What types of information must be protected by internal controls according to Sarbanes-Oxley?

The Sarbanes-Oxley Act of 2002 is a law the U.S. Congress passed on July 30 of that year to help protect investors from fraudulent financial reporting by corporations. Also known as the SOX Act of 2002, it mandated strict reforms to existing securities regulations and imposed tough new penalties on lawbreakers.

The Sarbanes-Oxley Act of 2002 came in response to financial scandals in the early 2000s involving publicly traded companies such as Enron Corporation, Tyco International plc, and WorldCom. The high-profile frauds shook investor confidence in the trustworthiness of corporate financial statements and led many to demand an overhaul of decades-old regulatory standards.

  • The Sarbanes-Oxley (SOX) Act of 2002 came in response to highly publicized corporate financial scandals earlier that decade.
  • The act created strict new rules for accountants, auditors, and corporate officers and imposed more stringent recordkeeping requirements.
  • The act also added new criminal penalties for violating securities laws.

The act took its name from its two sponsors—Sen. Paul S. Sarbanes (D-Md.) and Rep. Michael G. Oxley (R-Ohio).

The rules and enforcement policies outlined in the Sarbanes-Oxley Act of 2002 amended or supplemented existing laws dealing with securities regulation, including the Securities Exchange Act of 1934 and other laws enforced by the Securities and Exchange Commission (SEC). The new law set out reforms and additions in four principal areas:

  1. Corporate responsibility
  2. Increased criminal punishment
  3. Accounting regulation
  4. New protections

The Sarbanes-Oxley Act of 2002 is a complex and lengthy piece of legislation. Three of its key provisions are commonly referred to by their section numbers: Section 302, Section 404, and Section 802.

Because of the Sarbanes-Oxley Act of 2002, corporate officers who knowingly certify false financial statements can go to prison.

Section 302 of the SOX Act of 2002 mandates that senior corporate officers personally certify in writing that the company's financial statements comply with SEC disclosure requirements and "fairly present in all material respects the financial condition and results of operations of the issuer" at the time of the financial report. Officers who sign off on financial statements that they know to be inaccurate are subject to criminal penalties, including prison terms.

Section 404 of the SOX Act of 2002 requires that management and auditors establish internal controls and reporting methods to ensure the adequacy of those controls. Some critics of the law have complained that the requirements in Section 404 can have a negative impact on publicly traded companies because it's often expensive to establish and maintain the necessary internal controls.

Section 802 of the SOX Act of 2002 contains the three rules that affect recordkeeping. The first deals with destruction and falsification of records. The second strictly defines the retention period for storing records. The third rule outlines the specific business records that companies need to store, which includes electronic communications.

Besides the financial side of a business, such as audits, accuracy, and controls, the SOX Act of 2002 also outlines requirements for information technology (IT) departments regarding electronic records. The act does not specify a set of business practices in this regard but instead defines which company records need to be kept on file and for how long. The standards outlined in the SOX Act of 2002 do not specify how a business should store its records, just that it's the company IT department's responsibility to store them.

The Sarbanes-Oxley Act of 2002 (SOX) is a US federal law administered by the Securities and Exchange Commission (SEC). Among other things, SOX requires publicly traded companies to have proper internal control structures in place to validate that their financial statements reflect their financial results accurately. SOX compliance is heavily influenced by a customer's internal processes, especially controls over financial reporting. For example, SOX requirements involve internal customer controls for the preparation and review of financial statements, and especially controls that affect the accuracy, completeness, effectiveness, and public disclosure of material changes related to financial reporting.

The SEC doesn't define or impose a SOX certification process. Instead, it provides broad guidelines for publicly traded companies to determine how to comply with SOX reporting requirements.

Microsoft and SOX

Microsoft cloud services customers subject to compliance with the Sarbanes-Oxley Act (SOX) can use the SOC 1 Type 2 attestation that Microsoft received from an independent auditing firm when addressing their own SOX compliance obligations. This attestation is appropriate for reporting on internal controls over financial reporting.

Even though there's no SOX certification or validation for cloud service providers, Microsoft can help customers meet their SOX obligations. For example, SOX requires internal controls for the preparation and review of financial statements, especially controls that affect the accuracy, completeness, effectiveness, and public disclosure of material changes related to financial reporting. To help companies, Microsoft maintains a SOC 1 Type 2 attestation appropriate for reporting on such controls across a broad portfolio of services that can be used to build a wide range of applications. It's based on the American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements 18 (SSAE 18) and the International Standard on Assurance Engagements No. 3402 (ISAE 3402). (This attestation replaced SAS 70.)

The audit report, produced by a third-party auditing firm, attests that Microsoft controls were designed appropriately, in operation on a specified date, and operating effectively over a specified time period. Customers can review the reports to learn about Microsoft control objectives and the effectiveness of its controls, and get access to complementary controls.

At Microsoft, we share the responsibility of compliance with our customers. We supply the specifics about our compliance programs, which you can verify by requesting detailed audit results from the certifying third parties. Ultimately, however, it's up to you to determine whether our services comply with the specific laws and regulations applicable to your business. For example, there are SOX-related security controls, such as user access to cloud resources, that are your responsibility: your organization must develop appropriate auditing of these controls as part of your SOX compliance.

Microsoft in-scope cloud platforms & services

  • Azure
  • Dynamics 365
  • Intune
  • Office 365
  • Power BI cloud service (either as a standalone service or as included in an Office 365 branded plan or suite)

Azure, Dynamics 365, and SOX

As cloud adoption gains momentum, more and more customers are exploring how to migrate applications and workloads subject to SOX compliance obligations to the cloud. Even though there's no SOX certification or validation for cloud service providers, Azure can help you meet your SOX obligations.

If you're subject to SOX compliance obligations, you should review the Azure SOC 1 Type 2 attestation, which is performed according to:

  • SSAE No. 18, Attestation Standards: Clarification and Recodification, which includes AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting (AICPA, Professional Standards).
  • SOC 1 Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting (AICPA Guide).

The AICPA SSAE 18 standard replaced SAS 70, and it's appropriate for reporting on controls at a service organization relevant to user entities' internal control over financial reporting. This is the formal audit that you can rely on for third-party reviews of technology service providers when pursuing your own industry-specific compliance obligations for assets deployed on Azure. It includes the auditor's opinion on control effectiveness in achieving the related control objectives during the specified monitoring period.

Moreover, Azure has produced guidance documentation to help you use Azure's existing compliance reports when addressing your own SOX compliance obligations. It draws on internal Microsoft experience with migrating SOX-relevant applications to Azure. The guidance also provides migration best practices, including SOX compliance implications, reviews of two publicly available case studies, and lessons learned from Microsoft's internal migration projects.

Office 365 and SOX

Office 365 environments

Microsoft Office 365 is a multi-tenant hyperscale cloud platform and an integrated experience of apps and services available to customers in several regions worldwide. Most Office 365 services enable customers to specify the region where their customer data is located. Microsoft may replicate customer data to other regions within the same geographic area (for example, the United States) for data resiliency, but Microsoft will not replicate customer data outside the chosen geographic area.

This section covers the following Office 365 environments:

  • Client software (Client): commercial client software running on customer devices.
  • Office 365 (Commercial): the commercial public Office 365 cloud service available globally.
  • Office 365 Government Community Cloud (GCC): the Office 365 GCC cloud service is available for United States Federal, State, Local, and Tribal governments, and contractors holding or processing data on behalf of the US Government.
  • Office 365 Government Community Cloud - High (GCC High): the Office 365 GCC High cloud service is designed according to Department of Defense (DoD) Security Requirements Guidelines Level 4 controls and supports strictly regulated federal and defense information. This environment is used by federal agencies, the Defense Industrial Base (DIB), and government contractors.
  • Office 365 DoD (DoD): the Office 365 DoD cloud service is designed according to DoD Security Requirements Guidelines Level 5 controls and supports strict federal and defense regulations. This environment is for the exclusive use by the US Department of Defense.

Use this section to help meet your compliance obligations across regulated industries and global markets. To find out which services are available in which regions, see the International availability information and the Where your Microsoft 365 customer data is stored article. For more information about the Office 365 Government cloud environments, see the Office 365 Government Cloud article.

Your organization is wholly responsible for ensuring compliance with all applicable laws and regulations. Information provided in this section does not constitute legal advice and you should consult legal advisors for any questions regarding regulatory compliance for your organization.

Office 365 applicability and in-scope services

Use the following table to determine applicability for your Office 365 services and subscription:

Applicability: Commercial

In-scope services: Augmentation Loop, Auto Alt Text, Azure Information Protection, Binary Conversion Services, Bookings, Delve, Document Item, Editor, Exchange Online, Forms, Insert Online Media, Insights, Kaizala, Microsoft Analytics, Microsoft Booking, Microsoft Graph, Microsoft Teams, MyAnalytics, Office 365 Cloud App Security, Office 365 Groups, OneDrive for Business, Planner, Power Apps, PowerApps, Power Automate, Power BI, PowerPoint Designer, PowerPoint Online Document Service, SharePoint Online, Skype for Business, StaffHub, Stream, Sway, To-Do, Web Rendering Service, Yammer Enterprise

Audits, reports, and certificates

SOC 1 Type 2 reports for:

  • Azure and Power BI
  • Dynamics 365
  • Office 365

Frequently asked questions

How can I use Microsoft SOX compliance to facilitate my organization's compliance process?

When you migrate your applications and data to covered Microsoft cloud services, you can build on the attestations and certifications that Microsoft holds. Independent auditor reports attest to the effectiveness of controls that Microsoft has implemented to help maintain the security and privacy of your data. However, you're wholly responsible for ensuring your organization's compliance with all applicable laws and regulations.