The Sarbanes-Oxley (SOX) Act and the Impacts of Non-Compliance

The Sarbanes-Oxley Act of 2002 (SOX) is a critical piece of new legislation that affects how public organizations and accounting firms deal with Corporate Governance, financial disclosure and the practice of public accounting.

The SOX legislation is being implemented in a phased approach, with executive management already being impacted by Section 302 of the Act. Most audit firms today have established practices around SOX compliance and are actively working with their customers on how to comply with the next phase of the legislation. The impacts of non-compliance range from fines to jail terms, and includes the harsh reality that failure to comply will ultimately impact the organization’s public image.

The next major section for legislated compliance is Section 404. Section 404 centers around the internal controls of an organization and how effective they are (in the context of how this may impact financial reporting). The chart below delineates the three highest profile sections of the legislation for public companies, the dates associated with mandatory compliance, and some high-level details around each.

Details Section
302 404 409
What is it about? Certification of financial reports quarterly
  • Annual certification of internal controls
  • Independent accountant attests to report
  • Quarterly reviews for updates/change
  • Material event reporting
  • “Real-time” implications
Who signs off?
  • CEO
  • CFO
  • Management
  • Independent accountant/ auditor
  • Management
  • Independent accountant/ auditor
Effective Date? August 29, 2002 Fiscal year ends on/after:

  • November 15, 2004 for accelerated filers*
  • FY ending on/before July 15, 2005 for all others
*Note: For organizations on a calendar fiscal year, this means that compliance is an issue for January, 2004
  • Not finalized
  • Expected in 2004

For more information, please refer to the Securities & Exchange Commission Web site (, the Sarbanes-Oxley Web site ( or contact your auditing firm.

Assessing the Path to Section 404 Compliance

The reality of the Sarbanes-Oxley Act is that each public company needs to develop an individualized approach to reporting and compliance.

For Section 404, it begins with a self-assessment of the internal controls the organization has around its financial reporting process. This self-assessment will typically involve internal stakeholders as well as an external audit firm who will work through a standardized framework (COSO) to identify the gaps in compliance, as well as any associated risks. This framework allows audit firms to map internal control objectives back to SOX requirements, enabling organizations to then apply process frameworks, like the one described in the April 2004 National Cyber Security Partnership (NCSP) Corporate Governance task force report entitled “Information Security Governance: A Call to Action”, to address the relevant gaps for compliance.

Once the assessment has been completed, organizations must then establish a process to achieve compliance within the relevant timeframe (as described in the chart above). Working with their audit firm, organizations will be looking to not only address the gaps that have been identified within the legislated timeframe, but do so in a cost-effective manner. In today’s economically challenging times, compliance means a balance between both time and cost, particularly since this is not a one-time event and that there may be more far-reaching costs than simply implementing internal controls.

Entrust and Sarbanes-Oxley

Entrust security solutions can be used to help close a number of common gaps identified on the path to Sarbanes-Oxley Section 404 compliance.

Secure Identity Management

Companies that are focused on remaining productive and competitive understand that customers, partners, and employees all need deeper access to the organization, giving them what they need, at the right time. Doing this effectively and in real-time means managing a multitude of user identities and interacting with a variety of systems in an environment of constant change – all while keeping quality of service high and the enterprise secure.

The Entrust Secure Identity Management Solution is a comprehensive, highly scalable solution that helps to address key challenges faced by commercial organizations working to comply with Section 404 of the Sarbanes-Oxley Act, namely:

Identity provisioning

  • quickly and securely view, change, audit and report on all user identities and access privileges across all users and organizations
  • replace time-consuming, expensive and error-prone processes with secure one-step process to add users or remove them from systems
  • workflow capabilities allow mandatory corporate approval processes to be enforced and audited

Policy-based access control

  • enable user single sign-on (SSO) to the applications and content they are authorized to see
  • easily extend access control to include Web services applications via standards such as SAML
  • centrally manage access to applications and information via policy, providing a single point of policy enforcement and audit of access for all users
  • apply rules, in accordance with corporate policy, to augment internal controls for Section 404 compliance, including time-specific restrictions or access control based on the location of the originator
  • capitalize on an unlimited user, per-processor pricing model that enables organizations to only pay for the value that they are deploying through their portal

Strong authentication

  • enable Web-based authentication using a broad range of identity types, including usernames and passwords, SAML, Microsoft Passport, and digital certificates stored on a user’s computer or on a hardware smart card, token access, or biometric device
  • enable strong authentication in a client-server environment, helping to ensure that only strongly authenticated users are able to access sensitive information contained in encrypted files, folders and email messages

Data Protection & Integrity

Internal controls around both data access and data integrity can be enforced through the use of encryption and digital signatures, respectively. Data contained in files, folders, or email messages can be encrypted to prevent unauthorized access due to security breaches or weak access controls. That same data can be digitally signed to provide both transaction accountability and data integrity, supplying organizations not only with information on who signed the data, but also verification that it did not change from the time it was signed, regardless of whether it traveled across the Internet or was stored locally.

The Entrust Secure Data Solution consists of a comprehensive, highly scalable suite of data security products and services that help organizations mitigate the risk of data loss, corruption and disclosure so they can confidently capitalize on new technologies that enable greater stakeholder collaboration and, ultimately, business growth. It includes the following key capabilities that can help with Section 404 compliance:

  • encryption of files and folders on employee workstations and theft-vulnerable laptop computers; only properly authenticated, authorized individuals can decrypt and access sensitive information
  • digital signatures on data for integrity, including working with industry leaders, such as Adobe, to deliver secure electronic forms for both desktop and Web environments
  • end-to-end encryption and digital signing of sensitive data during Web transactions
  • developer toolkits to enable encryption and digital signature capabilities in custom applications

The Entrust Secure Messaging Solution transparently adds “end-to-end” security to email applications like Microsoft® Outlook® and Lotus Notes®, making it possible to mitigate risk and help comply with Section 404. It enables email messages to be encrypted and digitally signed both in transit and while at rest on email servers or in end-user inboxes and outboxes. This ability to secure emails can help organizations better control access to sensitive information that often times is transmitted via email.