SOX Compliance
Note: SOX policy framework requires Enterprise Edition.
The Sarbanes-Oxley Act (SOX) policy framework detects exposure of financial data and internal controls information that could impact financial reporting integrity.
Overview
SOX establishes requirements for public company financial reporting and internal controls. Aquilon DLP’s SOX policy helps organizations comply with:
- Section 302: Corporate responsibility for financial reports
- Section 404: Management assessment of internal controls
- Section 409: Real-time issuer disclosures
Protected Data Categories
The SOX policy detects:
| Data Category | Scanners | Severity | SOX Section |
|---|---|---|---|
| Financial Account Numbers | bank_account, iban, aba_routing | Critical | 302, 404 |
| Tax Identifiers | ein, ssn | Critical | 302 |
| Internal Financial Data | financial_keyword | High | 404 |
| Audit Documentation | audit_keyword | High | 404 |
| Executive Communications | exec_keyword | Medium | 302 |
International Subsidiaries
Multinational corporations with global subsidiaries must protect employee and financial data across jurisdictions. Aquilon DLP includes 28 country-specific national ID scanners for comprehensive coverage.
Global Employee and Tax Data
| Region | Scanners | SOX Relevance |
|---|---|---|
| Europe | germany_steurid, france_nir, uk_nino, + 11 more | EU subsidiary employee tax data |
| Americas | brazil_cpf, argentina_cuit, + 2 more | Latin American subsidiary payroll |
| Asia-Pacific | india_pan, japan_my_number, + 6 more | APAC subsidiary financial records |
Note: SOX Section 404 internal controls extend to material subsidiaries. Unauthorized exposure of subsidiary employee tax identifiers or financial data may indicate control deficiencies.
See Policy Frameworks for the complete list of all 28 national ID scanners.
Scanner Mappings
Critical Severity
Financial data requiring immediate protection:
- Bank Account Numbers: Direct access to company funds
- IBAN/SWIFT: International financial identifiers
- ABA Routing Numbers: US bank routing information
- EIN: Employer Identification Number
- Tax Documents: Tax returns, W-2s, 1099s
High Severity
Internal controls and audit information:
- Financial Statements: Balance sheets, P&L, cash flow
- Audit Working Papers: Internal audit documentation
- Control Documentation: SOX control matrices, test results
- Material Information: Pre-earnings, M&A data
Medium Severity
- Executive Communications: C-suite financial discussions
- Budget Data: Forecasts, projections
- Vendor Financial Data: AP/AR information
Configuration
Basic Configuration
```toml
[policies]
enabled_policies = ["sox"]
```
Advanced Configuration
```toml
[policies.policy_configs.sox]
settings = { confidence_threshold = "0.75", sensitivity_level = "3", detect_material_info = "true" }
```
Configuration Options
| Option | Description | Default |
|---|---|---|
| confidence_threshold | Minimum scanner confidence | 0.7 |
| sensitivity_level | Severity multiplier | 2 |
| detect_material_info | Flag material non-public information | true |
| quiet_period_days | Days before earnings (heightened sensitivity) | 14 |
Context Detection
The SOX policy elevates severity when financial context is detected. Enable the sox_financial context profile for automatic keyword detection:
```toml
[context]
enabled_profiles = ["sox_financial"] # Add to existing profiles
```
Financial Context Keywords
The sox_financial profile detects:
- Strong indicators: 10-K, 10-Q, 8-K, SEC filing, GAAP, IFRS, PCAOB, balance sheet, income statement, SOX 404, material weakness
- Weak indicators: revenue, earnings, quarterly, annual, profit, EBITDA, margin, budget, forecast, audit
Note: The SOX policy requires explicit financial context signals for financial_figures findings to avoid false positives on arbitrary currency amounts (e.g., $10 in shell scripts).
Quiet Period Detection
During earnings quiet periods, severity is elevated for:
- Financial projections
- Earnings estimates
- Material business changes
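The context-gating and quiet-period rules above, worked through as an added example (not Aquilon DLP's own code): currency amounts are only reported as a financial_figures finding when sox_financial strong or weak indicators are present, so a `$10` in a shell script is dropped, and a hit inside the quiet_period_days window is elevated one severity step. The "one strong or two weak indicators" rule and the strong-to-high / weak-to-medium mapping are assumptions, as are the sample inputs.

```python
import re
from datetime import date

# Keyword lists as described for the sox_financial profile on this page.
STRONG = ["10-K", "10-Q", "8-K", "SEC filing", "GAAP", "IFRS", "PCAOB",
          "balance sheet", "income statement", "SOX 404", "material weakness"]
WEAK = ["revenue", "earnings", "quarterly", "annual", "profit", "EBITDA",
        "margin", "budget", "forecast", "audit"]
# Currency amounts such as $10, $310,000 or $4.2 million (constructed pattern).
CURRENCY_RE = re.compile(r"\$\d[\d,]*(?:\.\d+)?(?:\s*(?:million|billion|[kKmMbB])\b)?")
SEVERITY = ["low", "medium", "high", "critical"]

def financial_context(text):
    """Return (strong_hits, weak_hits) for sox_financial keywords in text."""
    low = text.lower()
    hit = lambda k: re.search(r"\b" + re.escape(k.lower()) + r"\b", low)
    return [k for k in STRONG if hit(k)], [k for k in WEAK if hit(k)]

def in_quiet_period(today, earnings_date, quiet_period_days=14):
    """True inside the quiet_period_days window before an earnings date."""
    return 0 <= (earnings_date - today).days <= quiet_period_days

def scan_financial_figures(text, today, earnings_date, quiet_period_days=14):
    """Emit a financial_figures finding only when financial context exists."""
    amounts = CURRENCY_RE.findall(text)
    if not amounts:
        return None
    strong, weak = financial_context(text)
    # Assumed rule: one strong indicator, or two weak ones, establishes context;
    # a bare "$10" in a shell script has neither and is dropped here.
    if not strong and len(weak) < 2:
        return None
    level = 2 if strong else 1            # assumed: strong -> high, weak -> medium
    quiet = in_quiet_period(today, earnings_date, quiet_period_days)
    if quiet:                              # quiet period elevates one step
        level = min(level + 1, 3)
    return {"policy": "SOX", "scanner": "financial_figures",
            "severity": SEVERITY[level], "amounts": amounts,
            "context": strong + weak, "quiet_period": quiet}

# Constructed sample inputs: a shell script and a draft filing excerpt.
SHELL_SNIPPET = 'for f in "$@"; do echo "$10 $1" >> out.txt; done'
FILING_DRAFT = ("Draft 10-Q: quarterly revenue of $4.2 million, GAAP net "
                "income $310,000 ahead of the earnings call.")

if __name__ == "__main__":
    print(scan_financial_figures(SHELL_SNIPPET, date(2024, 1, 10), date(2024, 2, 1)))
    print(scan_financial_figures(FILING_DRAFT, date(2024, 1, 25), date(2024, 2, 1)))
```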
Violation Metadata
Each SOX violation includes:
```json
{
  "policy": "SOX",
  "severity": "critical",
  "data_category": "financial_account",
  "sox_section": "302",
  "material_info": false,
  "control_impact": "financial_reporting"
}
```
Compliance Reporting
Query Financial Data Exposures
```sql
-- All critical financial data exposures
SELECT path, scanner, severity, timestamp
FROM aquilon_dlp_alerts
WHERE policy = 'SOX'
  AND severity = 'critical';
```

```sql
-- Internal controls documentation exposure
SELECT * FROM aquilon_dlp_alerts
WHERE policy = 'SOX'
  AND scanner LIKE '%audit%';
```

```sql
-- Financial data by department (based on path)
SELECT
  CASE
    WHEN path LIKE '%/finance/%' THEN 'Finance'
    WHEN path LIKE '%/accounting/%' THEN 'Accounting'
    WHEN path LIKE '%/treasury/%' THEN 'Treasury'
    ELSE 'Other'
  END AS department,
  COUNT(*) AS count
FROM aquilon_dlp_alerts
WHERE policy = 'SOX'
GROUP BY department;
```
Audit Committee Reporting
Generate reports for audit committee:
```sql
-- SOX control deficiency indicators
SELECT
  date(timestamp) AS date,
  severity,
  COUNT(*) AS findings
FROM aquilon_dlp_alerts
WHERE policy = 'SOX'
  AND timestamp > datetime('now', '-30 days')
GROUP BY date, severity
ORDER BY date DESC;
```
Best Practices
Monitoring Strategy
- Immediate alert: Bank accounts, tax IDs, material info
- Daily review: Financial statements, audit documentation
- Weekly audit: Executive communications, budget data
Control Environment
Use findings to strengthen internal controls:
- Identify: Where financial data is stored
- Assess: Whether storage is appropriate
- Remediate: Move to secure locations
- Document: Update control documentation
Segregation of Duties
Monitor for inappropriate access patterns:
```sql
-- Financial data in non-finance directories
SELECT * FROM aquilon_dlp_alerts
WHERE policy = 'SOX'
  AND severity = 'critical'
  AND path NOT LIKE '%/finance/%'
  AND path NOT LIKE '%/accounting/%';
```