What does the US Sarbanes-Oxley (SOX) Act of 2002 stand for? Who is it for? And what are the most important controls covered by the Act? Find out in our quick guide below.
What does SOX stand for?
The Sarbanes-Oxley Act (SOX), also known as the Corporate Responsibility Act, is a US regulatory framework that was implemented in 2002 in response to a series of large corporate frauds in the US capital markets. It introduced a new set of reforms to existing securities law and imposed much stricter penalties on executives and organisations that committed accounting fraud against investors.
The main objective of the mandate was, therefore, to increase accountability within boards for more accurate and reliable financial reporting. This also meant tighter and more demanding internal control and audit requirements for organisations.
SOX is all about corporate governance and financial disclosure. So, a large aspect of it is focussed on ensuring the accuracy of financial reporting and facilitating the processing of financial transactions through the so-called internal controls over financial reporting (ICFR).
In addition to the strict regulatory requirements, SOX also introduced a protection measure for company whistleblowers who are willing to provide evidence of fraud, which prohibits companies from retaliating against them.
Who must comply with SOX?
The SOX mandate applies to all US public companies, affecting all their wholly-owned domestic and foreign subsidiaries that are operating and publicly trading in the US. According to Section 404, all publicly traded firms, regardless of size, must include an Internal Controls Report in their year-end financial reporting, whilst all large organisations must also have an external annual audit of their ICFR.
SOX is also relevant for all accounting firms that audit public companies in the US. Under the SOX regulation, firms that perform audits for a publicly held company are prohibited from providing any additional services to it, such as bookkeeping, business valuations, designing or implementing an information system, investment advisory, banking services, and/or consulting on other management issues.
Privately-owned companies, charities and non-profit organisations are generally exempt from complying with SOX. However, they're still required to keep all company data secure and must not knowingly destroy or falsify any financial data and documentation. Privately held companies that are planning to go public through an IPO would also have to get ready to comply with SOX before their actual listing.
What are the most important controls covered by SOX?
The SOX regulatory framework consists of the following 11 section titles:
Public company accounting oversight board
Auditor independence
Corporate responsibility
Enhanced financial disclosure
Analyst conflicts of interest
Commission resources and authority
Studies and reports
Corporate and criminal fraud accountability
White-collar crime penalty enhancements
Corporate tax returns
Corporate fraud and accountability
Each title covers a number of sections, but in terms of compliance, sections 302, 401, 404, 409, 802, 806, 902 and 906 are considered to be the most important. Below is a brief overview of each one of these core sections:
SOX Section 302: Corporate Responsibility for Financial Reports
Every public company is required to submit periodic financial reports to the US Securities and Exchange Commission (SEC). Both the CEO and CFO must review and sign off all reports, and certify that all reported information is "fairly presented". In addition, they are also responsible for implementing and managing an effective internal SOX control process and framework.
SOX Section 401: Disclosures in Periodic Reports
All financial statements should be accurate and presented in a way that doesn't contain incorrect statements or omit to state material information. Such financial statements should also include all material off-balance sheet liabilities, obligations and transactions.
SOX Section 404: Management Assessment of Internal Controls
All annual financial reports must include an Internal Control Report stating that management is responsible for an "adequate" internal control setup, and an assessment of the effectiveness of that setup. The report should also include any shortcomings in these controls. Additionally, appointed external auditors must attest to the accuracy of the company management's assertion that internal accounting controls are in place, operational and effective.
SOX Section 409: Real Time Issuer Disclosures
Companies are required to report in real-time any information concerning material changes in their financial condition or operations.
SOX Section 802: Criminal Penalties for Altering Documents
Anyone who knowingly alters documents in an ongoing legal investigation, audit, or bankruptcy proceeding can be fined, imprisoned for no more than 20 years, or both.
SOX Section 806: Protection for Employees of Publicly Traded Companies Who Provide Evidence of Fraud
SOX provides whistleblower protection for anyone who is willing to give evidence of fraud, and prohibits companies from retaliating against them.
SOX Section 902: Attempts & Conspiracies to Commit Fraud Offenses
It is a crime for any person to corruptly alter, destroy, mutilate, or conceal any document with the intent to impair the object's integrity or availability for use in an official proceeding.
SOX Section 906: Corporate Responsibility for Financial Reports
Under this section, anyone who certifies a misleading or fraudulent financial report can be liable for $5 million in fines and 20 years in prison.
How to comply with SOX
Complying with SOX is an onerous and expensive process. According to a 2008 SEC survey of officers at public companies, Sarbanes-Oxley cost the average company $2.3 million annually in direct compliance costs, including staff time, documentation, and external audits, compared with estimates of $91,000 in annual costs before the Act was passed.
SOX compliance is usually implemented in two stages:
Stage 1) An external auditor who specialises in SOX compliance is appointed to implement a comprehensive audit and identify any risk areas for the organisation
Stage 2) An effective internal control system is adopted to facilitate and ensure the company's ongoing SOX compliance
But what is an effective internal control system?
It's a system of internal controls that allows organisations to establish and maintain a complete audit trail (preferably in real time) of all relevant financial data, documentation and procedures required under SOX.
Adopting a specialised internal controls management software like ControlNet can significantly facilitate the entire SOX compliance process by eliminating the need to use inefficient, manual and paper-based systems and processes.