What is SOX compliance? In brief, SOX compliance is a regulation that requires firms to provide accurate financial statements and have internal controls in place to protect financial information, with the overall aim of reducing malpractice that would harm investors and the public.
But what requirements does SOX compliance entail? Who does it impact? And why is it so important? Here, we outline everything you need to know about the regulation.
SOX compliance explained
SOX compliance came into effect back in 2002 when the Sarbanes Oxley Act – named after Paul Sarbanes and Michael Oxley who created it - was passed by the United States congress. For that reason, the regulation is sometimes referred to as Sarbanes Oxley compliance.
The regulation is all about improving transparency within US public companies by making corporate disclosures more accurate and reliable, while also improving governance and accountability across firms. Security is another focus, with the regulation placing onus on firms to have sufficient internal controls. Combined, these measures intend to protect the public, as well as investors or shareholders, from fraud and other misconduct.
Why was Sarbanes Oxley compliance introduced?
The Sarbanes Oxley Act was passed in congress following multiple high-profile scandals such as those involving ENRON, Tyco, and WorldCom. These scandals resulted in billion-dollar losses for both firms and investors, and they had a significant detrimental impact on the financial market. Unsurprisingly, investors lost trust in companies.
It became clear that new compliance standards were necessary to ensure such scandals never happened again. The SOX compliance measures were introduced to fulfil this need by preventing fraudulent practices and restoring confidence in the industry.
Who does the regulation affect?
The Sarbanes Oxley requirements affect the following:
- Public companies
- Their wholly owned subsidiaries
- Publicly traded foreign companies who do business in the United States
For these companies, the Sarbanes Oxley requirements are mandatory.
This has wide-reaching implications for many within these companies, including finance and IT departments. IT, for example, can play a part in protecting electronic financial data against breaches. Executives such as CEOs and CFOs also have additional responsibilities under the SOX requirements.
For private companies and charities, compliance is not mandatory under law, although it is still good practice to adhere to the requirements.
What are the SOX compliance requirements?
The SOX requirements are divided into eleven titles with multiple sections under each title. The sections that you should be most aware of are 302, 404, 409, 802 and 906. In particular, the focus of most companies will be on sections 302 and 404 as these will make up the majority of your compliance efforts.
Section 302 – Corporate Responsibility for Financial Reports
This section states that CEOs and CFOs are personally responsible for:
- Certifying all periodic financial reports
- Making sure that these reports and financial statements provide an accurate picture of their company’s business operations and financial status
- Submitting these statements to the Securities and Exchange Commission (SEC), which is the body that oversees compliance
When it comes to internal controls, company executives must also:
- Ensure that they are implemented and adequate, having been regularly assessed and evaluated within 90 days prior to the report
- Disclose any weaknesses that could negatively impact financial reporting and any significant changes
- Report any fraud involving management or staff working with internal controls
Section 404 – Management Assessment of Internal Controls
It is widely agreed that this section can cause the most trouble for companies. 404 states that companies need to publish an annual report which must:
- State that management, such as the CEO and CFO, is responsible for both having sufficient internal controls over financial reporting and assessing these
- Make known any shortcomings within their internal control over financial reporting
This section also sets out responsibilities for external auditors, who must annually:
- Evaluate the company’s controls and processes, including their documentation and the competency of employees who perform control activities
- Certify that the company’s claim that their internal controls are implemented and effective is accurate and truthful
Section 409 – Real Time Issuer Disclosures
Companies are required to promptly disclose any material changes in their financial condition or operations. For example, this includes information such as acquisitions, divestments, and when significant personnel leave the company. These disclosures, which aim to protect investors and the public, must be written in plain English that is easy to understand.
Section 802 – Criminal Penalties for Altering Documents
If you alter, destroy, mutilate, conceal, or falsify any records or documents with the intention of disrupting or influencing an investigation, you can face severe penalties. Section 802 defines this as:
- Up to 20 years imprisonment for any company found guilty
- Up to 10 years imprisonment for any accountant, auditor or other individual who knowingly and wilfully aids the company in altering documents
Section 906 – Corporate Responsibility for Financial Reports
Finally, section 906 states that CEOs and CFOs must personally sign and certify the report that contains financial statements. They must confirm that this document:
- Complies with SEC reporting requirements
- Accurately represents the company’s finances and operations
Certifying a misleading or fraudulent report could also lead to significant consequences – over $5 million in fines and potentially 20 years imprisonment.
For a more in depth look at each of these requirements, you can read the full Sarbanes Oxley Compliance Act.
What is a SOX control?
Throughout this blog, we have talked a lot about internal controls. But what exactly are these?
Put simply, they are the safeguards or countermeasures you implement in order to achieve compliance with SOX regulation. There is not one single approach you are required to follow with your SOX controls; this is down to the individual company.
Nonetheless, the measures you can take include standards, policies, processes, procedures, or other activities such as risk assessment, monitoring, or security measures to protect financial data. By having adequate controls in place, you will be better able to spot and prevent problems, and thereby avoid the risks that accompany non-compliance or an insecure environment.
The importance of SOX compliance
Failing to comply with the requirements could result in hefty fines and even imprisonment, as per sections 802 and 906. There’s also the reputational damage to worry about. So, ensuring your company has appropriate measures in place to meet and manage SOX requirements is imperative.
What’s more, the UK government recently announced that they are considering adopting SOX compliance-inspired regulation to restore trust in audit and corporate governance.
With the need for accurate and reliable financial reporting, improved governance and accountability, and proper security in the minds of regulators across the globe, there’s no better time to ensure your company is prepared.
Now that you have a better understanding of ‘What is SOX compliance?’, find out how our SOX compliance solution can assist your company, with features that help to relieve the burdens of section 404 and 302.
Find out how our SOX compliance solution can help your organisation.