Sarbanes-Oxley (SOX): A Simple Guide
Sarbanes-Oxley compliance is a crucial responsibility of all public companies. The legislation has been in place since 2002, so many companies are well versed in how to adhere to its guidelines. However, certain aspects of SOX compliance still consume time and money for US-listed companies.
In essence, the Sarbanes-Oxley Act is a set of guidelines designed to rid the corporate world of fraud and to improve accountability and corporate governance. Let’s take a closer look at this key piece of US legislation and what it means for businesses today.
What is the Sarbanes–Oxley (SOX) Act of 2002?
The Sarbanes-Oxley Act is a piece of legislation that came into force in 2002. It was passed by the United States Congress to protect shareholders and members of the public from fraud and significant accounting errors. The act was also designed to improve the visibility of corporate disclosures and to avoid inaccuracies.
As a result of the Sarbanes-Oxley Act, companies are required to adhere to strict regulations and SOX compliance deadlines. There are set guidelines on the rules of compliance, ensuring that companies are always fully accountable for their actions.
The Sarbanes-Oxley Act takes its name from the two members of the US Congress who sponsored it: Paul Sarbanes and Michael Oxley. The pair drafted the act in response to several fraud and criminal accounting scandals, such as WorldCom and Enron. Their goal was to ensure that similar cases could never happen again by drastically improving accountability.
Since 2002, SOX compliance has been a key responsibility of all public companies, in particular public accounting organizations and management companies. Some parts of the Act must also be adhered to by private companies.
To comply fully with Sarbanes–Oxley legislation, businesses must take note of both financial and digital requirements. One of the main areas of SOX regulation that companies need to be aware of relates to the storage of information.
SOX legislation does not dictate how businesses keep records, nor does it give strict guidelines on the best business practices to use. However, it does set out rules on the types of information that must be kept and how long that information must be retained. For example, businesses are required to keep electronic records and messages for a minimum of five years. If businesses fail to do this, fines can be imposed; severe cases can even result in prison sentences.
To ensure your business meets all SOX requirements, it’s a good idea to use a compliance checklist that brings together all the rules and regulations from Sections 302 and 404 of the act.
Sections 302 and 404 of SOX
The SOX Act of 2002 has been a fundamental driving force in ensuring accountability across public companies. Two of its key provisions, Section 302 and Section 404, have been central to its impact to date.
Section 302: This mandate covers a collection of safeguards that require senior members of a company’s leadership team to formally certify the accuracy of financial reports. The section includes safeguards for the prevention of data tampering, safeguards on establishing timelines, verifiable controls on data access, and recommended operational safeguards. It also covers reporting on the effectiveness of such safeguards and the detection of potential security breaches.
Section 404: This section requires the implementation of internal controls and reporting methods by both management and auditors. It is costly to comply with, because the internal controls it requires are expensive to establish. These controls cover the disclosure of security safeguards to approved SOX auditors, as well as the disclosure to auditors of any possible security breaches and failures.
Recordkeeping is the main focus of Section 802 of the Act, which addresses it in three distinct ways. Firstly, SOX gives set guidelines on the destruction of records and the detection of false records. Secondly, SOX sets out the timeline for keeping records. Thirdly, Sarbanes-Oxley gives businesses rules on which records they need to keep. This section also pays particular attention to electronic messages and the correct ways of storing them.
SOX and spreadsheet risk
Despite the growing importance of increasingly complex corporate IT systems, the use of spreadsheets in businesses is still widespread, so SOX compliance guidelines must be kept in mind when managing such spreadsheet estates. Because of their inherent flexibility, there are significant risks in not managing spreadsheets effectively. The fact that many spreadsheets are also linked to different data sources and to other spreadsheets means that spreadsheet risk is a factor businesses cannot ignore.