Sarbanes-Oxley Act of 2002 (SOX)
SOX, the Public Company Accounting Reform and Investor Protection Act, was enacted in July 2002 to improve corporate integrity and help restore investor confidence.

The focus of SOX is in three areas:

  • Corporate governance and gatekeeping
  • Personal accountability and responsibility
  • Enhanced disclosure and financial reporting

SOX has significantly increased the accountability of directors, officers, auditors, and legal counsel.

The main regulatory bodies for SOX are the Securities and Exchange Commission (SEC), the New York Stock Exchange, and NASDAQ.

The main oversight organization for SOX is the Public Company Accounting Oversight Board (PCAOB), developed by the SEC specifically to oversee the audits of public companies under SOX.

Even though the initial focus was on public companies, private companies are now embracing SOX as a best practice for overseeing the internal controls and processes surrounding financial reporting.

SOX does not directly regulate Information Technology or security. However, IT is the backbone of the financial processes that SOX regulates.

Section 302, "Certification of Financial Reports", requires that the CEO, the CFO, and an attesting public accounting firm certify the accuracy of the financial statements and certify that the statements fairly present the operations and financial condition of the issuer. It also requires that the material information used to generate those reports be safely retained and made available to the public. This in turn requires that the IT systems which generate and retain that information be secure and reliable.

Section 404 addresses the necessity for corporate management to be fully accountable for the integrity of all data associated with their financials. The management team must establish and maintain adequate internal controls over their financial reporting systems to safeguard against unauthorized and improper use of financial information. SOX also requires that companies keep detailed records related to their financial systems. This includes electronic records as well as paper records. The requirement to securely retain these records is critical.

Best Practices for Complying with SOX

The most widely used best practice for complying with SOX is the Committee of Sponsoring Organizations (COSO) Internal Control-Integrated Framework.

COSO has been accepted by the American Institute of Certified Public Accountants (AICPA) and the Auditing Standards Board (ASB).

COSO states that there are five components associated with creating, maintaining, and verifying internal controls:

  1. Control Environment
  2. Risk Assessment
  3. Control Activities
  4. Information and Communication
  5. Monitoring

Using Pivot Group to Assist in SOX Compliance

  • Policies, Processes, and Procedures Reviews and Improvement
  • Risk Assessments, Monitoring, Auditing, and Reporting
  • Technology Recommendations and Deployment
  • Best Practice Education

For more information about SOX, please refer to our Resource Guide.