.shtml.
This is the second of a three-part series on compliance presented by John Kulas, a software security analyst for Bridge360. John is a Certified Information Systems Auditor with over a dozen years’ experience across at least a dozen companies. His technical background includes 23 years at IBM. Today, he assists Bridge360 client Xerox/ACS in meeting compliance standards, and enjoys helping non-technical business people understand compliance requirements.