Sarbanes-Oxley Act of 2002 (SOX)
Overview
What is the Sarbanes-Oxley Act of 2002 (SOX)
The Sarbanes-Oxley Act of 2002 consists of several sections designed to improve the quality and integrity of financial reporting. The section that closely impacts IT functions is Section 404, "Management Assessment of Internal Controls." Section 404 requires that a corporation must annually report the following:
- Management's responsibility to establish and maintain adequate internal control over financial reporting
- The framework used as criteria for evaluating the effectiveness of the company's internal control over financial reporting
- Management's assessment of the effectiveness of the company's internal control over financial reporting and disclosure of any material weaknesses
Check Point intelligent security solutions address SOX requirements by using the process control objectives from the IT Governance Institute's "Control Objectives for Information and Related Technology" (COBIT) for guidance. COBIT is a commonly accepted IT governance model that provides both company-level and activity-level objectives along with associated controls. Using the COBIT framework, an organization can design a system of IT controls to comply with Section 404 of SOX.
Who should be concerned about SOX
The Sarbanes-Oxley Act primarily affects public companies with a market capitalization of $75 million listed on U.S. exchanges, as well as foreign filers trading in U.S. markets. SOX requires that public companies evaluate and disclose the effectiveness of their internal controls as they relate to financial reporting, and that independent auditors for such companies "attest" (i.e., agree, or qualify) to such disclosure. In the United States, SOX makes corporate executives explicitly responsible for establishing, evaluating and monitoring the effectiveness of internal control over financial reporting.
What IT systems and processes are impacted by SOX
With the widespread use of IT systems, from mainframe through client-server environments, any system of internal controls must include Information Technology controls. To comply with Sarbanes-Oxley, organizations must understand how the financial reporting process works and must be able to identify the areas where technology plays a critical part. In considering which controls to include in the program, organizations should recognize that IT controls can have a direct or indirect impact on the financial reporting process. While there are many IT systems operating within an organization, Sarbanes-Oxley compliance only focuses on those that are associated with a significant account or related business process.
More About SOX: