The Sarbanes–Oxley Act (SOX) 2002
What is the Sarbanes–Oxley Act?
The Sarbanes–Oxley Act, often referred to simply as "SOX," is a US federal law enacted in July 2002 with the aim of improving the accuracy and reliability of financial disclosures for all US public company boards, management, and public accounting firms.
Why was it needed, and who does it apply to?
Following a number of high-profile corporate and accounting scandals—including the collapse of various large organizations including Enron, Tyco and WorldCom—as well as the bursting of the dot-com bubble in the late 1990s, SOX was introduced to restore confidence in the accuracy of the financial information released by public companies.
SOX changes the way corporate boards and executives work, making them accountable for the accuracy of financial statements and removing the defense of board-level ignorance. Financial information must now be certified by management and criminal penalties for fraudulent financial activity are now much more severe.
SOX applies to all US public companies and the Certified Public Accountants (CPAs) and CPA firms that provide them with auditing services.
What is in Sarbanes–Oxley?
There are 11 titles to SOX, each of which contains sections detailing their requirements and responsibilities as well as possible penalties for non-compliance.
The 11 Titles of Sarbanes–Oxley:
- Title I: Public Company Accounting Oversight Board (PCAOB)
- Title II: Auditor Independence
- Title III: Corporate Responsibility
- Title IV: Enhanced Financial Disclosures
- Title V: Analyst Conflicts of Interest
- Title VI: Commission Resources and Authority
- Title VII: Studies and Reports
- Title VIII: Corporate and Criminal Fraud Accountability
- Title IX: White Collar Crime Penalty Enhancement
- Title X: Corporate Tax Returns
- Title XI: Corporate Fraud Accountability
Implementation of Sarbanes–Oxley
While the Act lays down detailed requirements for the governance of organizations, the three highest profile sections are 302, 404, and 409.
- Section 302: Corporate Responsibility for Financial Reports requires the quarterly certification of financial reports, including disclosure of all known control deficiencies and acts of fraud, by the principal executive officer(s) and principal financial officer(s).
- Section 404: Management Assessment of Internal Controls requires management and external auditors to certify internal controls on financial reporting in an annual internal control report.
- Section 409: Real Time Issuer Disclosures requires information on changes in organizations’ financial condition or operations to be disclosed publicly.
Penalties for noncompliance with SOX
Noncompliance penalties vary according to the section violation and are at their greatest when information has been deliberately falsified, altered, or destroyed. They range from the loss of exchange listing and loss of directors and officers liability insurance (D&O) to multimillion dollar fines and prison sentences for company officers.
If a CEO or CFO knowingly certifies a periodic report that does not satisfy the requirements of the Act, he or she is subject to fines of up to $1 million and imprisonment for up to 10 years. If he or she falsifies the certification willfully, the fine may be up to $5,000,000 and imprisonment up to 20 years.
Sarbanes–Oxley and ISO27001
ISO27001 is the ideal solution for businesses that need to ensure that they comply with Sarbanes–Oxley IT control requirements. The rapidly changing world of corporate governance makes it essential for listed companies to implement effective IT governance structures.
Organizations with multiple compliance requirements (such as SOX, HIPAA, the PCI DSS, and the GLBA) often seek registration to ISO27001, since this international standard can centralize and simplify disjointed compliance efforts. ISO27001 presents a comprehensive and international approach to implementing and maintaining an information security management system (ISMS), and it is often the case that companies will achieve compliance with a host of related legislative frameworks simply by achieving ISO27001 registration. By virtue of its all-inclusive approach, ISO27001 encapsulates the IT control requirements of SOX by providing an auditable information security management system designed for continual improvement.
Furthermore, the additional external validation offered by ISO27001 registration is likely to improve an organization’s cybersecurity posture while providing a higher level of confidence to customers and stakeholders—essential for securing certain global and government contracts.
Why IT Governance?
IT Governance is a specialist in the field of information security and IT governance and has led more than 400 successful registrations to ISO27001 around the world.
IT Governance has created ISO 27001 packaged solutions to give US organizations online access to world-class expertise. Each fixed-priced solution is a combination of products and services that will enable you to implement ISO 27001 at a speed and budget appropriate to your individual needs.
Speak to an expert
One of our qualified ISO 27001 lead implementers are ready to offer you practical advice about the best approach to take for implementing an ISO 27001 project alongside SOX copmliance.