Sarbanes-Oxley FAQ

What is the Sarbanes-Oxley Act of 2002?
Effective in 2006, all public companies will be required (for the first time) to submit an annual assessment of the effectiveness of their internal financial auditing controls to the Securities and Exchange Commission (SEC). Each company's external auditors are also required to audit and report on management's internal control reports, in addition to the company's financial statements.

Why was the Sarbanes-Oxley Act passed?
The Sarbanes-Oxley Act of 2002, also known as SOX, was passed in response to the accounting scandals at Enron, WorldCom, Global Crossing, Tyco and Arthur Andersen, which resulted in billions of dollars in corporate and investor losses. These huge losses negatively impacted the financial markets and general investor trust. The Sarbanes-Oxley Act mandates a wide-sweeping accounting framework for all public companies doing business in the US.

What companies need to comply with Sarbanes-Oxley?
All publicly-traded companies in the United States, including all wholly-owned subsidiaries, and all publicly-traded non-US companies doing business in the US are affected. In addition, any private companies that are preparing for their initial public offering (IPO) may also need to comply with certain provisions of Sarbanes-Oxley.

When did Sarbanes-Oxley compliance take effect?
All parts of the Sarbanes-Oxley Act with the exception of Section 409 are effective now. For Section 404, public companies with a market capitalization over US $75 million needed to have their financial reporting frameworks operational for their first fiscal year-end report after November 15, 2006, then for all quarterly reports thereafter. For smaller companies, compliance is required for the first fiscal year-end financial report, then for all subsequent quarterly financial reports after July 15, 2006.

What is the Sarbanes-Oxley Act comprised of?
The Sarbanes-Oxley Act itself is organized into eleven sections, but sections 302, 404, 401, 409, 802 and 906 are the most important in terms of compliance. Section 404 seems to cause the most difficulties for compliance. More specifically, Sarbanes-Oxley established new accountability standards for corporate boards and auditors, established a Public Company Accounting Oversight Board (PCAOB) under the Securities and Exchange Commission (SEC), and specified civil and criminal penalties for noncompliance.

What does Sarbanes-Oxley compliance require?
All applicable companies must establish a financial accounting framework that can generate financial reports that are readily verifiable with traceable source data. This source data must remain intact and cannot undergo undocumented revisions. In addition, any revisions to financial or accounting software must be fully documented as to what was changed, why, by whom and when.

What are the penalties for noncompliance with Sarbanes-Oxley?
Besides lawsuits and negative publicity, a corporate officer who does not comply or submits an inaccurate certification is subject to a fine of up to $1 million and ten years in prison, even if done mistakenly. If a wrong certification was submitted purposely, the fine can be up to $5 million and twenty years in prison.

What is a SAR report and when do I need to fill one out?
OFAC compliance involves the use of a Suspicious Activity Report (SAR). If you are aware of, or observe, suspicious activity involving an individual on the OFAC list, you are required to fill out a SAR.

Can I tell the customer they are on the OFAC list?
You are permitted to inform the customer that they are on the OFAC list, and that this is the reason their assets were blocked or their transaction was rejected.

How long do I need to keep OFAC records for?
OFAC-affected transactions must be kept for five years and made available to OFAC on request.

What is the punishment for OFAC non-compliance?
Failure to comply with OFAC can result in fines up to $10 million and 30 years in prison for a corporation.

What Federal law or regulation does OFAC fall under?
OFAC regulations fall under the Code of Federal Regulations (CFR) 31 CFR 500.