The Sarbanes-Oxley (SOX) Act of 2002, a federal US law, was introduced in response to a number of highly publicized corporate financial scandals earlier that decade (Enron Corporation, Tyco International plc, and WorldCom) and aims to protect investors from fraudulent financial reporting by corporations. The act created strict new rules for accountants, auditors, and corporate officers and imposed more stringent recordkeeping requirements.
Companies based in the USA or doing business in the USA are subject to SOX regulations and therefore need to ensure compliance. If they do not, they risk heavy criminal penalties and a significant loss of credibility, especially with investors.
SOX requires management and external auditors to report on the adequacy of the company’s internal control over financial reporting. Therefore, companies must design their IT systems to be auditable, so that there is a record of every action taken that impacts financial reports.
Any change that impacts the financial figures needs to go through proper controls and processes, which cover three main areas:
- Access management for access to the platform used to generate these figures
- Change management: tracking any change requests made that impact financial figures in the platform
- IT operations: incident management for the platform
How does Pigment support this?
Pigment is built with transparency in mind: granular access controls mean information can easily be shared with the right people, and users can easily audit and track any action taken in the platform. With every feature, we ensure that users are able to view the configuration that was made, so they can easily manage access and changes to the model. Pigment employs world-class engineering practices that govern our deployment process and incident management, even though updates to improve the platform are made every day.
Note: Pigment is not inherently SOX-compliant. It is the responsibility of the customer, and not of Pigment, to own the set of policies and procedures used with Pigment to ensure compliance with SOX. Pigment has, however, been built with these principles in mind, so that our features give customers the capability to design their controls to meet their SOX obligations where needed.
Whenever we build a feature, we keep these principles in mind:
- For features critical for security
We have extensive features for auditing the platform that prioritize traceability (not exhaustive across all features, but covering the most important ones). These include:
- Centralized access management through Groups, Application Access rights and Permissions; changes to these are tracked through our Audit API.
- User management (inviting, deactivating and activating users), modeling updates (formula updates, block creation), and updates made to data (e.g. inputs, data loads) are also tracked through the Audit API.
- For features that might be less critical for security
We prioritize having UI elements for easy configuration and management. At a glance, a user is able to see all the actions that have been taken and the settings selected for configuring their data visualizations.
Next steps
To read a full outline of all the access control and change management features in Pigment, as well as a list of policy and process recommendations for SOX compliance, visit the Pigment Community.
To read more about Pigment’s security accreditations, view our trust report here.