Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act (SOX) of 2002 governs corporate governance and financial disclosure for US public companies, strengthening transparency and accountability.
Summary
The Sarbanes-Oxley Act (SOX) is a US federal law enacted on July 30, 2002, in response to major accounting scandals including Enron and WorldCom. It fundamentally reformed corporate governance requirements for publicly traded companies in the United States.
- Internal Controls: Sections 302 and 404 require executives to certify financial statements and assess internal control systems.
- Audit Committees: Requirements for independent audit committees and external auditors.
- Whistleblower Protection: Protection for employees who report violations.
- Criminal Penalties: Enhanced penalties for securities fraud and obstruction of justice.
History
Following a series of high-profile corporate scandals – most notably the collapse of Enron (2001) and WorldCom (2002) – millions of investors lost their savings. The US Congress responded with the most sweeping securities reform legislation since the Great Depression. Senator Paul Sarbanes and Representative Michael Oxley led the bipartisan legislative initiative. The law was signed by President George W. Bush on July 30, 2002, with overwhelming majorities. In subsequent years, the SEC refined implementing regulations, particularly for Section 404, and the PCAOB (Public Company Accounting Oversight Board) was established as a new oversight body for auditors.
Scope
SOX applies to all companies whose securities are registered with the US Securities and Exchange Commission (SEC) – both US domestic and foreign private issuers. Core requirements apply to:
- All publicly traded corporations in the USA
- Foreign companies listed on US stock exchanges
- Audit firms that audit such companies
- Employees and management of these companies (whistleblower provisions)
Certain relief provisions apply to smaller companies (Non-Accelerated Filers) with respect to Section 404(b).
Key Requirements
- Section 302: CEOs and CFOs must personally certify the accuracy of financial reports and confirm the effectiveness of disclosure controls.
- Section 404: Management must annually assess the effectiveness of internal controls over financial reporting; external auditor must attest to this assessment (404(b), for Accelerated Filers).
- Section 409: Real-time disclosure obligation for material changes in financial condition.
- Section 802: Retention requirements for audit records (7 years per SEC implementing regulation) and prohibition on destruction of evidence.
- Section 806: Protection of whistleblowers from retaliation.
- PCAOB Registration: All audit firms must register with the PCAOB and are subject to its inspections.
Related Frameworks
Corrections & Errata
3 corrections:
- SOX key_dates: PCAOB date June 27, 2003 is not verifiable
- SOX key_dates: SEC Section 404 date is wrong
- SOX: Section 802 retention requirement is 7 years, not 5 years