SOX compliance for digital asset treasury management

The Sarbanes-Oxley Act of 2002 was created in the wake of high-profile corporate fraud and financial mismanagement cases like the Enron scandal.

Sarbanes-Oxley, often shortened to Sarbox or SOX, brought in reforms that required United States public companies to adhere to a set of standards for accounting and corporate responsibility.

SOX principles are now well-established in the corporate sphere. But what about when it comes to emerging financial technologies?

This article will look at how SOX measures can be applied to digital asset treasury management, using the specific example of Bitcoin.

Please note: this article is intended for general informational purposes and does not constitute financial advice.

SOX compliance: an overview

The SOX Act covers several key areas of corporate responsibility, from enhanced financial disclosures to leadership oversight. We will cover some of these in more detail below.

Who does SOX apply to?

There are some exceptions, but SOX primarily applies to:

  • US publicly listed companies
  • Non-US companies that have registered debt or equity with the US Securities and Exchange Commission (SEC)
  • Accounting firms that carry out SOX audits.

Companies that are not required by law to comply with SOX requirements should nonetheless consider it, for two main reasons.

  • Firstly, if they are considering an IPO, or may become public through a purchase process, then laying the groundwork for a SOX-compliant approach in advance will save time, expense, and complication in the future.
  • Secondly, SOX requirements are widely considered to be best practice. Adhering to the principles of the SOX Act is an investment in corporate responsibility and building a culture of financial transparency.


Finally, when it comes to digital assets, the evolving nature of the regulatory landscape and recent events such as the collapse of FTX have put compliance issues in the spotlight.

The US Institute of Internal Auditors has recently called for more robust governance requirements for cryptocurrency exchanges, while the Securities and Exchange Commission (SEC) has issued interpretive guidance on accounting in the crypto custody sphere.

Companies holding or operating with digital assets can lay the groundwork for any future regulatory changes by following SOX guidelines wherever possible.

SOX compliance and digital assets

alt Bitcoin transaction on a spreadsheet

Digital asset treasury operations is still considered a new field where industry standards continue to evolve.

The underlying technology, such as decentralized finance (DeFi) and blockchain, may seem very different to established financial processes in the fiat world.

However, the “transparency by design” of blockchain-based digital assets such as Bitcoin, which runs on an immutable public ledger, can help a SOX-informed approach to treasury management.

Before we explore this in more detail, let’s look at which parts of the SOX legislation are most relevant when it comes to digital asset treasury management.

Relevant sections of SOX

SOX is divided into 11 parts, which are called “titles” in the wording of the legislation. These titles are further broken down into sections.

Some sections are particularly relevant when it comes to treasury operations because they relate to internal controls and reporting. These include:

  • Section 302: Corporate Responsibility for Financial Reports
  • Section 401: Disclosures in Periodic Reports
  • Section 404: Management Assessment of Internal Controls

Let’s cover these one by one.

Section 302

This section is focused on financial reporting and stresses the personal accountability of the officers (ie the CEO and CFO) who sign off on a company’s financial disclosures. Specifically, during the quarterly and annual reporting period.

Section 401

Again, the focus of this section is on financial disclosures. It states that any information provided to the public or the SEC must not contain untrue statements or omit any facts.

In keeping with the financial transparency goals of SOX, financial statements must comply with Generally Accepted Accounting Principles (GAAP). Off-balance sheet transactions must also be reported on.

Section 404

This section concerns internal controls and requires that the CFO and CEO take responsibility for this. Specifically, the responsibility for establishing and maintaining controls over financial reporting.

As Deloitte notes in its SOX compliance readiness guide (PDF), contributions to financial reports come from across the business, so controls are needed over processes and systems that feed into the reports as well as the reports themselves.

Challenges of SOX compliance

Let’s now look at some of the challenges faced by organizations when applying these principles to digital asset treasury management.

Difficulty in implementing internal controls

One the main challenges in creating systems for financial disclosures of digital assets is the incompatibility of the raw data with legacy financial systems.

This can result in labor-intensive manual processes for finance teams, who must reconcile data from, for example, the Bitcoin blockchain with financial reports structured for fiat currency.

Not only are such manual processes time-consuming, but they can also lead to inaccuracies caused by human error.

Furthermore, there can be a significant cost to the business when key staff are involved in activity that peaks around reporting periods, rather than being able to focus on tasks that generate value or relate to business functions such as risk management.

Lack of understanding among stakeholders

SOX is clear about the personal responsibilities of CFOs and CEOs when it comes to management oversight of internal controls. However, there can be a steep learning curve when it comes to operating with digital assets.

Unfamiliarity with the underlying technology can cause additional complications for leadership, internal audit teams, and external auditors alike.

A recent PwC survey found that many compliance teams are already struggling to keep pace with the escalating complexity of external requirements.

Risks around third-party contractors

SOX requires that any third-party providers that a business uses are SOX compliant in their own processes.

This can create additional headaches for compliance teams when it comes to procurement of digital asset custodial services, exchange platforms or payroll providers.

Treasury operations with Fortris

Fortris is a digital asset treasury management platform that supports the reporting and security requirements of enterprise business and financial institutions.

The Fortris platform works in harmony with existing financial systems such as enterprise resources planners (ERPs) and accounting software, such as Oracle NetSuite (via the dedicated Fortris SuiteApp).

Here are some of the ways Fortris delivers a compliance-ready solution for finance teams and C-suite leadership alike.

No single point of failure

When it comes to authorizing payments, Fortris divides the responsibility between multiple users.

These roles can be configured at a team and individual level to exactly mirror the existing access controls of the business.

GAAP-compatible reporting

Fortris creates detailed journal reports that translate raw blockchain data into a user-friendly format.

Finance teams get the best of both worlds – the inherent transparency of blockchain, and a tailored subledger that is compatible with legacy financial systems.

This also means CEOs and CFOs can have a single view of the company’s complete financial position, rather than having to decode complicated raw blockchain data.

User actions are logged

Fortris has been built to support a culture of financial transparency. The system records which individuals created and signed off on each transaction made within the system.

alt Screenshot of a spreadsheet with 7 columns showing

An example of a Fortris journal entry.

Minimize counterparty risk

Companies that wish to avoid exposure to third-party custodians and exchanges can use the Fortris PSP and self-custody tools to securely manage their own digital assets.

Fortris also has an inbuilt account recovery tool that means no business is reliant on the Fortris system to access its digital assets.

Fortris handles digital asset treasury operations for enterprise business.

Want to learn more? Book a demo today.

Table of contents