What is SOX?

The Sarbanes-Oxley Act of 2002 (SOX) is a federal law of the United States. SOX was passed by the United States Congress and subsequently signed into law by President George W. Bush. Co-sponsored by Senators Paul Sarbanes and Michael Oxley, SOX was designed to improve the accuracy and reliability of corporate disclosures in financial statements and to protect investors from fraudulent accounting practices. The bill was introduced following the Enron Corporation, WorldCom, and Tyco International fraud and accounting scandals in the early 2000s.

The SOX regulation has eleven titles, which are further organized into sections, that set forth new or overhauled existing requirements for companies and public accounting firms. Titles 1 and 2 of the Act created the Public Company Accounting Oversight Board (PCAOB) to oversee the activities of audit firms and established requirements for external auditor independence. Titles 3 and 4, which contain some of the key provisions of SOX, require senior management to attest to the accuracy of a company’s reported financial statements (Section 302) and require the establishment of internal controls and reporting on the adequacy of the established controls (Section 404). Titles 5, 6, and 7 focus on requirements for securities analysts and requires the Securities and Exchange Commission (SEC) to conduct various studies and report on the results for topics such as securities violations, enforcement actions and other topics. Titles 8 – 11 cover penalties for destroying, manipulating or altering financial records, establishes activities such as the failure to certify financial reports and corporate fraud as criminal offenses and establishes whistleblower protections. Finally, these sections require that the company’s Chief Executive Officer sign the corporation’s tax return.

While the SOX regulation is extensive, the most significant sections are Section 302 which requires senior management to certify the accuracy of a company’s reported financial statements and Section 404 which requires establishment, testing, and reporting on internal controls over financial reporting and the adequacy of the internal control environment.