Sarbanes Oxley FAQ

What is the Sarbanes-Oxley Act of 2002?
Effective in 2006, all public companies are required to submit an annual assessment of the effectiveness of their internal financial auditing controls to the Securities and Exchange Commission (SEC). Additionally, each company's external auditors are required to audit and report on the internal control reports of management, in addition to the company's financial statements.

Sarbanes-Oxley is known in the U.S. Senate as the "Public Company Accounting Reform and Investor Protection Act" and in the House of Representatives as the "Corporate and Auditing Accountability and Responsibility Act". Sarbanes-Oxley is commonly referred to as SOX or Sarbox.

Why did Congress pass the Sarbanes-Oxley Act?
The Sarbanes-Oxley Act of 2002 was passed in response to the accounting scandals at Enron, WorldCom, Global Crossing, Tyco and Arthur Andersen, which resulted in billions of dollars in corporate and investor losses. These huge losses negatively impacted the financial markets and general investor trust. The Sarbanes-Oxley Act mandates a wide-sweeping accounting framework for all public companies doing business in the US.

What companies need to comply with Sarbanes-Oxley?
All publicly-traded companies in the United States, including all wholly-owned subsidiaries, and all publicly-traded non-US companies doing business in the US are affected. In addition, private companies that are preparing for their initial public offering (IPO) also need to comply with certain provisions of Sarbanes-Oxley.

When did Sarbanes-Oxley compliance take effect?
All parts of the Sarbanes-Oxley Act with the exception of Section 409 are effective now. For Section 404, public companies with a market capitalization over US $75 million needed to have their financial reporting frameworks operational for their first fiscal year-end report after November 15, 2006, then for all quarterly reports thereafter. For smaller companies, compliance is required for the first fiscal year-end financial report, then for all subsequent quarterly financial reports after July 15, 2006.

What is the Sarbanes-Oxley Act comprised of?
The Sarbanes-Oxley Act itself is organized into eleven sections that span over 60 pages, but sections 302, 401, 404, 409, 802, and 906 are the most important in terms of compliance. Section 404 seems to cause the most difficulties for compliance. More specifically, Sarbanes-Oxley established new accountability standards for corporate boards and auditors, established a Public Company Accounting Oversight Board (PCAOB) under the Securities and Exchange Commission (SEC), and specified civil and criminal penalties for noncompliance.

What does Sarbanes-Oxley compliance require?
All applicable companies must establish a financial accounting framework that can generate financial reports that are readily verifiable with traceable source data. This source data must remain intact and cannot undergo undocumented revisions. In addition, any revisions to financial or accounting software must be fully documented as to what was changed, why, by whom and when.

What are the penalties for noncompliance with Sarbanes-Oxley?
Besides lawsuits and negative publicity, a corporate officer who does not comply or submits an inaccurate certification is subject to a fine up to $1 million and ten years in prison, even if done mistakenly. If a wrong certification was submitted purposely, the fine can be up to $5 million and twenty years in prison.

Who manages Sarbanes-Oxley in a company?
Section 302 requires that a company's principal officers, typically the CEO and CFO, certify and approve of their company's financial statements and the effectiveness of internal "disclosure controls and procedures".

How are HIPAA and Sarbanes-Oxley related from a data compliance perspective?

They both require internal security controls, reporting systems, and annual audits, yet they are different. SOX defines which business records a company must store and for how long (data retention policy). HIPAA defines who can view stored data as well as when the data must be destroyed (data privacy policy). Under SOX, a company must prove that its data has not been altered from the time it was stored to the time it was retrieved. Under HIPAA, a company must provide an audit trail of who has accessed what data and when, then prove the data was properly disposed of when the retention period is up. For more information on HIPAA regulations, see HIPAA 101.
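The two data requirements described above (source data that cannot be revised without a documented record of what changed, why, by whom and when; and proof at retrieval time that stored data is unaltered) are commonly met with a tamper-evident, append-only audit trail in which every entry is hashed and chained to the previous one. The following is an added example illustrating that pattern; it is not code from the original page or from any SOX product, and the record ids, user names, journal-entry fields and timestamps are constructed sample values.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

GENESIS_HASH = "0" * 64  # chain anchor for the first entry


@dataclass
class LedgerEntry:
    """One append-only audit-trail entry: a record version plus who/why/when."""
    seq: int
    record_id: str
    action: str            # "create" or "revise"
    data: Dict[str, object]
    changed_by: str
    reason: str
    timestamp: str         # ISO-8601, UTC
    prev_hash: str         # entry_hash of the previous entry (the chain link)
    entry_hash: str = ""   # SHA-256 over every field above


def compute_entry_hash(entry: LedgerEntry) -> str:
    """Hash a canonical JSON serialisation of the entry (minus its own hash field)."""
    body = asdict(entry)
    body.pop("entry_hash")
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditLedger:
    """Append-only store: revisions never overwrite, they add a new linked entry."""

    def __init__(self) -> None:
        self.entries: List[LedgerEntry] = []

    def _append(self, record_id, action, data, changed_by, reason, timestamp=None) -> LedgerEntry:
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        entry = LedgerEntry(len(self.entries), record_id, action, dict(data),
                            changed_by, reason, ts, prev)
        entry.entry_hash = compute_entry_hash(entry)
        self.entries.append(entry)
        return entry

    def create(self, record_id, data, changed_by, reason, timestamp=None) -> LedgerEntry:
        return self._append(record_id, "create", data, changed_by, reason, timestamp)

    def revise(self, record_id, data, changed_by, reason, timestamp=None) -> LedgerEntry:
        # A revision must name the record it changes and carry the who/why/when.
        if self.current(record_id) is None:
            raise KeyError(f"no such record: {record_id}")
        return self._append(record_id, "revise", data, changed_by, reason, timestamp)

    def current(self, record_id) -> Optional[Dict[str, object]]:
        """Latest version of a record, or None if it was never created."""
        for entry in reversed(self.entries):
            if entry.record_id == record_id:
                return dict(entry.data)
        return None

    def history(self, record_id) -> List[Dict[str, str]]:
        """The documented change history (what/why/who/when) of one record."""
        return [{"action": e.action, "changed_by": e.changed_by,
                 "reason": e.reason, "timestamp": e.timestamp}
                for e in self.entries if e.record_id == record_id]

    def head_hash(self) -> str:
        """Hash of the newest entry; store it externally to detect truncation."""
        return self.entries[-1].entry_hash if self.entries else GENESIS_HASH

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute every hash and chain link; return (ok, first bad seq or None)."""
        expected_prev = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            if (entry.seq != i or entry.prev_hash != expected_prev
                    or compute_entry_hash(entry) != entry.entry_hash):
                return False, i
            expected_prev = entry.entry_hash
        return True, None


def build_sample_ledger() -> AuditLedger:
    """Constructed sample: one journal entry posted, then corrected with a reason."""
    ledger = AuditLedger()
    ledger.create("JE-1001", {"account": "4000-Revenue", "amount": 12000.00, "period": "2024-Q1"},
                  changed_by="alice", reason="initial posting",
                  timestamp="2024-04-02T09:15:00+00:00")
    ledger.revise("JE-1001", {"account": "4000-Revenue", "amount": 12500.00, "period": "2024-Q1"},
                  changed_by="bob", reason="corrected invoice total per INV-778",
                  timestamp="2024-04-03T14:40:00+00:00")
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("intact:", ledger.verify())
    ledger.entries[0].data["amount"] = 99000.00   # silent in-place edit of stored source data
    print("after tampering:", ledger.verify())
```

Two properties matter when reviewing a store like this: an in-place edit of any stored entry is detected by `verify()` because its recomputed hash no longer matches, and recomputing the edited entry's hash to hide the change still breaks the `prev_hash` link of the entry after it. What the chain alone cannot detect is removal of the newest entries, so `head_hash()` should be recorded somewhere the ledger's own writers cannot change (for example a periodically signed checkpoint) and compared at retrieval time.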

How can I keep my workplace trained and certified to help meet SOX compliance?

Consider investing in a modern Learning Management System (LMS). For more information, see Workplace Training Software for SOX.