In SOX reporting, the IT department provides the proof that the company is in compliance by demonstrating that the organization has met the necessary data security and financial transparency thresholds. 

In 2002, the United States Congress passed the Sarbanes-Oxley Act (SOX) to help protect investors and the general public from fraudulent financial reporting by corporations.   

As part of the Sarbanes-Oxley Act of 2002, a company has to establish internal controls and procedures for financial reporting and evaluate the adequacy of those controls. Every corporation has to produce an internal control report stating that managers are responsible for maintaining internal controls and procedures for financial reporting.

Senator Paul Sarbanes, a Democrat from Maine, and Congressman Michael Oxley, a Republican from Ohio, crafted Sarbanes-Oxley to enhance corporate governance and accountability in the wake of high-profile financial scandals at large corporations, such as Enron Corp., Tyco International PLC, and WorldCom. 

After these scandals, investors were no longer confident that they could trust the financial statements of any corporation. Consequently, they demanded that legislators overhaul decades-old regulatory standards.

As such, the Sarbanes-Oxley Act of 2002 set strict standards for financial reporting by public companies in the United States. However, parts of the law also apply to private companies and non-profit organizations. 

Section 302 of the Sarbanes-Oxley Act relates to a company’s financial reporting. SOX mandates that an organization’s CEO and CFO personally certify that all records are complete and accurate. Specifically, they must confirm that they accept personal responsibility for all internal controls and that they have reviewed these controls in the past 90 days.

In addition, the CEO and CFO are required to report any deficiencies in the internal accounting controls as well as any fraud involving the management of the audit committee.

Additionally, SOX compliance pertains to companies that file public statements with the U.S. Securities and Exchange Commission and the accounting firms that perform their audits.

Section 404 of the Sarbanes-Oxley Act requires that companies provide annual disclosures and quarterly updates to shareholders and the U.S. Securities and Exchange Commission. Section 404 also requires that management and auditors create internal controls and reporting methods to ensure the adequacy of those internal controls.

Section 404 also mandates that an annual financial report include an internal control report stating that management is responsible for an “adequate” internal control structure, and an assessment by management of the effectiveness of the control structure. 

However, some critics of the Sarbanes-Oxley Act have complained that the requirements in Section 404 can negatively affect publicly traded companies because it’s expensive to develop and maintain the required internal controls.

Section 802 of the Sarbanes-Oxley Act contains three rules that affect recordkeeping. One pertains to destroying and falsifying financial data. Another rule details how long a company must store its records. The third rule defines the specific business records that companies must store, including electronic communications.

Besides the financial side of a business, such as audits, accuracy, and controls, the Sarbanes-Oxley Act also details the requirements for information technology departments regarding electronic records.

Although SOX doesn’t indicate a specific set of business practices in this regard, it does detail the records an organization needs to keep on file and for how long. In addition, the Sarbanes-Oxley Act doesn’t specify how a company should store its records, just that the IT department has to store them.

To ensure SOX compliance, companies must have the correct internal controls in place to ensure the accuracy of their financial data. The Public Company Accounting Oversight Board (PCAOB) enforces Sarbanes-Oxley.