Are There Holes in Your SOX? (Sarbanes-Oxley Compliance for Public and Private Companies)


The illicit transgressions by Enron and others like it in the late 1990s led to regulations created to standardize the trustworthiness of financial institutions and public companies. Companies facing SOX compliance will need to consider the following: what are the best-practice processes, how do these processes differ from existing practices, how should new processes be implemented, and how can short-term processes be balanced with longer-term strategic goals?

– – – – – – – – –

A World Before SOX:

The enterprise world had a rude awakening after a series of well-publicized corporate financial scandals. Many stories of misappropriated corporate dollars surfaced in the late 1990s involving the likes of Enron, Tyco and WorldCom. Legislation soon responded to the multitude of gross transgressions committed by the upper echelon management of the enterprise world.

Offenses committed by these industry heads ranged from extravagant multi-million dollar trips to exotic locales, to large private gifts to spouses, to shuffling company funds to bankroll other investments. The corporate world needed to be held accountable for its misdeeds. SOX (the Sarbanes-Oxley Act), or the Public Company Accounting Reform and Investor Protection Act of 2002, came to fruition to improve corporate governance and help police possible future misdeeds.

The 2002 Sarbanes-Oxley Act requires publicly traded entities to define, evaluate and document processes that lead to senior management accountability. SOX requires that audits or substantive verification controls be in place to ensure senior management is held accountable for its financial actions.

Why Should Privately Held Businesses Care About SOX?

While SOX applies directly to publicly traded companies, privately held businesses that wish to do business with companies traded on exchanges such as the NASDAQ must also become Sarbanes-Oxley compliant.

Many large public corporations will simply refuse to do business with privately held companies that are not SOX compliant. Private firms that want to do business with large public entities are now also thrown into a SOX-compliant landscape.

SOX affects a broad range of industries that “touch” the information of publicly traded firms, including but not limited to:

  • Attorneys
  • Accountants and Auditing Firms who review company financial statements
  • Brokers or dealers and their employees
  • Security companies handling electronic transactions
  • International businesses who operate in the United States

Acceptance of SOX by private companies is not an issue, as “73% of private company CEOs said SOX has done at least a decent job of improving financial governance and transparency for public companies.”(1)

Who’s Responsible for SOX Communication Compliance?

SOX requires that incoming and outgoing correspondence be monitored. Depending on the business’s structure, communication exchanges can be monitored by the Chief Compliance Officer (CCO), Chief Information Officer (CIO) and Chief Risk Officer (CRO). These executives are responsible for the security, accuracy and reliability of the organization’s reporting and messaging systems.

Well-groomed organizations have policies, set in place by their primary high-level officers, outlining what sorts of information may or may not be communicated outside a department and outside the organization. While these rules exist, firms often don’t take the necessary steps to make sure employees within the organization understand these rules and their importance.

What are the Key Elements of SOX Which Relate to Electronic Data Storage and E-mail Security?

  • SOX Section 404: Financial spreadsheets and reports must be safeguarded from being falsified or accidentally or deliberately redistributed.
  • SOX Section 409: Real-time disclosure of material that impacts the company’s finances must be reported within 48 hours.
  • SOX Section 802: Guarantees that documents and records are not altered.
  • SOX Section 1102: Corrupting, altering, mutilating, destroying or concealing records is a violation. Those found guilty of obstructing an investigation or official proceeding will face 20 years in prison and fines.

The Sarbanes-Oxley Act focuses on corporate governance, accountability and the reporting practices of publicly held companies. Yet the act also impacts private firms that one day might become public and those who do business with publicly traded companies.

What are the Holes in Your SOX Compliance?

While sharing information online is a convenient luxury of e-commerce, it also creates a great vulnerability as information, data and correspondence are traded from business to business. Data and email exchange can pose both SOX compliance and privacy concerns.

Misuse of company information isn’t exclusive to U.S. companies. According to a BBC News report, staff at 18% of large UK firms gained unauthorized access to information during 2005, and nine per cent of those large firms saw staff misuse restricted information.(2)

How Can Your Firm Sew Up its SOX Holes?

Executive management seeking to be SOX compliant must have the fortitude and commitment to plan strategically and execute the Sarbanes-Oxley Act’s directives. The firm’s CEO, CFO, CCO/CRO and CIO must cooperate and pay exacting attention to detail when establishing policies to be SOX compliant. The need for creating and implementing strong electronic data and email retention policies, and for compliance in line with SOX, has never been greater than in today’s fast-changing electronic business world.

Email is not necessarily secure against interception. Whether or not email is encrypted in transmission depends on your software. It is therefore our policy not to send emails to you that contain identifiable information about you, your household, or business.

Andy Purdy, acting director of the National Cyber Security Division of the Department of Homeland Security, in a 2006 interview with CNET identified the importance of protecting a company’s digital assets:

“Small businesses and large enterprises and the government are all important when trying to reduce the cyber-risk. We’re trying to raise awareness with partners of the responsibility and techniques consumers can use to help secure their systems…”(3)

Before Sarbanes-Oxley, corporations saw a gross abuse of executive power at the cost of earnest growth in business. Today, stiff criminal and civil penalties for violations of securities law will be instituted against companies that do not meet SOX standards.

How can private firms flourish in today’s email-reliant arena while being SOX compliant? Introducing strong compliance policies in line with SOX, including firewalls, up-to-date virus protection, encryption and email anti-theft measures, can help a business work cooperatively with publicly traded companies.

Benefits of Email Anti-Theft Software

Implementing email anti-theft measures allows a company to grow in credibility, reputation and trust, all factors that lead to increased clientele and revenue.

With security measures to protect company correspondence as well as outbound email, SMB firms can be both prudent with their technology budgets and well-armed with the tools and resources necessary to be industry compliant. Clients will feel more secure about sharing their personal information with compliant SMB offices, paving the way to better and safer communication.

– – – – – – – – – – –

End Notes:

1.) Rob Preston, “Time to Regulate the Regulations”, Information Week, 27 February 2006, 78.

2.) BBC News, “Firms lax on ID theft safeguards” 16 March 2006, BBC Online; URL:

3.) Joris Evers, “Newsmaker: Locking down America’s Net defenses”, CNET, 16 February 2006.
