Sarbanes-Oxley Act of 2002 (SOX)

SOX overview

The Sarbanes-Oxley Act of 2002 (SOX) is a US federal law administered by the Securities and Exchange Commission (SEC). Among other things, SOX requires publicly traded companies to have proper internal control structures in place to validate that their financial statements reflect their financial results accurately. SOX is heavily influenced by customer’s internal processes especially when it comes to controls for financial reporting. For example, SOX requirements involve internal customer controls for the preparation and review of financial statements, and especially controls that affect accuracy, completeness, effectiveness, and public disclosure of material changes related to financial reporting.

The SEC doesn't define or impose a SOX certification process. Instead, it provides broad guidelines for publicly traded companies to determine how to comply with SOX reporting requirements.

Microsoft and SOX

Microsoft cloud services customers subject to compliance with the Sarbanes-Oxley Act (SOX) can use the SOC 1 Type 2 attestation that Microsoft received from an independent auditing firm when addressing their own SOX compliance obligations. This attestation is appropriate for reporting on internal controls over financial reporting.

Even though there's no SOX certification or validation for cloud service providers, Microsoft can help customers meet their SOX obligations. For example, SOX requires internal controls for the preparation and review of financial statements, especially controls that affect the accuracy, completeness, effectiveness, and public disclosure of material changes related to financial reporting. To help companies, Microsoft maintains a SOC 1 Type 2 attestation appropriate for reporting on such controls across a broad portfolio of services that can be used to build a wide range of applications. It's based on the American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements 18 (SSAE 18) and the International Standard on Assurance Engagements No. 3402 (ISAE 3402). (This attestation replaced SAS 70.)

The audit report, produced by a third-party auditing firm, attests that Microsoft controls were designed appropriately, in operation on a specified date, and operating effectively over a specified time period. Customers can review the reports to learn about Microsoft control objectives and the effectiveness of its controls, and get access to complementary controls.

At Microsoft, we share the responsibility of compliance with our customers. We supply the specifics about our compliance programs, which you can verify by requesting detailed audit results from the certifying third parties. Ultimately, however, it's up to you to determine whether our services comply with the specific laws and regulations applicable to your business. For example, there are SOX-related security controls, such as user access to cloud resources, that are your responsibility: your organization must develop appropriate auditing of these controls as part of your SOX compliance.

Microsoft in-scope cloud platforms & services

  • Azure
  • Dynamics 365
  • Intune
  • Office 365
  • Power BI cloud service (either as a standalone service or as included in an Office 365 branded plan or suite)

Azure, Dynamics 365, and SOX

As cloud adoption gains momentum, more and more customers are exploring how to migrate applications and workloads subject to SOX compliance obligations to the cloud. Even though there's no SOX certification or validation for cloud service providers, Azure can help you meet your SOX obligations.

If you're subject to SOX compliance obligations, you should review the Azure SOC 1 Type 2 attestation, which is performed according to:

  • SSAE No. 18, Attestation Standards: Clarification and Recodification, which includes AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting (AICPA, Professional Standards).
  • SOC 1 Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting (AICPA Guide).

The AICPA SSAE 18 standard replaced SAS 70, and it's appropriate for reporting on controls at a service organization relevant to user entities internal controls over financial reporting. This is the formal audit that you can rely on for third-party reviews of technology service providers when pursuing your own industry specific compliance obligations for assets deployed on Azure. It includes auditor's opinion on control effectiveness to achieve the related control objectives during the specified monitoring period.

Office 365 and SOX

Office 365 environments

Microsoft Office 365 is a multi-tenant hyperscale cloud platform and an integrated experience of apps and services available to customers in several regions worldwide. Most Office 365 services enable customers to specify the region where their customer data is located. Microsoft may replicate customer data to other regions within the same geographic area (for example, the United States) for data resiliency, but Microsoft will not replicate customer data outside the chosen geographic area.

This section covers the following Office 365 environments:

  • Client software (Client): commercial client software running on customer devices.
  • Office 365 (Commercial): the commercial public Office 365 cloud service available globally.
  • Office 365 Government Community Cloud (GCC): the Office 365 GCC cloud service is available for United States Federal, State, Local, and Tribal governments, and contractors holding or processing data on behalf of the US Government.
  • Office 365 Government Community Cloud - High (GCC High): the Office 365 GCC High cloud service is designed according to Department of Defense (DoD) Security Requirements Guidelines Level 4 controls and supports strictly regulated federal and defense information. This environment is used by federal agencies, the Defense Industrial Base (DIBs), and government contractors.
  • Office 365 DoD (DoD): the Office 365 DoD cloud service is designed according to DoD Security Requirements Guidelines Level 5 controls and supports strict federal and defense regulations. This environment is for the exclusive use by the US Department of Defense.

Use this section to help meet your compliance obligations across regulated industries and global markets. To find out which services are available in which regions, see the International availability information and the Where your Microsoft 365 customer data is stored article. For more information about Office 365 Government cloud environment, see the Office 365 Government Cloud article.

Your organization is wholly responsible for ensuring compliance with all applicable laws and regulations. Information provided in this section does not constitute legal advice and you should consult legal advisors for any questions regarding regulatory compliance for your organization.

Office 365 applicability and in-scope services

Use the following table to determine applicability for your Office 365 services and subscription:

Applicability In-scope services
Commercial Augmentation Loop, Auto Alt Text, Azure Information Protection, Binary Conversion Services, Bookings, Delve, Document Item, Editor, Exchange Online, Forms, Insert Online Media, Insights, Kaizala, Microsoft Analytics, Microsoft Booking, Microsoft Graph, Microsoft Teams, MyAnalytics, Office 365 Cloud App Security, Office 365 Groups, OneDrive for Business, Planner, Power Apps, PowerApps, Power Automate, Power BI, PowerPoint Designer, PowerPoint Online Document Service, SharePoint Online, Skype for Business, StaffHub, Stream, Sway, To-Do, Web Rendering Service, Viva Engage

Audits, reports, and certificates

SOC 1 Type 2 reports for:

  • Azure and Power BI
  • Dynamics 365
  • Office 365

Frequently asked questions

How can I use Microsoft SOX compliance to facilitate my organization's compliance process?

When you migrate your applications and data to covered Microsoft cloud services, you can build on the attestations and certifications that Microsoft holds. Independent auditor reports attest to the effectiveness of controls that Microsoft has implemented to help maintain the security and privacy of your data. However, you're wholly responsible for ensuring your organization's compliance with all applicable laws and regulations.

Resources