Companies are now scrambling to meet the SOX deadline

Today is the federal deadline for investment companies and other public companies to comply with the internal audit controls outlined in the Sarbanes-Oxley Act (SOX) of 2004. But it looks like many companies may miss the deadline.

Under SOX, also known as the Public Company Accounting Reform and Investor Protection Act, the U.S. Securities and Exchange Commission can impose severe penalties on companies that fail to comply with its provisions.

Industry observers reported last week that many companies were racing against time to meet today’s deadline.

Financial firms are at a loss over compliance, according to reports posted on the Sarbanes-Oxley website over the weekend.

One example cited on the website is a Bloomberg News report that PricewaterhouseCoopers expects that 80 percent of its clients will likely miss today’s deadline for financial control certification. PricewaterhouseCoopers is the third-largest accounting firm in the United States.

The intention of the law

Greg Murphy is CEO of wireless security firm AirWave, one of the companies working with corporations to get them compliant by the deadline. He said the law is designed to hold companies accountable for the security of data on their networks. It requires corporate executives to establish internal controls to ensure the security of company data.

The law requires corporate auditors to certify that internal controls over the use of encryption for all data and network access comply with the new law.

“This law makes the auditor responsible for annual certification. It’s an ongoing process, not a one-time transaction,” Murphy told E-Commerce Times.

The law requires IT departments to work with their corporate auditors to clarify and deliver secure networks. Murphy said every access point on a network, whether wired or wireless, is critical and can become a major compliance issue.

Ultimately, the auditor must have knowledge of each access point and confirm that data is encrypted.

Compliance audit

AirWave conducted security checks of corporate networks to find access points that were unknown or unsecured.

Murphy said what is most important is that corporations have adequate internal controls over the security of their networks.

Murphy said that in addition to stiff penalties for companies that miss the deadline, the SEC could also ban the company from trading its shares on the U.S. market.

“I suspect there will be a lot of catching up to do after November 15,” Murphy said. “This is the most important piece of corporate law since the 1930s.”

SOX Review

The Sarbanes-Oxley Act consists of three main sections that define compliance requirements:

  • Section 302 establishes corporate accountability for security reporting. The CEO and CFO must prepare a statement confirming financial reporting and disclosures.
  • Section 404 establishes the need for an evaluation of internal controls. An internal control report that takes responsibility for and evaluates the effectiveness of internal controls must accompany the annual report.
  • Section 409 requires real-time disclosure of security matters. Material changes affecting financial disclosures must be reported “promptly and on an ongoing basis.”

The Sarbanes-Oxley Act provides the basis for a lasting regulatory policy to ensure the security of financial networks.

“As new technologies develop, requirements will change to meet new security threats,” Murphy said.