What Does Your IT Team Need to Know About the Sarbanes-Oxley Act?
The Sarbanes-Oxley Act (SOX) has had a significant impact on IT teams across industries, though it is largely focused on financial services. This page is designed to help you understand what it could mean for you, your equipment, and how you dispose of IT assets.
What Is the Sarbanes-Oxley Act?
The Sarbanes-Oxley Act was passed and signed into law in 2002 as a response to major financial scandals that played a role in the collapse of Enron and WorldCom. SOX was created to protect shareholders as well as the general public from criminal accounting practices in large, publicly held companies.
SOX compliance is monitored and enforced by the Securities and Exchange Commission, which provides a brief overview as well as the full text of the act here: https://www.sec.gov/answers/about-lawsshtml.html#sox2002
For IT assets, SOX is both direct and extremely far reaching. Some companies have said that it is too intensive and claim to have based decisions to go public outside of U.S. markets because of SOX.
Who Is Impacted by the Sarbanes-Oxley Act?
Any company or individual who administers systems related or relevant to financial and accounting data is regulated under SOX. This means financial institutions and large corporations are covered, as are software vendors and service providers who may analyze, process, or store this data.
The good news is that this compliance requirement only impacts publicly traded companies, so you may only need to meet requirements with some of your clients if you are not a publicly traded company yourself.
What Does SOX Compliance in IT Mean?
Audits and easy-to-track activities are the core focus of SOX. The act requires a comprehensive log of files and other documents for all financial transactions and interactions to be kept on hand for five years.
Records must be stored with simple and controlled access, and a record must be kept of access to them as well as of changes. Shareholders and the SEC must get copies of this data regularly.
An important note is that your company must keep both paper and electronic records.
Your IT team must be able to produce electronic records of audits for fiscal data and activity across almost any business activity. In recent years, this has included the SEC looking for data on activities that occurred in messaging services, data storage, system and data virtualization, and even broader networking to understand who would have had access to data, as well as to systems that could potentially give access to that data.
What Does This Mean for Old IT Assets?
The Sarbanes-Oxley Act creates a significant set of guidelines for auditing and maintaining financial data and related records. When your IT assets are being replaced, you need to ensure that data and records are kept in such a way that the flow of information between old and new assets is recorded.
You will also need to include the destruction of IT assets in your audit data. SOX limits who can access financial data and sets requirements for tracking access. You must note that IT assets are being destroyed and provide audits of their destruction to assure the SEC that you have removed a potential access point.
By destroying the data and having an audit trail for your partner, you protect your business while meeting SEC guidance and regulatory requirements.
How Can Securis Help?
At Securis, we focus on complete destruction of data and access via old IT assets, plus the removal of hidden sensitive information left in older devices you might not think of, such as copiers and smartphones.
To help you stay in compliance with the Sarbanes-Oxley Act, we’ll provide you with thorough and complete destruction of devices and sensitive information, plus a verifiable audit trail that explains the entire disposal process, so you stay in SOX compliance when you upgrade and change equipment.
It’s how we do our part, and we welcome a conversation with you about how you can do your part to protect your organization, customers, and even the environment.