SOX (US)

SOX overview

The Sarbanes-Oxley Act of 2002 (SOX) is a US federal law administered by the Securities and Exchange Commission (SEC). Among other things, SOX requires publicly traded companies to maintain internal control structures that validate that their financial statements accurately reflect their financial results. How a company meets SOX depends heavily on its own internal processes, especially its controls over financial reporting. For example, SOX requirements cover a company's internal controls for the preparation and review of financial statements, and in particular the controls that affect the accuracy and completeness of financial reporting, the effectiveness of those controls, and the public disclosure of material changes related to financial reporting.

The SEC does not define or impose a SOX certification process. Instead, it provides broad guidelines for publicly traded companies to determine how to comply with SOX reporting requirements.

Azure and SOX

As cloud adoption gains momentum, more and more customers are exploring how to migrate applications and workloads subject to SOX compliance obligations to the cloud. Although there is no SOX certification or validation for cloud service providers, Azure can help you meet your SOX obligations.

If you are subject to SOX compliance obligations, you should review the Azure SOC 1 Type 2 attestation, which is performed according to:

  • SSAE No. 18, Attestation Standards: Clarification and Recodification, which includes AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting (AICPA, Professional Standards).
  • SOC 1 Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (AICPA Guide).

The AICPA SSAE 18 standard superseded SSAE 16, which in turn replaced SAS 70, and it is the appropriate standard for reporting on controls at a service organization that are relevant to user entities' internal control over financial reporting. The SOC 1 Type 2 report is the formal audit that you can rely on for third-party review of a technology service provider when pursuing your own industry-specific compliance obligations for assets deployed on Azure. It includes the auditor's opinion on whether the controls operated effectively to achieve the related control objectives during the specified review period. Keep in mind that the report covers Microsoft's controls only: like any SOC 1 report, it also identifies complementary user entity controls that you are expected to implement in your own environment, and your SOX assessment must cover those controls, along with the controls over your own applications and data on Azure, in addition to the controls attested in the report.

In addition, Microsoft has produced guidance documentation to help you use Azure's existing compliance reports when addressing your own SOX compliance obligations. It draws on internal Microsoft experience with migrating SOX-relevant applications to Azure, and it provides migration best practices, including SOX compliance implications, reviews of two publicly available case studies, and lessons learned from Microsoft's internal migration projects.

Applicability

  • Azure

Office 365 and SOX

For more information about Office 365 compliance, see Office 365 SOX documentation.

Guidance documents

Microsoft has published the following guidance document:

  • Azure guidance for Sarbanes-Oxley (SOX) is intended to help you deploy applications subject to SOX compliance obligations. It provides customer guidance based on existing Azure audit reports and on lessons learned from migrating internal Microsoft SOX-relevant applications to Azure.

Resources