The Sarbanes-Oxley Act of 2002 (SOX), also known as the Public Company Accounting Reform and Investor Protection Act of 2002, is a United States federal law enacted on July 30, 2002. It sets requirements for the boards and management of US public companies as well as for accounting firms.
The purpose of SOX is to prevent corporate scandals and rebuild the trust of the general public in the stock markets.
The goals of SOX are:
- Ensuring independence of auditors and preventing conflict of interest
- Increasing transparency by providing additional financial disclosures
- Creating an environment which supports corporate responsibility
This framework applies to US public companies and their auditors. Its reach is, however, wider, since US-listed companies that are subject to SOX often control companies outside the US. In addition, some countries have created their own versions of SOX (e.g. Japan).
SOX consists of 11 titles, each divided into more detailed sections:
- Public Company Accounting Oversight Board
- Auditor Independence
- Corporate Responsibility
- Enhanced Financial Disclosures
- Analyst Conflicts Of Interest
- Commission Resources And Authority
- Studies And Reports
- Corporate And Criminal Fraud Accountability
- White-Collar Crime Penalty Enhancements
- Corporate Tax Returns
- Corporate Fraud And Accountability
The most frequently cited sections are 302 and 404.
Section 302 (Corporate responsibility for financial reports) describes a set of procedures that guarantee the quality of financial disclosures.
Section 404 (Management assessment of internal controls) requires management to evaluate internal controls and risks.
The impact of implementing SOX on IT mainly relates to data integrity and support for audits. The focus areas are:
- Confidentiality of information
- Ensuring the integrity of data and its availability to entitled parties
- Audits and logging of events
- Change management
There are several frameworks that support SOX implementation. The most popular internal control framework is COSO.