SOX Compliance - The Questions You Should Ask Your Vendor

The Sarbanes-Oxley Act (SOX) is a Federal law that is meant for all publicly-held companies in the USA. Non-compliance to this law usually attracts civil and criminal penalties. One of the major aims of the Sarbanes-Oxley Act is to lay a firm foundation for establishing security controls that are verifiable, to prevent disclosure of data that is confidential and sensitive in nature. It also enables tracking of staff and personnel to discover instances of data tampering, which may be related to any kind of fraud. The most critical objective of this act is to prevent instances of fraud and elevate the confidence and trust of the public in a business.

With respect to the questions that an organization should ask a vendor providing SOX compliance and consulting services, the questions should be based on the following sections and subsections mentioned below. Read the SOX compliance checklist below.

Sections of the Sarbanes-Oxley Act (SOX)

The SOX Act comprises of several sections which a company needs to comply with. The two main sections of the Act include -

• Section 302 - This section is essentially meant to safeguard companies from faulty financial reporting. Companies are required to safeguard their data and make sure that their financial reports are not based on incorrect, faulty or tampered data, which may lead to several inaccuracies.
• Section 404 - This section includes the good measures of Section 302 (mentioned above) while also specifying safeguarding measures which need to be in such a state that they can be easily verified by external, independent auditors. This is important because it should be easy for auditors to immediately identify security and finance breaches, and communicate the same to the shareholders of a company and the public. The security of data cannot be concealed or hidden from auditors at any point under this section.

SOX Compliance Questions

Based on the above sections, there are several SOX subsections which businesses need to comply with. We have tried to align the questions you can ask your vendor, while also detailing our own unique ability to handle the same.

• Section 302.2 - Establishing necessary safeguards to avoid tampering of data

  The officer who signs the final SOX compliance report must attest to the validity and authenticity of the information that has been reported. Measures must be taken to ensure data tampering is not done and that the report can be verified by external auditors.

  • Question to Vendor

    Since data is so critical while making such reports, you should ask your vendor to provide written and documented evidence of all secure environments that they maintain on their premises which are used to process your internal data.

  • Our Capability

    At Outsource2india, we closely monitor all the computers that are used to process the sensitive financial data of your company. Besides, we also track the entry of removable storage media to the computers like USB pen drives, CDs, etc. to make sure that no sensitive data is carried out from the computers.

• Section 302.3 - Establishing safeguards to determine timelines

  Fair representation of financial information, as per the accurate time, is crucial when reporting for SOX compliance. This section asks for the signing officer to confirm that the reported information relates to a verifiable period.

  • Question to Vendor

    Your selected vendor must be held answerable and provide accurate timestamps to all the data that is generated as per your project requirements.

  • Our Capability

    At Outsource2india, we store the reported financial data in a remote location, as soon as it is generated, in real-time. We ensure that we prevent any kind of loss of data or alteration of data, by providing a secure audit trail.

• Section 302.4.B - Establishing verifiable controls to monitor data access

  Having control on all the data is very important. This section of SOX compliance emphasizes the importance of having essential internal controls for data security, while making sure that all the relevant data is stored in an internally controlled and secure environment.

  • Question to Vendor

    As a company that is seeking SOX compliance services from an external vendor, you should ask the vendor clearly whether they have access to a secure and verifiable internal framework where your data would remain safe for extended periods of time, and provide evidence for the same.

  • Our Capability

    Outsource2india can process more than two thousand messages per second. Our robust software can manage a surge of over ten thousand messages per second, which are received from different sources. All this data exchange takes places over secure servers, and is constantly guarded against network security breaches.

• Section 302.4.C - Ensuring operational safeguard measures

  This section requires reporting officers to evaluate the efficacy of internal controls on a date that is 90 days prior to the report. It is essential that such a framework of checking internal controls is reviewed and verified periodically.

  • Question to Vendor

    A valid question that you can ask a provider of SOX compliance management services is, "Do you have the required framework in place for periodic review and evaluation of internal controls?"

  • Our Capability

    At Outsource2india, we have a host of facilities that can provide reports daily to the important people in your organization on the status of the continuous performance of our internal systems. In addition, we have a web-based program that can be accessed from your network with a remote login, using which you can check the status of our internal systems at any time.

• Section 302.4.D - Reporting about the efficacy of safeguard measures regularly

  This section calls for a report on the efficacy of the security system that safeguards all sensitive data. This report should be submitted to the officers and auditors of the enterprise on a regular basis.

  • Question to Vendor

    You should ask your vendor about having such a capability to provide reports on security effectiveness at regular intervals.

  • Our Capability

    At Outsource2india, we generate many types of reports, such as, a report on self-generated alerts, a report on all critical messages, etc. They are available in MS Excel format as well as other formats desired by our clients, to make it easy for auditors to go through them. Our reports give you an overview on all the activities that we have undertaken for effectively managing security, within a defined time.

• Section 302.5.A&B - Detecting and identifying breaches in security

  This sub-section is like Section 404 about which you read earlier. It calls for detecting and identifying security breaches (if any) in the system, which may arise due to loopholes in the control system.

  • Question to Vendor

    As a customer, you can ask your vendor to detail out the exact measures they are taking to address security breaches in the system as well as preventing them from happening.

  • Our Capability

    Outsource2india is very particular about security breaches and we pay a lot of emphasis to this. Using a correlation engine, we perform real-time semantic analysis of all messages in the system. This refines and reduces incoming messages to alerts, which then open tickets directed to the IT team to document any breach in security.

• Section 404.A.1.1 - Disclosing security safeguard measures to independent auditors

  This sub-section calls for the management of auditors who are appointed to review the operations. They are also required to review the existing security framework and control mechanisms in place for financial reporting. The parties responsible for security operations must be made clear and disclosed to the relevant appointer auditors.

  • Question to Vendor

    You must ask your vendor for such a facility that enables auditors to understand and review the security framework, even from a remote location, without making too many changes to the security system.

  • Our Capability

    We, at Outsource2india, use role-based permissions to provide access to auditors to review our security situation. Our secure, web-based system enables auditors to review our security framework from a remote location, while allowing them to physically check the premises if so necessary.

• Section 404.A.2 - Disclosing security breaches to independent auditors

  As per this sub-section, auditors are required to evaluate the efficacy of an organization's internal control structure. It is imperative to disclose to the auditor the efficacy of the entire security framework.

  • Question to Vendor

    Please make sure that you ask your vendor about this provision, and whether they will be able to disclose the exact parameters of their security setup to the audit team.

  • Our Capability

    At Outsource2india, we provide a security logging solution that can identify security breaches (if any) and inform our security staff in real-time. All activities to resolve security breaches are recorded for future purposes. Our integrated security system quickly informs security personnel about any cases of suspected data tampering, or the presence of any compromised files.

• Section 404.B - Disclosing failures of security safeguard measures to independent auditors

  This sub-section of the SOX Act asks all auditors to be aware of, and report about any changes that they notice to the existing internal security controls, and failures (if any) that could adversely affect internal controls. There must be a verification process that certifies the existence of a security framework, which is both operational and efficient.

  • Question to Vendor

    Your vendor must ensure that they have a process in place to disclose all their failures while trying to implement security safeguard measures to independent auditors.

  • Our Capability

    At Outsource2india, we conduct regular tests of the existing networks to confirm that the data is being logged, and regular reporting is taking place as per the norms of the SOX Act. Our proactive security monitoring system can trigger an alert or alarm to the auditors in real-time.

Our Related Services

COBIT and ISO 27000 Support

As per this section, the SOX Act requires companies to establish necessary rules by which it is controlled and audited. This type of "internal control" or governance can be established by using many available techniques. One of the most popular techniques is the COBIT Framework, which has been developed by the ISACA. It is a set of guidelines that describe the relevant processes and organizational-level requirements which are necessary to promote security and good governance, that comply with the requirements of the SOX Act.

The ISO/IEC 27000 standard relates to all aspects of information security, which is very critical when it comes to reporting financial data. At Outsource2india, we have implemented security controls (that can be verified) and safeguard measures to adhere to the ISO/IEC 27000 standard.

We closely monitor and track the file structures on all our information systems, including security, software, hardware and network architectures.

Outsource SOX Compliance Management Services to Outsource2india

At Outsource2india, we have a robust system in place to make sure that all the sections of the Sarbanes-Oxley Act are complied with, while ensuring due diligence by providing a verifiable audit trail, well-documented reports, and in-depth reports of all anomalies recorded (if any). Leverage our expertise in understanding SOX compliance requirements and streamline all compliance aspects of your business.

Contact us if you have questions on SOX compliance. Outsource your finance and accounting services to Outsource2india.