SOX Compliance in the Modern Data Stack

Overview 

The purpose of this article is to show how SOX compliance audits reach the modern data stack. Specifically, it describes how we helped one of our clients strengthen data governance, implement role-based access control standards, and establish approval and review processes for ARR-related operations so that they adhere to financial reporting and auditing regulations.

SOX – A Brief History 

The birth of the modern corporation and the concept of raising capital through public equity markets dates back to 1602 and the Dutch East India Company. This is when members of the public (i.e., investors) were first able to buy ownership stakes (shares) in a company. These shares were then traded on the Amsterdam Stock Exchange, the first formal stock exchange.

In 1792, a group of stockbrokers in New York signed the Buttonwood Agreement, which led to the formation of the New York Stock Exchange (NYSE). This created a central hub for buying and selling shares of U.S. corporations. By the late 1800s, industries such as railroads, oil, and steel had begun issuing public shares, allowing them to raise capital to fuel their growth. 

As the U.S. economy grew and more companies went public to fund their expansion, public concern about fraud increased. This came to a head in the crash of 1929 that preceded the Great Depression. As a result, the Securities Act of 1933 and the Securities Exchange Act of 1934 were enacted, establishing a framework for modern regulation and creating the Securities and Exchange Commission (SEC) to oversee and enforce rules for the protection of investors and the integrity of the markets.

Then, in 2001, the Enron and WorldCom scandals led to the creation of the Sarbanes-Oxley Act (SOX), which improved the accuracy and reliability of financial reporting by publicly traded companies. To this day, publicly traded companies need to comply with SOX regulations, in particular by reviewing IT processes and ensuring the integrity of data, internal audits, and governance.

Business Problem 

In our modern, data-rich world, where a plethora of data is at the disposal of any professional, enhanced data governance and reconciliation are mandatory.

To comply with SOX regulations, our client's internal audit team needed to reduce risk by improving their Annual Recurring Revenue (ARR) and Net Retention Revenue (NRR) operations. Specifically, they needed to:

  • Document the code review process (mandatory for reconciliation)
  • Restrict the number of users with edit access to source systems, the data warehouse, and reporting platforms (Salesforce, Snowflake, and Tableau respectively)
  • Create automated alerting and monitoring of ARR-related tasks within Snowflake

Failure to solve the above could result in fines, loss in investor trust, imprisonment, and removal from the stock market.  

Solution Approach 

With the deep data expertise of CloudEQS, we worked with our client to solve their challenges through the following steps:

  • Migrate: move ARR stored procedures and views from Snowflake to dbt Cloud
  • Role-Based Access Control (RBAC): implement in Snowflake and dbt (read more about our playbook here)
  • Governance standards: establish standards for version control, RBAC, and code approval processes
  • Failure alerts: automate error and failure alerts in dbt
  • Document: review and approval processes for ARR-related operations

With the new level of governance, automated reconciliation, and documented procedures, the internal audit team can sign off on the new operations knowing they adhere to the regulatory requirements.  
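The RBAC step above, as an added Snowflake example that is not the client's or CloudEQS's own code: a transformer role that is the only role able to create or change ARR objects, a read-only role for Tableau and analysts, and an audit query that lists every role holding write-capable privileges on the ARR schema. The database, schema, role and user names (ARR_DB, ARR, ARR_TRANSFORMER, ARR_READER, DBT_CLOUD_SVC, TABLEAU_SVC) are assumptions.

```sql
-- Added example, not the client's code. All object and role names are assumed.
USE ROLE SECURITYADMIN;

-- Transformer role: the only role allowed to create or change ARR objects.
CREATE ROLE IF NOT EXISTS ARR_TRANSFORMER;
-- Reader role: Tableau and analysts get SELECT only.
CREATE ROLE IF NOT EXISTS ARR_READER;
-- Roll both up to SYSADMIN so the role hierarchy stays auditable.
GRANT ROLE ARR_TRANSFORMER TO ROLE SYSADMIN;
GRANT ROLE ARR_READER TO ROLE SYSADMIN;

-- Object-level grants (database ARR_DB and schema ARR are assumed to exist).
GRANT USAGE ON DATABASE ARR_DB TO ROLE ARR_TRANSFORMER;
GRANT USAGE ON DATABASE ARR_DB TO ROLE ARR_READER;
-- Ownership of the schema (and therefore DDL on it) goes to the transformer role only.
GRANT OWNERSHIP ON SCHEMA ARR_DB.ARR TO ROLE ARR_TRANSFORMER COPY CURRENT GRANTS;
GRANT USAGE ON SCHEMA ARR_DB.ARR TO ROLE ARR_READER;
-- Readers see current and future tables/views; no DML or DDL is granted.
GRANT SELECT ON ALL TABLES IN SCHEMA ARR_DB.ARR TO ROLE ARR_READER;
GRANT SELECT ON ALL VIEWS IN SCHEMA ARR_DB.ARR TO ROLE ARR_READER;
GRANT SELECT ON FUTURE TABLES IN SCHEMA ARR_DB.ARR TO ROLE ARR_READER;
GRANT SELECT ON FUTURE VIEWS IN SCHEMA ARR_DB.ARR TO ROLE ARR_READER;

-- Only the dbt Cloud service user holds the transformer role; every human
-- and the Tableau service user gets the reader role.
GRANT ROLE ARR_TRANSFORMER TO USER DBT_CLOUD_SVC;
GRANT ROLE ARR_READER TO USER TABLEAU_SVC;

-- Audit evidence: every role that can write to objects in the ARR schema.
-- For the control to hold, this should return only ARR_TRANSFORMER.
SELECT grantee_name, privilege, granted_on, name
FROM snowflake.account_usage.grants_to_roles
WHERE table_catalog = 'ARR_DB'
  AND table_schema = 'ARR'
  AND deleted_on IS NULL
  AND privilege IN ('OWNERSHIP', 'INSERT', 'UPDATE', 'DELETE', 'TRUNCATE')
ORDER BY grantee_name, name;
```

The ACCOUNT_USAGE views lag live grants by up to a couple of hours, so for an immediate check run `SHOW GRANTS ON SCHEMA ARR_DB.ARR;` as well and keep both outputs as audit evidence.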

Conclusion 

This case study showed how the CloudEQS team helped a client improve their SOX compliance by strengthening data governance, setting up role-based access controls, and creating clear approval processes for their ARR and NRR operations. To meet regulatory standards, they migrated Snowflake stored procedures and views to dbt Cloud, automated failure alerts, and documented key review and approval steps to ensure everything was in line with SOX requirements.


A curious data professional passionate about supporting clients on their data journey.
