SOX Compliance Requirements for Mobile Apps
Mobile app developers and providers, take note: Sarbanes-Oxley Act (SOX) rules apply to mobile apps that allow users to transmit, store, or otherwise handle financial data. It’s a big deal: failure to adhere to the requirements established in the SOX Act can result in significant fines and, in some cases, prison.
While SOX primarily focuses on corporate accounting regulations and requirements, several provisions established in the law apply to some mobile apps. This guide will give you some background about the Act and a summary of SOX rules for mobile apps.
Sarbanes-Oxley Act (SOX)
SOX (sometimes called Sarbox) is a U.S. law drafted by Paul Sarbanes and Michael Oxley. The law’s primary goal is to protect investors from fraudulent corporate accounting activities. The Act was enacted in response to highly publicized scandals in the early 2000s involving fraudulent financial activities committed by companies like Enron and WorldCom.
The law spells out rules corporations must follow when disclosing financial information and includes provisions aimed at preventing accounting fraud in general. For mobile app developers and providers, SOX typically comes into play as it relates to financial information processed and stored via apps and the internal controls in place to safeguard that data.
SOX rules for mobile apps
The SOX Act specifies three types of companies that must stay in compliance with the regulations:
Publicly held American companies
Companies that have registered equity or debt with the SEC
Accounting firms that perform financial services for companies in either of the two categories above
If a mobile app deals with some element of financial reporting for a company falling into one of these groups, many SOX regulations will apply. For most mobile apps, the key elements to bear in mind are those related to protecting financial data.
Section 404 of the SOX Act is of particular importance for mobile app developers dealing with financial data. This section specifies that public companies must include an “Internal Control Report” within their annual financial report, including an assessment of the adequacy of the controls in place. Any controls that fall short of what is considered “adequate” under SOX must be reported, and third-party auditors must sign off on the adequacy, accuracy, and effectiveness of the Internal Control Report.
SOX specifies that the following internal controls be included in annual audits:
Access controls (including physical and electronic controls) and password management
Security controls that prevent data breaches
Change management controls, including detailed record keeping of network changes
Backup procedures that protect sensitive data
SOX compliance controls for mobile apps
To meet the requirements under Section 404, companies may need to make significant investments in IT. SOX establishes a high threshold for what is considered an adequate internal control.
SOX does not explicitly list specifically required controls for protecting financial data. Instead, the provisions leave this up to individual companies. However, the Public Company Accounting Oversight Board (PCAOB), a group that provides oversight of certain SOX elements, refers to the Committee of Sponsoring Organizations (COSO) framework for guidance on internal controls. While it is not required that companies follow COSO, it may be helpful.
One approach to meeting the threshold is to encrypt financial data to lessen the risk of unauthorized transactions or breaches. Across the data security field, encryption is widely regarded as a critical security control.
Another standard approach is to establish two-factor authentication controls within mobile apps that handle financial data. Both approaches substantially reduce the weaknesses an attacker could exploit in an app, they map directly to the access and security controls that auditors review, and they are likely to satisfy SOX requirements for establishing adequate internal controls.
The U.S. Securities and Exchange Commission (SEC) is tasked with overseeing SOX compliance. The SEC has the authority to impose costly fines for publicly traded companies that fail to maintain adequate internal controls.
Failure to comply with SOX can lead to serious consequences, including:
Fines up to $1 million for unintentional violations; $5 million for intentional violations
Criminal charges, with prison terms of 10 to 20 years if convicted
Mobile app developers must consider SOX
Any app that includes a financial element should be SOX-compliant. The consequences of non-compliance can be severe enough to bankrupt small companies and lead to lengthy legal battles.
Aside from these clear consequences, there’s also a company’s reputation to consider. Today’s mobile users increasingly expect companies to safeguard their data when they use mobile apps, especially when they enter sensitive financial data and payment information. Data breaches are costly for businesses of all sizes.
The good news is that many SOX requirements can be met by establishing robust, common-sense controls throughout corporate networks that carry over to apps in development. Investing in technologies like data encryption and multi-factor authentication is a best practice, regardless of SOX rules for mobile apps.
When in doubt, be sure to consult with an attorney or other professional well-versed in SOX, specifically as it relates to mobile apps.