If you are considering hosting any data covered by the Sarbanes-Oxley (SOX) Act, either in the US or Canada, know what you are getting into. Outsourced SOX hosting has specific implications for your Managed Services Provider (MSP), and if they are not compliant, you're both at risk.

When the Sarbanes-Oxley Act (SOX or Sarbox for short) first passed into law in July 2002, then President George W. Bush proclaimed its provisions “the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt.” Since its passage, SOX, also known as the “Public Company Accounting Reform and Investor Protection Act,” has been a source of consternation and debate among affected companies because of its dynamic rules, severe penalties, and arduous auditing requirements. Passed in the wake of massive accounting scandals such as Enron and WorldCom, SOX was meant to crack down on the defrauding of shareholders and insider trading.

Like another prominent piece of American legislation, HIPAA, SOX also has implications for Canadian MSPs dealing with American clients. There’s also a Canadian equivalent nicknamed C-SOX. Many of the same rules apply to Canadian MSPs servicing publicly traded Canadian companies as they do for their American counterparts. Ultimately, all North American MSPs that want to provide cloud services involving the financial data of public companies will need to understand SOX fully and also be compliant.
What SOX Means for Companies
The goal of SOX, as stated by its primary enforcer, the US Securities and Exchange Commission (SEC), is “to protect investors by improving the accuracy and reliability of corporate disclosure." SOX thus deals with standards for safeguarding the integrity and transparency of financial data. It focuses specifically on preserving what are called audit trails. According to a SearchCompliance.com FAQ, that is “any form of log files or electronic records that contain, relate or comment upon” financial data. Under SOX, these audit trails are sacred - they must NOT be destroyed, altered, or falsified, and they must be retained for up to five years.

The penalties for non-compliance with SOX are not to be trifled with. Under section 302 of the act, CEOs and CFOs must regularly sign off on the accuracy and completeness of their company’s records and internal controls, and assure that these controls have been reviewed in the last 90 days. Executives who willfully submit incorrect information to a SOX audit can face fines of up to $5 million and up to 20 years in jail. Even failing to maintain proper documentation can result in hefty fines and jail terms of up to ten years.

Companies that have run afoul of SOX include Morgan Stanley, which faced a $15 million penalty in 2004 for failing to provide email records; Microsoft, which was penalized $1.4 million in 2014 for similar reasons; and Merrill Lynch, which was more recently tagged for $2.5 million.
What SOX Hosting Means for MSPs
Given the importance of SOX, it's no surprise that many publicly traded companies want greater assurances about how their financial records are dealt with. And given IT’s dominant role in the management of that financial data, it makes sense that SOX compliance requires broad IT accountability measures and controls. Additionally, SOX includes provisions for what the law calls “service organizations." These are entities that publicly traded companies outsource financial work to, and they can include MSPs (categorized as “Data Centers” under SOX). Data Center responsibilities include:

● Identifying data under SOX’s purview.
● Creating and implementing a plan to retain that data for seven years.
● Getting that data audited by third-party audit firms, then retaining that audit data for five years and ensuring it’s readily available.
● Creating and maintaining internal data protection controls.
● Monitoring for leaks of insider information as well as attempts at data tampering or destruction.
The MSP Impact of SOX Auditing
MSPs dealing with the financial data of public companies should comply with SOX because not doing so could put their clients and themselves at risk. Thankfully, SOX gives MSPs avenues to demonstrate they are "SOX ready" while also bypassing some of the arduous auditing requirements set for public companies.

It’s now commonly accepted that an MSP seeking SOX compliance should submit to an annual SSAE No. 16 service auditor’s report. (This often requires taking two levels of SSAE 16 audits, referred to by specialists as SOC 1 and SOC 2.) SSAE stands for “The Statement on Standards for Attestation Engagements.” It’s a special set of standards developed for certified public accountants (CPAs) to assess a service organization's internal controls and the impact they may have on a client’s ability to meet their financial reporting requirements. The Canadian equivalent is called CSAE 3416.

A typical SOX audit will cover any computers, networks, and other IT infrastructure that financial data passes through. As a result, MSPs need to carefully consider what standard framework(s) they'll work from while optimizing their internal controls. Several industry organizations and frameworks already exist to provide IT guidance for SSAE 16. These include ISACA and its COBIT framework, COSO, the Cloud Security Alliance (CSA), and others. In adopting one or more of these approaches, MSPs must pay close attention to four areas of IT governance that SOX auditors will spotlight. According to MSP compliance and security software provider BlackStratus, MSPs completing a SOX audit must consider:

1. Their physical and electronic controls gatekeeping access to financial data. This includes measures making sure servers and data centers are in secure locations; it also includes measures such as proper password protections, lock-out screens, firewalls, data encryption and cryptographic keys, and so on, to protect against unauthorized users, hackers, and malicious software that might compromise data confidentiality or integrity.
2. Security measures, including breach prevention, reporting, and follow-up strategies. This includes investing in services or applications providing real-time network monitoring to catch breaches as they occur - or at least, to give SOX auditors detailed forensic data if a violation is discovered later.
3. Change management strategies: that is, processes for updating and vetting new users, software, and workstations, and for keeping a rolling record of changes. That includes tracking and changing authorizations so a single disgruntled employee can’t cause havoc.
4. Finally, backup procedures and disaster recovery strategies. As BlackStratus notes, third-party data centers storing backed-up financial data are subject to the same backup compliance requirements as in-house operations.
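The thread running through the audit-trail requirement and items 2 and 3 above is that a record of changes is only useful to an auditor if alteration, deletion, or rollback of that record can be detected. The following is an added example, not code from this page, from Cartika, or from BlackStratus, showing one common way to build such a tamper-evident record: each entry carries a sequence number, the hash of the previous entry, and an HMAC tag, and a separate "anchor" (length plus head hash) is kept outside the log store. The key, the anchor, and the audit records are all constructed placeholders; the design assumes the HMAC key and anchor are held somewhere the people who can write to the log cannot reach (an auditor's system or an HSM).

```python
"""Tamper-evident audit trail: HMAC hash chain plus an out-of-band anchor.

Added illustration; constructed data, not a real ledger or a library API.
"""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Assumption: this key lives outside the log store (auditor side / HSM), so
# whoever can edit the log cannot recompute valid tags. Demo value only.
DEMO_KEY = b"demo-key-not-for-production"
GENESIS = "0" * 64  # prev_hash of the very first record


def _tag(key: bytes, prev_hash: str, payload: dict) -> str:
    """HMAC-SHA256 over (previous hash || canonical JSON of the payload)."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_hash + body).encode(), hashlib.sha256).hexdigest()


def append_record(log: List[dict], key: bytes, **payload) -> dict:
    """Append one event; its tag commits to everything that came before it."""
    prev = log[-1]["hash"] if log else GENESIS
    payload = {"seq": len(log), **payload}
    record = {"payload": payload, "prev_hash": prev, "hash": _tag(key, prev, payload)}
    log.append(record)
    return record


def make_anchor(log: List[dict]) -> Dict[str, object]:
    """Snapshot to store out of band: how long the log is and its head hash."""
    return {"length": len(log), "head": log[-1]["hash"] if log else GENESIS}


def verify_chain(log: List[dict], key: bytes,
                 anchor: Optional[Dict[str, object]] = None) -> Tuple[bool, str]:
    """Walk the chain; report the first inconsistency found."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["payload"].get("seq") != i:
            return False, f"record {i}: sequence gap or reordering"
        if rec["prev_hash"] != prev:
            return False, f"record {i}: prev_hash does not match chain"
        if not hmac.compare_digest(rec["hash"], _tag(key, prev, rec["payload"])):
            return False, f"record {i}: payload altered or wrong key"
        prev = rec["hash"]
    # A valid chain can still be silently truncated; only the anchor catches that.
    if anchor is not None and (len(log) != anchor["length"] or prev != anchor["head"]):
        return False, "log truncated or rolled back relative to anchor"
    return True, "ok"


def demo() -> Dict[str, bool]:
    """Run the verifier over an intact log and three constructed tampering cases."""
    log: List[dict] = []
    append_record(log, DEMO_KEY, actor="svc-ledger", action="post_journal", amount=1200.00)
    append_record(log, DEMO_KEY, actor="alice", action="approve_journal", ref=0)
    append_record(log, DEMO_KEY, actor="svc-backup", action="snapshot", target="ledger-db")
    anchor = make_anchor(log)

    results = {"intact": verify_chain(log, DEMO_KEY, anchor)[0]}

    altered = copy.deepcopy(log)            # a value changed after the fact
    altered[0]["payload"]["amount"] = 12000.00
    results["altered_value"] = verify_chain(altered, DEMO_KEY, anchor)[0]

    deleted = copy.deepcopy(log)            # a middle record removed
    del deleted[1]
    results["deleted_middle"] = verify_chain(deleted, DEMO_KEY, anchor)[0]

    truncated = copy.deepcopy(log)[:-1]     # the newest record dropped
    results["truncated_without_anchor"] = verify_chain(truncated, DEMO_KEY)[0]
    results["truncated_with_anchor"] = verify_chain(truncated, DEMO_KEY, anchor)[0]
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:>26}: {'passes' if ok else 'DETECTED'}")
```

The point of the last two cases is the one that is easiest to miss when designing a retention control: the chain alone verifies cleanly after the tail has been cut off, so the length and head hash must be recorded somewhere the log writers cannot modify, and that anchor must be refreshed as part of the normal change-management process.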
The SOX bottom line
SOX compliance is without a doubt complex. For unprepared companies, it can be time-consuming and expensive. But running the SOX gauntlet yields tangible benefits for MSPs who are prepared. Compliant MSPs will typically improve their existing internal controls. The process will help identify redundancies and gaps in their data management procedures and effectively create another high-value service for their clients. Cartika has been fully SOX compliant for many years. If we can help in any way, or simply answer a question, just reach out.