How to Comply with the Sarbanes-Oxley (SOX) Act
Compliance with the Sarbanes-Oxley Act of 2002 is a legally mandated must for all U.S. public companies and some other entities, as well. But meeting the requirements of this important law can be incredibly difficult.
Preparing for a SOX compliance audit requires so much work that companies often dedicate entire teams to the task full-time. The law is that complex. Each of its 11 titles delivers a different mandate covering oversight, auditor independence, corporate responsibility, financial statements, annual reports, and more. At the heart of it all is security.
Noncompliance is not an option. The federal Securities and Exchange Commission (SEC) enforces SOX, and its criminal provisions carry steep penalties: up to $5 million in fines and 20 years in prison for a CEO or CFO who willfully certifies a false financial report.
Will your enterprise meet the test?
Relax. We’re here to help. This guide to all things SOX answers the most commonly posed questions about the act and how to comply with it.
Sprinkled throughout, you’ll find links to SOX-related content that gives you more detail, leading you step-by-step through the SOX compliance process.
And to help you sail through that all-important audit, we’ve compiled a guide telling how to use the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework to measure your compliance.
What is SOX Compliance? – Definition & Background
SOX compliance means compliance with the Sarbanes-Oxley Act of 2002, a United States federal law enacted to protect the public from corporate fraud and accounting errors.
SOX makes financial reporting more transparent, and requires public companies to put in place a system of checks and balances to ensure that corporate financial reports are accurate.
At the same time, the internal controls that SOX requires also strengthen data security, a win for companies as well as their customers, partners, and shareholders.
Sarbanes-Oxley: A Short History
Senator Paul Sarbanes (D-MD) and Representative Michael G. Oxley (R-OH-4) wrote the Sarbanes-Oxley Act (SOX) in response to several high-profile corporate scandals, including:
- The 2001 audit failure and bankruptcy of the Houston energy company Enron Corporation, which collapsed in light of fraud and criminal activity by its executives.
- Fraudulent accounting practices at WorldCom, a telecommunications company that filed for bankruptcy in 2002. Its executives were convicted of criminal charges, and the company was fined $750 million by the Securities and Exchange Commission (SEC).
- Convictions at Tyco International, a security systems organization whose former CEO and CFO were convicted of stealing hundreds of millions of dollars from the company, falsifying business records, and violating other business laws.
The bill sailed through the House and Senate with near-unanimous passage: only three members voted against it. In signing it into law, former U.S. President George W. Bush called SOX “the most far-reaching reforms of American business practices since the time of Franklin Delano Roosevelt.”
What SOX Compliance Entails
SOX states that its purpose is “to protect investors by improving the accuracy and reliability of corporate disclosures.” In doing so, it also helped to restore shareholder confidence.
To demonstrate your ongoing compliance with SOX, your organization will need to pass annual SOX audits by an external independent auditor. Under SOX, this auditor can only perform specific services, and to make sure they follow the rules, the Public Company Accounting Oversight Board (PCAOB), created by SOX, sets standards and rules for audit reports and enforces accounting firms’ compliance.
Although SOX contains 11 sections, accountants tend to focus primarily on a few compliance requirements:
- Section 302, Corporate Responsibility for Financial Reports, which requires that:
- CEOs and CFOs review all corporate financial reports;
- The reports be “fairly presented” and free of misrepresentations;
- CEOs and CFOs hold responsibility for internal accounting controls;
- CEOs and CFOs report to the auditors and the audit committee any significant deficiencies in internal controls, and any fraud involving management or other employees with a significant role in those controls, and
- CEOs and CFOs must indicate any material changes in internal accounting controls.
- Section 404, Management Assessment of Internal Controls, a corporate governance section requiring that:
- Companies publish in their annual reports management’s assessment of the effectiveness of their internal controls and procedures for financial reporting;
- An external auditor attest to that assessment (accelerated and large accelerated filers only), and
- Executives be personally liable for certifying financial statements that turn out to be false.
- Section 806, the whistleblower provision, which forbids retaliation of any kind against employees and contractors who report or provide testimony about fraud.
SOX auditors focus on a number of other important provisions, as well, addressing such topics as:
- Access: Physical controls such as locks and physical security checks at building entry points as well as electronic controls such as identity authentication and privileged access.
- Security: Data security to prevent system breaches and information theft.
- Data Backup: Off-site backups of all financial records.
- Change Management: Defined processes to add or change users, add software, and make changes in financial databases and applications.
Who Must Comply with SOX?
SOX primarily applies to publicly-traded corporations. But some private companies must comply, as well, and some SOX provisions govern non-profit organizations.
Private companies must adhere to SOX if they:
- Are preparing for an IPO. As soon as a private company files a registration statement under the Securities Act of 1933 (the “1933 Act”), it must be in compliance with SOX–even if the company later withdraws the registration statement. If you’re planning to file this statement, you’ll need to get SOX compliant beforehand.
- Have registered debt securities. Companies with registered debt as a part of their capital structures are subject to many SOX provisions.
- May be acquired by a public company. What if your non-SOX-compliant private company were acquired by a public company? Your non-compliance could be a liability for acquisitions.
- Have a large outside shareholder base or institutional investors. Yours might not be a public company, but its shareholders may expect conformity with parts of the act, anyway—such as corporate governance requirements.
- Have an ESOP as a shareholder. If an employee stock ownership plan (ESOP) primarily or wholly owns your company, it may require higher standards of corporate governance based on the Act.
- Deal with venture capital investors, lenders, and insurers. Venture capital funds, private equity investors, and commercial banks increasingly are requiring covenants in financing agreements related to corporate governance.
Third-party providers of financial services to SOX-compliant companies must also comply with SOX. Instead of a full-blown yearly SOX audit, however, these companies may be able to show compliance with a Statement on Standards for Attestation Engagements No. 18 (SSAE 18) report, commonly called a SOC 1 report, which attests that the service organization has undergone an examination of its control objectives and control activities, including controls over information technology and related processes.
Provisions That Apply to Private Companies
Most of SOX’s provisions apply only to public companies, but some do affect private companies, including
- Criminal liability for document destruction. Penalties include fines and up to 20 years’ imprisonment for knowingly altering, destroying, concealing, or falsifying any record, document, or tangible object with intent to impede, obstruct, or influence the investigation or administration of any matter within the jurisdiction of any department or agency of the United States, or any bankruptcy case under Title 11 of the United States Code. It’s a good idea to adopt a document retention policy, or update yours, now.
- Increased penalties for securities fraud. SOX extends the statute of limitations for federal securities fraud claims to the earlier of two years after discovery or five years after the violation. It also forbids discharging in bankruptcy any debts incurred in violation of federal or state securities laws or through common-law fraud.
- Increased liability for white-collar crimes. SOX makes any attempt or conspiracy to commit an offense under white-collar-crime or consumer protection laws punishable to the same extent as the underlying crime. It also increased penalties for mail and wire fraud to 20 years, and raised penalties for certain Employee Retirement Income Security Act of 1974 (ERISA) violations.
- Liability for retaliation against whistleblowers. SOX imposes a fine and imprisonment for up to 10 years for knowingly retaliating against any person who has reported to law enforcement information regarding a federal crime or offense.
Other key provisions under SOX include those that:
- Require disclosure of off-balance-sheet transactions and relationships that might affect organizational finances;
- Prohibit personal loans from companies to executives;
- Set fines and prison terms for tampering or destroying documents during an investigation or court action; and
- Require lawyers who represent public companies before the SEC to report evidence of material securities law violations to the company’s chief legal counsel or CEO.
How Many Sections Are in SOX?
The Sarbanes-Oxley Act of 2002 (SOX) has 11 major sections, called “titles,” each of which contains subsections, called “sections,” for a total of 66.
Whew! That’s a lot of rules to follow.
The law reforms and augments four principal areas of business:
- Corporate responsibility
- Increased criminal punishment
- Accounting regulation
- New protections.
Fortunately, not every SOX section is appropriate for every organization, and not all spell out requirements for businesses to meet. A few, however, are significant, and could spell trouble for companies that don’t take them seriously.
To help you navigate this tricky terrain, we’ve summarized each SOX title and described in more detail the sections of special importance.
Title 1: Public Company Accounting Oversight Board
This title establishes the Public Company Accounting Oversight Board (PCAOB), created to oversee the audits of public companies. The board sets standards and rules for audit reports and inspects, investigates, and enforces compliance. The PCAOB oversees the independent accounting firms that audit public companies.
Title 2: Auditor Independence
This title’s nine sections describe standards for external auditor independence, aimed at eradicating conflicts of interest.
- It bars an audit firm from auditing a client whose CEO, CFO, controller, or chief accounting officer worked on that client’s audit for the firm within the preceding year.
- It sets restrictions on auditor approvals and auditor reporting requirements, including rotation of the lead audit partner.
- It prohibits an audit firm from providing specified non-audit services (such as bookkeeping, financial information systems design, internal audit outsourcing, and legal services) to an audit client; other non-audit services require audit committee pre-approval.
Title 3: Corporate Responsibility
This title makes senior executives individually responsible for the accuracy of their organizations’ financial reports.
SOX Section 302—Corporate Responsibility for Financial Reports
- Public companies must establish a system of effective disclosure controls.
- Senior corporate officers must certify in writing that the company’s financial statements “comply with SEC disclosure requirements and fairly present in all material respects the operations and financial condition of the issuer.”
- Those who knowingly certify inaccurate financial statements face criminal penalties, including prison time.
Title 4: Enhanced Financial Disclosures
This title greatly increases the number of disclosures a company must make public, requiring timely reporting of:
- Off-balance-sheet transactions
- Stock transactions involving corporate officers
- Pro-forma figures.
SOX Section 401—Disclosures in Periodic Reports
This section stipulates that annual and quarterly financial reports shall disclose material information including “off-balance-sheet transactions” and ‘other relationships’ with unconsolidated entities that may affect the financial condition of the issuing company. An off-balance-sheet transaction is “an undisclosed transaction that may expose a company to risks or loss that are not fully transparent to investors.”
SOX Section 404—Management Assessment of Internal Controls
This section regulates corporate governance.
- Management is responsible for establishing and maintaining adequate internal controls over financial reporting, and for reporting on their effectiveness.
- Companies must publish in their annual reports management’s assessment of those controls, typically measured against a recognized framework such as Internal Control—Integrated Framework from the Committee of Sponsoring Organizations of the Treadway Commission (COSO), and must disclose any material weakness, as well as their procedures for financial reporting.
- An external auditor must attest to management’s assessment (non-accelerated filers are exempt from this attestation requirement).
- Corporate executives who certify the resulting financial statements remain personally liable for false certifications.
SOX section 404 is among the most complicated, most contested, and most expensive SOX requirements with which to comply.
SOX Section 409—Real-Time Issuer Disclosures
This section requires companies to disclose “on a rapid and current basis” information concerning material changes in its financial condition or operations.
Title 5: Analyst Conflicts of Interest
This title aims to improve investor confidence in securities analysts’ reporting. It:
- Includes codes of conduct and addresses the disclosure of known conflicts of interest.
- Mandates that everything be reported, such as if the analyst holds stock in the company or has received any corporate compensation, or if the company is a client.
Title 6: Commission Resources and Authority
This title addresses the Securities and Exchange Commission’s (SEC) funding and authority, including its power to bar a person from serving as a broker, adviser, or dealer.
Title 7: Studies and Reports
This title delineates studies and reports that the SEC and the comptroller general must produce. Among these reports are analyses of public accounting firms, credit rating agencies and investment banks to ensure that they don’t engage in poor or illegal practices in securities markets.
Title 8: Corporate and Criminal Fraud Accountability
- Establishes that altering, concealing, or destroying records in hope of influencing the outcome of a federal investigation is punishable by fines and up to 20 years in prison;
- Allows imprisonment and fines for helping to defraud shareholders of publicly traded companies, and
- Provides special protections to whistleblowers.
SOX Section 802—Criminal Penalties for Altering Documents
“Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.”
SOX Section 806—Protection for Employees of Publicly Traded Companies Who Provide Evidence of Fraud
This section prohibits any “officer, employee, contractor, subcontractor, or agent” of a publicly traded company from retaliating against any employee for disclosing potential or actual violations of the section’s six categories of protected conduct:
- Securities fraud
- Shareholder fraud
- Bank fraud
- A violation of any SEC rule or regulation
- Mail fraud
- Wire fraud.
It prohibits retaliatory employment actions including discharging, demoting, suspending, threatening, harassing, or discriminating against a whistleblower. Merely “outing” or disclosing the identity of a whistleblower is actionable retaliation, according to a federal court ruling.
Remedies under SOX Section 806 include:
- Reinstatement to the seniority status that the employee would have had if discrimination had not occurred,
- Back pay, with interest,
- Compensation for special damages sustained as a result of the discrimination, including litigation costs, expert witness fees, and attorney fees.
Title 9: White Collar Crime Penalty Enhancement
This title mandates increased criminal punishment for white-collar crimes. It makes willfully certifying a false corporate financial report a criminal offense, and directs the Sentencing Commission to review and strengthen sentencing guidelines.
SOX Section 902—Attempts and Conspiracies to Commit Fraud Offenses
This section makes any attempt or conspiracy to commit a federal fraud offense punishable to the same extent as the completed offense.
SOX Section 906—Corporate Responsibility for Financial Reports
Certifying a misleading or fraudulent financial report is punishable by up to $5 million in fines and 20 years in prison.
Title 10: Corporate Tax Returns
This title expresses the sense of the Senate that the Chief Executive Officer should sign the company’s federal income tax return.
Title 11: Corporate Fraud Accountability
This title includes seven sections that define corporate fraud. It:
- Defines record tampering as a criminal offense,
- Provides sentencing guidelines and increases penalties, and
- Allows the SEC to petition a court to temporarily freeze “extraordinary payments” to directors, officers, or employees during an investigation.
What is SOX Reporting?
The Sarbanes-Oxley Act of 2002 Section 404 requires United States public companies’ annual reports to include the organization’s assessment of its own internal controls over financial reporting and, for accelerated and large accelerated filers, an external auditor’s attestation to that assessment.
The auditor’s attestation report, included in the annual report filed with the SEC, states whether the controls the filer used to ensure the accuracy, transparency, and integrity of its financial statements were effective during the fiscal year.
Only accounting firms registered with the Public Company Accounting Oversight Board (PCAOB) are authorized to perform SOX audits. Most use an internal control framework such as Internal Control—Integrated Framework, published by COSO, to generate internal control reports. Our SOX audit guide, “Preparing for a SOX Audit Using COSO,” will guide you through the steps you need to take to be audit-ready for SOX compliance.
A review of a company’s internal controls can be the largest component of a SOX compliance audit, and is the core of Section 404 compliance. The assessment will include your controls over risk and over the technologies that process or store your company’s financial data. This area will require most of your time and attention when preparing for your SOX audit.
What is a SOX Compliance Audit?
An audit to determine compliance with the Sarbanes-Oxley Act must occur once a year for:
- Public companies located in the United States
- Their wholly-owned subsidiaries
- Non-U.S. companies that have registered equity or debt securities with the SEC.
Private companies preparing to issue an Initial Public Offering (IPO) would do well to commission a SOX audit, as well, to ensure that they are compliant before becoming public. Otherwise, they could face steep penalties including fines and prison time.
SOX’s purpose is to protect shareholders, customers, and the U.S. economy from the effects of corporate fraud and accounting mistakes by requiring CEOs and CFOs to verify the accuracy of their organizations’ financial reporting. Congress enacted the law in 2002 in the wake of fraud scandals at several major companies including Enron and WorldCom.
SOX places the onus on your organization to find and hire a Public Company Accounting Oversight Board (PCAOB)-registered accounting firm to conduct the audit. The auditor will review your financial statements and your internal controls over risk as well as over the technologies you use to process financial data.
The SOX requirements are lengthy and audits can be extremely complex—making compliance expensive. Most SOX auditors use an internal control framework such as COSO’s to determine the effectiveness of internal controls. Our “Preparing for a SOX Audit Using COSO” guide helps steer you through the process of getting ready for your audit, helping to reduce the time and expense you’ll need to devote to this complex task.
Checklist – What are SOX Compliance Requirements?
The Sarbanes-Oxley Act of 2002 (SOX) is a long and complex corporate governance law. It imposes many requirements on publicly-traded companies and their service providers, aimed at ensuring the accuracy, honesty, and integrity of corporate financial statements.
Written by Sen. Paul Sarbanes (D-MD) and Rep. Michael G. Oxley (R-OH-4), SOX came about in response to a string of high-profile corporate scandals involving fraud and other crimes at Enron, WorldCom, and Tyco International, among other organizations.
Although the law is more than 60 pages long, SOX compliance generally entails meeting the mandates in Sections 302, Corporate Responsibility for Financial Reports, and 404, Management Assessment of Internal Controls.
Any public company preparing for its SOX audit can save money and time by measuring its financial reporting and data protection processes against SOX compliance requirements, providing SOX training to relevant personnel, and familiarizing itself with SOX controls before seeking the auditor’s attestation.
To help, we’ve compiled a brief list of action items for SOX compliance using the financial reports requirements in SOX Section 302 and the SOX controls list in Section 404. You can find a more detailed compliance checklist in our audit guide, “Preparing for a SOX Audit Using COSO.”
SOX Compliance Checklist
- Use an accepted framework to assess your organizational controls’ effectiveness. Most commonly used are
- COSO’s Internal Control—Integrated Framework
- Control Objectives for Information and Related Technology (COBIT), an IT governance and management framework from the Information Systems Audit and Control Association (ISACA).
- Establish safeguards to prevent data tampering and establish timelines (such as with time stamping).
- Establish verifiable controls to track and record access to sensitive data.
- Test your safeguards and controls, and report the results to the SOX auditor.
- Establish a system for detecting security breaches, and set protocols for handling and disclosing them.
- Require and collect SSAE 18 reports from service organizations that process or store your financial data.
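One way to implement the tamper-prevention, time-stamping, and access-tracking items above, as an added example that is not part of the original page or of any vendor’s product: a hash-chained audit log in which every read or change of a financial record is timestamped and bound to the entries before it with an HMAC. The ledger application, record identifiers, events, and key below are constructed for illustration. The design assumes the HMAC key lives with a separate log server or HSM, so an attacker who can edit the log file cannot re-sign it, and that the latest tag is periodically published to a separate system as an anchor against truncation.

```python
"""Tamper-evident, timestamped access log for financial records (added example)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

GENESIS = b"\x00" * 32  # chain anchor for the very first entry


class AuditLog:
    """Append-only log; each entry's tag is HMAC(key, previous_tag || entry)."""

    def __init__(self, key: bytes) -> None:
        self._key = key            # assumed to be held by the log server, not the app
        self.entries: List[Dict] = []

    def _tag(self, prev_tag: bytes, payload: Dict) -> bytes:
        # Canonical JSON so the same event always produces the same bytes.
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, prev_tag + body, hashlib.sha256).digest()

    def append(self, actor: str, action: str, record_id: str, detail: str,
               ts: Optional[str] = None) -> Dict:
        prev = bytes.fromhex(self.entries[-1]["tag"]) if self.entries else GENESIS
        payload = {
            "seq": len(self.entries),          # position in the chain
            "ts": ts or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "actor": actor,                    # who touched the record
            "action": action,                  # read / update / approve ...
            "record": record_id,               # which financial record
            "detail": detail,
        }
        entry = dict(payload, tag=self._tag(prev, payload).hex())
        self.entries.append(entry)
        return entry

    def verify(self, anchor: Optional[str] = None) -> Tuple[bool, int]:
        """Return (ok, index): index is -1 when intact, else the first bad position."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            payload = {k: v for k, v in entry.items() if k != "tag"}
            if payload.get("seq") != i:
                return False, i                # entry deleted from the middle or reordered
            expected = self._tag(prev, payload)
            if not hmac.compare_digest(expected.hex(), entry["tag"]):
                return False, i                # contents or tag edited
            prev = expected
        # A plain chain check cannot see trailing entries being dropped;
        # compare the head against a tag published to a separate system.
        if anchor is not None and (not self.entries or self.entries[-1]["tag"] != anchor):
            return False, len(self.entries)
        return True, -1


def demo() -> Dict[str, Tuple[bool, int]]:
    """Constructed scenario: three events, then two kinds of tampering."""
    log = AuditLog(key=b"demo-key-held-by-log-server")   # constructed key
    log.append("alice", "read", "GL-2024-Q3", "viewed general ledger", "2024-10-01T09:00:00+00:00")
    log.append("bob", "update", "AP-10042", "changed invoice total", "2024-10-01T09:05:00+00:00")
    log.append("carol", "approve", "AP-10042", "approved change by bob", "2024-10-01T09:20:00+00:00")
    anchor = log.entries[-1]["tag"]                      # would be published externally
    results = {"intact": log.verify(anchor)}

    # Someone with write access to the log file rewrites bob's entry after the fact.
    log.entries[1]["detail"] = "no change"
    results["edited"] = log.verify(anchor)

    log.entries[1]["detail"] = "changed invoice total"   # restore the original text
    del log.entries[-1]                                  # drop the approval entry
    results["truncated"] = log.verify(anchor)
    return results


if __name__ == "__main__":
    for name, (ok, idx) in demo().items():
        print(f"{name}: {'intact' if ok else f'tampered at entry {idx}'}")
```

verify() reports the first entry whose contents or position no longer match the chain; passing the published anchor also catches deletion of trailing entries, which a chain check alone cannot see. Testing this control for the auditor (the checklist item above on testing safeguards) amounts to re-running verify() against the exported anchors on a schedule and retaining the results.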
Many SOX compliance tasks can be automated with security software and a quality governance, risk, and compliance solution.
Supporting SOX Frameworks: COBIT and COSO
The Sarbanes-Oxley Act of 2002 (SOX) is a law regulating financial reporting at publicly traded companies and their financial service providers. It’s a corporate governance and risk management law whose long list of requirements is specifically aimed at establishing internal controls over the accuracy, transparency, and integrity of financial statements. To ensure that those controls are effective, auditors use a control framework.
The most commonly used frameworks for auditing SOX are:
- The COSO publication Internal Control—Integrated Framework
- Control Objectives for Information and Related Technology (COBIT), an IT governance and management framework from the Information Systems Audit and Control Association (ISACA).
COSO’s guide, written by the Committee of Sponsoring Organizations of the Treadway Commission, advises organizations on how to use internal controls to prevent fraud. Although it predates SOX, it became the de facto benchmark for Section 404 assessments, and it confines itself to internal control over financial reporting. COBIT 5, meanwhile, extends beyond financial reporting to governance of the whole IT environment. The two therefore complement each other, and the overarching risk, compliance, and governance program.
Which should you use to determine your compliance? That depends on your organization and, in particular, the preferences of your SOX auditor. To help you decide, here are brief descriptions of both.
COSO’s Internal Control—Integrated Framework lists five components of internal control:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities.
This COSO document, first published in 1992 and revised in 2013, also sets out 17 principles, with supporting “points of focus” to help organizations design, implement, conduct, monitor, and assess internal control processes.
Although not specifically created for SOX, the framework’s guidelines satisfy SOX requirements—so many auditors use COSO to audit for SOX compliance. Essentially, COSO and SOX go hand-in-hand, the framework helping entities to protect their data, especially financial information, from tampering and unauthorized changes of any kind. Auditors know that mapping COSO principles to SOX controls is a great way to determine SOX compliance.
Another COSO framework, Enterprise Risk Management — Integrated Framework, may also prove helpful. It is at once an internal control framework and a risk management framework. COSO last updated it in 2017 and publishes a set of frequently asked questions about it.
The COBIT framework is designed to help your organization maximize its governance in all areas while minimizing risk, especially IT-related risk.
Developed by the Information Systems Audit and Control Association (ISACA), COBIT is a complex framework: COBIT 5 defines 37 governance and management processes. Adopting it is a lengthy and complicated journey, requiring a dynamic approach to enterprise governance and a recognition that, in the digital age, IT is a central component of business from end to end.
So—how does COBIT relate to the Sarbanes-Oxley Act of 2002?
In most companies, data moves among various groups and IT systems to end up in the financial reports that SOX Sections 302 and 906 require the CEO and CFO to certify. Attesting to the accuracy of that data requires confidence in accounting procedures and controls, the area addressed by the COSO framework.
But a SOX 404 assessment also requires executives to be confident in their IT systems and databases, and in the processes and controls around them. COBIT 5, since updated to COBIT 2019, helps implement governance and control over IT by providing a general controls matrix. Auditors may apply COBIT IT control objectives in SOX compliance audits.
Penalties for SOX Noncompliance
The punishment can be extremely harsh for non-compliance with the Sarbanes-Oxley Act of 2002 (SOX). Non-compliance can bring criminal penalties including steep fines and prison time.
The United States federal government enacted SOX in response to fraud and other criminal scandals at Enron, WorldCom, and other public companies. The law requires companies to use strong internal controls over their data and financial reporting to ensure that financial statements are transparent and accurate.
SOX applies to:
- Publicly held American companies,
- International companies that have registered equity or debt securities with the U.S. Securities and Exchange Commission (SEC),
- Third-party businesses, including accounting firms, that provide financial services to either of the above.
SOX requires CEOs and CFOs to sign attestations that their organizations’ periodic reports containing financial statements are accurate.
Under SOX Section 906, anyone who certifies a periodic report knowing that it does not meet the act’s requirements is subject to up to $1 million in fines and 10 years’ imprisonment.
If the false certification is willful, the maximum penalty increases to $5 million and 20 years’ imprisonment.
How to Automate SOX Compliance
Compliance with the Sarbanes-Oxley Act of 2002 (SOX) requires so much work and time that companies often designate people or even entire teams full-time to the task. The costs of SOX compliance, risk and control automation, however, can shave many hours from the effort.
According to federal law, every public company must comply with SOX. The U.S. Securities and Exchange Commission watches financial reporting closely and, since the law’s passage in 2002, has required that those reports be transparent, accurate, and verified by an independent auditor. Noncompliance could cost your organization millions in fines and send your CFO or CEO to prison for up to 20 years.
If you’re using old-fashioned spreadsheets to track your compliance efforts, you’re doing it all wrong. A quality governance, risk, and compliance software solution can do so much of the work of SOX compliance for you, including:
- Monitoring of internal controls, including access controls
- Real-time, continual risk assessment
- SOX Section 404 controls testing automation
- Unlimited internal audits in just a few clicks
- User-friendly dashboards showing your SOX compliance posture in a glance.
Reciprocity’s GRC solution, ZenGRC, has all these features and more. It also consolidates all your compliance efforts, showing where controls for one framework meet requirements for others, so you can avoid duplicating your work.
And ZenGRC’s “Single Source of Truth” repository gathers and stores all your documentation in one easy-to-access location so that, when PCAOB-registered external auditors need to see your SOX audit trail, you can provide the evidence quickly and easily.
Some organizations spend years getting to SOX compliance, and significant time and effort maintaining it. Yours doesn’t have to be one of them. Why not let ZenGRC do much of your SOX heavy lifting for you? Then you’ll be freer to focus on other concerns, such as serving your customers and boosting your bottom line.