SOX Folder Governance




Information that is stored for SOX documentation and compliance should be separated from other business content in your account. Create shared folders with granular permissions to serve as protected access points for collaboration.


Account Structure

In the Box administration console, create a group specifically for SOX custodians and the individuals delegated to create and maintain this content. Content creators should have at least an Editor role so they can edit, upload and delete content. Individuals such as third-party auditors can be invited with a Viewer role, so they can consume but not create content.

Common Roles

  • Admin: Account administrator
  • Co-Admin: Account co-admin or C-level responsible for SOX compliance. The CFO, for example, is a member of the audit team and closely monitors the compliance process and control effectiveness. A compliance officer might also fill this role.
  • Group Admin: Custodian responsible for SOX compliance, such as the SOX project manager. A process owner might also fill this role.
  • Audit Committee: Create a group that is responsible for defining the controls of the SOX environment and working together to build the folder structure, taxonomy and process.

Common Folders

  • Budgets
  • Financial Reports
  • General
  • Insurance
  • Payments
  • Policies
  • Procedures
  • Sales Data
  • Tax
  • SOX
    • General Ledger
    • Revenue

Folder Settings
Use the following settings to enhance the security and validity of information stored in your SOX folder structure.

Folder Properties – Disable uploads by email. In the security tab, allow only owners and co-owners to send collaboration invites, and restrict shared links to collaborators only.

Figure 1: These settings can also be set at the account level.
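One way to check a folder against the role guidance and folder properties above, as an added example that is not part of the original article or Box's own code. The field names (`folder_upload_email`, `can_non_owners_invite`, `shared_link.access`, `role`, `accessible_by`) are assumed to match the folder and collaboration JSON returned by the Box API, and the sample data is constructed.

```python
def audit_sox_folder(folder, collaborations, company_domain):
    """Return a list of findings for one folder; an empty list means compliant."""
    findings = []
    # Uploads by email should be disabled (no upload address configured).
    if folder.get("folder_upload_email"):
        findings.append("upload-by-email enabled")
    # Only owners and co-owners should send invites; a missing field is flagged.
    if folder.get("can_non_owners_invite", True):
        findings.append("non-owners can invite collaborators")
    # A shared link, if one exists, must be limited to collaborators.
    link = folder.get("shared_link")
    if link and link.get("access") != "collaborators":
        findings.append(f"shared link access is '{link.get('access')}'")
    # Outside parties such as third-party auditors may only hold the Viewer role.
    suffix = "@" + company_domain.lower()
    for collab in collaborations:
        login = (collab["accessible_by"].get("login") or "").lower()
        if not login:  # group collaborations carry no login; review them separately
            continue
        if not login.endswith(suffix) and collab["role"] != "viewer":
            findings.append(f"external user {login} has role '{collab['role']}'")
    return findings


# Constructed sample input (assumed shape, not real account data).
SAMPLE_FOLDER = {
    "name": "SOX",
    "folder_upload_email": {"access": "open", "email": "upload.sox@example.invalid"},
    "can_non_owners_invite": True,
    "shared_link": {"access": "company"},
}
SAMPLE_COLLABS = [
    {"role": "editor", "accessible_by": {"type": "user", "login": "controller@example.com"}},
    {"role": "viewer", "accessible_by": {"type": "user", "login": "auditor@auditfirm.example"}},
    {"role": "editor", "accessible_by": {"type": "user", "login": "temp@auditfirm.example"}},
    {"role": "editor", "accessible_by": {"type": "group", "name": "SOX Custodians"}},
]

if __name__ == "__main__":
    for finding in audit_sox_folder(SAMPLE_FOLDER, SAMPLE_COLLABS, "example.com"):
        print("FINDING:", finding)
```
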

Content Expirations – If content is time-sensitive, use content sharing expirations and auto deletion options. Alternatively, you can add password protection for the most secure file sharing scenarios.


For example, you could use passwords to control access timing for releasing quarterly results. You would send everyone the link to the password-protected file and only release the password for the file at the specified time (for example, 9 am).


Locking Files – If you do not want anyone editing content while you are working on it, you can lock a file for editing. You can unlock the file manually or set the lock to expire automatically at a specified time.

Figure 2: The content owner and folder owner can unlock files.

Auditing Files
Box automatically tracks when anyone views, edits, downloads or creates a file. You can easily report on who accessed which content and when – helping you understand what has happened around a single piece of content. Box also tracks and maintains a complete version history from a document control perspective.

Figure 3: If the name is unknown, Box displays the IP address.

