Sarbanes-Oxley Act

U.S. Sarbanes-Oxley Act of 2002

Published under Risk Management
Title: Public Company Accounting Reform and Investor Protection Act of 30 July 2002 (commonly referred to as ‘Sarbanes-Oxley’ after the bill’s sponsors, Senator Paul Sarbanes (D-Md.) and Representative Michael G. Oxley (R-Oh.); and commonly abbreviated to ‘SOX’ or ‘Sarbox’)
Source reference:
Topic: U.S. Federal legislation with regard to corporate governance, auditing requirements, public disclosure, financial management and general reporting obligations for U.S. public enterprises.
Direct / indirect relevance Indirect. The text focuses on corporate governance, including auditing, disclosure and reporting, which implies an obligation to implement appropriate RM/RA measures with regard to network/information security.
Scope: Applicable only to U.S. public enterprises, the latter being understood as any company which offers its securities (i.e., stock, options, bonds, etc.) for sale to the general public in the U.S., or from a formal perspective, a company which has filed a Form S-1 with the Securities and Exchange Commission (SEC - and raises money from the public on the U.S. markets.
Legal force: U.S. Federal legislation, which applies directly to any public companies in the U.S. as described above.
Affected sectors: Any public companies in the U.S. as described above.
Relevant provision(s): In the field of RM/RA, the main provisions are generally considered to be Sections 302 and 404.

(a) REGULATIONS REQUIRED.—The Commission shall, by rule, require, for each company filing periodic reports under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m, 78o(d)), that the principal executive officer or officers and the principal financial officer or officers, or persons performing similar functions, certify in each annual or quarterly report filed or submitted under either such section of such Act that—
(1) the signing officer has reviewed the report;
(2) based on the officer’s knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading;
(3) based on such officer’s knowledge, the financial statements, and other financial information included in the report, fairly present in all material respects the financial condition and results of operations of the issuer as of, and for, the periods presented in the report;
(4) the signing officers—
(A) are responsible for establishing and maintaining internal controls;
(B) have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared;
(C) have evaluated the effectiveness of the issuer’s internal controls as of a date within 90 days prior to the report; and
(D) have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date;
(5) the signing officers have disclosed to the issuer’s auditors and the audit committee of the board of directors (or persons fulfilling the equivalent function)—
(A) all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer’s ability to record, process, summarize, and report financial data and have identified for the issuer’s auditors any material weaknesses in internal controls; and
(B) any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls; and
(6) the signing officers have indicated in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.
 (b) FOREIGN REINCORPORATIONS HAVE NO EFFECT.—Nothing in this section 302 shall be interpreted or applied in any way to allow any issuer to lessen the legal force of the statement required under this section 302, by an issuer having reincorporated or having engaged in any other transaction that resulted in the transfer of the corporate domicile or offices of the issuer from inside the United States to outside of the United States.
(c) DEADLINE.—The rules required by subsection (a) shall be effective not later than 30 days after the date of enactment of this Act.

(a) RULES REQUIRED.—The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall—
(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.


(b) INTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.
Relevance to RM/RA: Specific accounting standards for public accounting firms are created and supervised by the Public Company Accounting Oversight Board (, established by Sarbanes-Oxley. Apart from increased penalties for corporate fraud cases, Sarbanes-Oxley is specifically relevant because of its introduction of a set of obligations for the targeted public companies, including:

• A requirement that they evaluate and disclose the effectiveness of their internal controls with regard to financial reporting. Independent auditors are required to attest to the validity of this disclosure (Section 302);
• A requirement to have certain financial reports certified by chief executive officers and chief financial officers (Section 404);

Affected companies must install the appropriate procedures and take appropriate measures to ensure compliance with these requirements. As indicated above, this includes all companies which offer their securities (i.e., stock, options, bonds, etc.) for sale to the general public in the U.S. Thus, the scope of Sarbanes-Oxley can include non-U.S. established companies.

See also

We use cookies to ensure we give you the best browsing experience on our website. Find out more on how we use cookies and how you can change your settings.

Ok, I understand No, tell me more