What is the Sarbanes–Oxley Act?
The Sarbanes–Oxley Act, often referred to simply as "SOX," is a US federal law enacted in July 2002 with the aim of improving the accuracy and reliability of financial disclosures for all US public company boards, management, and public accounting firms.
Why was the Act needed, and who does it apply to?
Following a series of high-profile corporate and accounting scandals, including the collapses of Enron, Tyco and WorldCom, and the bursting of the dot-com bubble in 2000, SOX was introduced to restore investor confidence in the accuracy of the financial information released by public companies.
SOX changed the way corporate boards and executives work by making them personally accountable for the accuracy of financial statements and removing the defense of board-level ignorance. Financial reports must now be certified by senior management, and the criminal penalties for fraudulent financial reporting are far more severe than before.
SOX applies to all companies that issue securities registered with the SEC (including foreign issuers listed on US exchanges) and to the Certified Public Accountants (CPAs) and CPA firms that audit them. A few provisions, such as the criminal penalties for destroying records relevant to a federal investigation, apply regardless of whether a company is public.
The 11 Titles of Sarbanes–Oxley
SOX is divided into 11 titles, each containing sections that set out requirements and responsibilities, along with the penalties for non-compliance.
- Title I: Public Company Accounting Oversight Board (PCAOB)
- Title II: Auditor Independence
- Title III: Corporate Responsibility
- Title IV: Enhanced Financial Disclosures
- Title V: Analyst Conflicts of Interest
- Title VI: Commission Resources and Authority
- Title VII: Studies and Reports
- Title VIII: Corporate and Criminal Fraud Accountability
- Title IX: White Collar Crime Penalty Enhancement
- Title X: Corporate Tax Returns
- Title XI: Corporate Fraud Accountability
Implementation of Sarbanes–Oxley
While the Act lays down detailed requirements for the governance of organizations, the three sections with the highest profile for IT and security teams are 302, 404, and 409.
- Section 302: Corporate Responsibility for Financial Reports requires the principal executive officer(s) and principal financial officer(s) to certify each quarterly and annual report, including disclosure to the auditors and audit committee of all significant deficiencies in internal controls and any fraud involving management or employees with a significant role in those controls.
- Section 404: Management Assessment of Internal Controls requires management to assess and report annually on the effectiveness of internal control over financial reporting (ICFR), and the external auditor to attest to that assessment. The auditor attestation requirement (404(b)) does not apply to smaller, non-accelerated filers. Because financial reporting depends on IT systems, auditors test the IT general controls around those systems (access, change management, operations and backup) as part of this assessment.
- Section 409: Real Time Issuer Disclosures requires material changes in an organization's financial condition or operations to be disclosed publicly on a rapid and current basis.
Penalties for noncompliance with SOX
Penalties for noncompliance vary according to the section violated and are at their greatest when information has been deliberately falsified, altered, or destroyed. They range from delisting from the exchange and loss of directors and officers (D&O) liability insurance to multimillion-dollar fines and prison sentences for company officers.
Under Section 906, a CEO or CFO who knowingly certifies a periodic report that does not satisfy the requirements of the Act is subject to a fine of up to $1 million and imprisonment for up to 10 years. If the certification is willfully false, the fine may be up to $5 million and the prison term up to 20 years.
Sarbanes–Oxley and ISO 27001
ISO/IEC 27001 is a widely used framework for businesses that need to demonstrate the IT controls on which their SOX compliance depends. The rapidly changing world of corporate governance makes it essential for listed companies to implement effective IT governance structures.
Organizations with multiple compliance requirements (such as SOX, HIPAA, the PCI DSS, and the GLBA) often seek certification to ISO 27001, because a single information security management system can be mapped to the overlapping control requirements of each regime instead of being run as separate, disjointed compliance efforts.
ISO 27001 specifies an international, auditable approach to implementing and maintaining an information security management system (ISMS) designed for continual improvement. Its Annex A controls for access control, change management, logging and monitoring, backup, and supplier management correspond closely to the IT general controls that SOX Section 404 auditors test over financial reporting systems, so an operating ISMS supplies much of the control design, documentation, and audit evidence those tests require. A certificate is not in itself SOX compliance: the Section 404 assessment is of the issuer's own internal control over financial reporting, and the external auditor tests the relevant controls rather than accepting a certificate in their place. ISO 27001 also covers only the IT portion of the Act; the financial reporting, disclosure, and governance requirements remain separate obligations.
Furthermore, the external validation provided by ISO 27001 certification is likely to improve an organization's cybersecurity posture while giving customers and stakeholders a higher level of confidence, and it is often a prerequisite for certain global and government contracts.
Having led the world's first ISO 27001 certification project, we are the global pioneer of the Standard. Let us share our expertise and support you on your journey to SOX compliance and ISO 27001 certification.