Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley Act, often abbreviated as SOX, is a United States federal law passed in 2002 in response to corporate failures and fraud that resulted in substantial financial losses to institutional and individual investors in the early 2000s. SOX was designed to enhance transparency and accountability in financial reporting and to protect investors and the public from fraudulent financial practices within publicly traded companies.

Definition and purpose

The Sarbanes-Oxley Act is primarily aimed at restoring and maintaining investor confidence in the financial markets. Its core objectives include:

  • Ensuring the accuracy and reliability of corporate financial disclosures
  • Holding corporate executives and boards of directors accountable for the accuracy of financial statements
  • Establishing stringent internal control requirements to prevent fraud and financial misstatements
  • Enhancing corporate governance by requiring independent oversight of financial reporting

Governing body

The Sarbanes-Oxley Act is enforced and overseen by the U.S. Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB). The SEC enforces compliance with SOX requirements against issuers and their officers. The PCAOB, which SOX itself created and which operates under SEC oversight, registers and inspects the firms that audit public companies and sets the auditing standards those firms must follow.

Last updated

SOX itself has been amended only modestly since it passed in 2002. The most significant change came with the Dodd-Frank Act of 2010, which permanently exempted non-accelerated filers (smaller public companies) from the Section 404(b) auditor attestation requirement while leaving management's own assessment in place. Several further bills have been introduced over the years; one recent proposal would amend the act to permit the PCAOB to open its disciplinary proceedings to the public, among other changes.

Applies to

The Sarbanes-Oxley Act applies primarily to companies whose securities are registered with the SEC or traded on U.S. exchanges, regardless of industry, including foreign private issuers listed in the United States. A few provisions reach further: the criminal prohibitions on destroying or falsifying records in connection with a federal investigation (Section 802) and on retaliating against whistleblowers (Section 1107) apply to private companies and individuals as well. Beyond those, SOX does not bind private companies, but its internal control requirements are widely treated as best practice, particularly by companies preparing for an IPO or for acquisition by a public company.

Controls and requirements

SOX mandates various controls and requirements, including but not limited to:

  • Internal Control Framework: Both the SEC's regulations and the PCAOB's auditing standards require management to base its assessment of the effectiveness of the company's internal control over financial reporting (ICFR) on a suitable, recognized control framework established by a body of experts that followed due process procedures. Neither mandates a particular framework, but the Committee of Sponsoring Organizations of the Treadway Commission's "Internal Control—Integrated Framework" (the COSO Framework) is the one most commonly used. In practice the assessment covers not only manual accounting controls but also the IT general controls (ITGCs) over in-scope financial systems: user access provisioning and periodic access reviews, segregation of duties, change management for application and infrastructure changes, and backup and operations controls. This is where security teams most often intersect with SOX.
  • CEO and CFO Accountability: Under Section 302, the CEO and CFO must personally certify, in each quarterly and annual report, that the financial statements are accurate and that they have evaluated the company's disclosure controls and internal controls. Section 906 adds criminal penalties for knowingly certifying a report that does not comply.
  • Auditor Independence: Title II of the act restricts the non-audit services an audit firm may provide to its audit clients, requires rotation of the lead audit partner, and requires the auditor to report to an independent audit committee of the board (Section 301) rather than to management.
  • Auditor Attestation: Under Section 404(b), the company's independent auditor must attest to, and report on, management's assessment of the effectiveness of internal control over financial reporting.

Please refer to the official legal text for detailed information on SOX requirements. 

Audit type, frequency, and duration

SOX compliance involves both internal and external audits:

  • Internal Audits: Under Section 404(a), management must assess the effectiveness of internal control over financial reporting every year and include its report in the annual report filed with the SEC (Form 10-K for domestic issuers). Most companies support this with year-round internal audit testing of key controls, including the IT general controls over financial systems, so that deficiencies are found and remediated before year end rather than surfacing during the external audit.
  • External Audits: Under Section 404(b), the independent auditor must report whether it agrees with management's assessment, issuing its own opinion on the effectiveness of internal control over financial reporting as part of the annual audit. Non-accelerated filers and emerging growth companies are exempt from this attestation, though not from management's own assessment. The duration of the external audit varies with the size and complexity of the company but typically spans several weeks to months, and auditors commonly request evidence such as access review records, change tickets, and system-generated user lists for in-scope systems.
