ELI5: What is Sarbanes-Oxley?

After some big companies got caught lying about their money, the government made a rule that bosses must double-check and personally sign off that their numbers are honest.

Definition

The Sarbanes-Oxley Act (SOX) of 2002 is a US federal law enacted in response to major accounting scandals (Enron, WorldCom) that requires publicly traded companies to establish, maintain, and annually assess the effectiveness of internal controls over financial reporting. Section 404 specifically mandates that management assess internal controls and that an independent auditor attest to that assessment. IT security controls that protect financial systems are within SOX scope.

Key Details

  • Section 302: CEO and CFO must personally certify the accuracy of financial reports and the effectiveness of internal controls; criminal liability for false certifications
  • Section 404: annual management assessment of internal controls over financial reporting (ICFR); auditor must attest to management’s assessment
  • IT controls in scope: access controls to financial systems, change management, data integrity controls, audit logging
  • Applies to: US publicly traded companies and their subsidiaries; non-US companies listed on US exchanges
  • Non-compliance: criminal penalties (up to 20 years' imprisonment for willful violations), SEC enforcement, and delisting

Connections