All public companies in the U.S. are subject to Sarbanes-Oxley (SOX) compliance without exception. SOX compliance requirements also apply to the overseas operations of U.S. public companies and to international companies listed on U.S. exchanges. Failure to comply with SOX can result in fines of up to 5 million dollars and up to 20 years of imprisonment for the C-level executives accountable for SOX implementation. Other countries have similar laws: for example, Canada enacted a regulation known as Bill 198, and Japan established the aptly named J-SOX; both closely resemble the "American" SOX in many respects.
SOX requires public companies to adopt Internal Controls over Financial Reporting (ICFR), and these controls naturally include the IT controls that affect financial reporting operations. Two sections of the Act affect IT departments: Section 302 (15 U.S.C. § 7241: "Corporate Responsibility for Financial Reports") and Section 404 (15 U.S.C. § 7262: "Management Assessment of Internal Controls"). SOX defines three major requirements: establishment of controls, ongoing evaluation of controls (monitoring and testing), and disclosure ("auditability") of control effectiveness, including defects and weaknesses that could result in fraud. Implementing these requirements manually tends to increase operational costs, while automation usually results in much lower compliance costs, greater efficiency, and other benefits.
"It can be difficult to know what changed, when it changed, and who changed it. Add regulatory compliance and you'll need to hire a full crew to keep up the changes over time." /Michael Domingo, Executive Editor of MCPmag.com/
The Sarbanes-Oxley Act does not provide any recommendations for how SOX should be implemented, which is why several organizations have created standards for implementing IT controls. The most widely recognized IT-specific standards are COSO's "Internal Control - Integrated Framework", endorsed by the SEC, and COBIT (Control Objectives for Information and Related Technology), created by ISACA (www.isaca.org).
Netwrix Auditor covers the SOX requirements of both frameworks to help organizations maintain compliance and pass compliance audits. In general, this automated compliance solution helps maintain established controls by tracking and reporting all changes in the IT infrastructure for auditing purposes and by implementing secure identity management practices to ensure system security.
Disclaimer: This information is not intended to provide legal advice or substitute for the advice of an attorney.