The Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley Act, often referred to simply as “SOX,” is a US federal law enacted in July 2002 with the aim of improving the accuracy and reliability of financial disclosures for all US public company boards, management and public accounting firms.

Following a number of high-profile corporate and accounting scandals – including the collapse of various large organisations such as Enron, Tyco and WorldCom – as well as the bursting of the dot-com bubble in the late 1990s, SOX was introduced to restore confidence in the accuracy of the financial information released by public companies.

SOX changes the way corporate boards and executives work, making them accountable for the accuracy of financial statements and removing the defence of board-level ignorance. Financial information must now be certified by management and criminal penalties for fraudulent financial activity are now much more severe.

SOX applies to all US public companies and the CPAs (Certified Public Accountants) and CPA firms that provide them with auditing services.

• Title I: Public Company Accounting Oversight Board (PCAOB)
• Title II: Auditor Independence
• Title III: Corporate Responsibility
• Title IV: Enhanced Financial Disclosures
• Title V: Analyst Conflicts of Interest
• Title VI: Commission Resources and Authority
• Title VII: Studies and Reports
• Title VIII: Corporate and Criminal Fraud Accountability
• Title IX: White Collar Crime Penalty Enhancement
• Title X: Corporate Tax Returns
• Title XI: Corporate Fraud Accountability

While the Act lays down detailed requirements for organisational governance, the three highest profile sections are 302, 404, and 409.

• Section 302: Corporate Responsibility for Financial Reports requires the quarterly certification of financial reports, including the disclosure of all known control deficiencies and acts of fraud, by the principal executive officer(s) and principal financial officer(s).
• Section 404: Management Assessment of Internal Controls requires management and external auditors to certify internal controls on financial reporting in an annual internal control report.
• Section 409: Real Time Issuer Disclosures requires information on changes in organisations’ financial condition or operations to be disclosed publicly.

Non-compliance penalties vary according to the section violation and are at their greatest when information has been deliberately falsified, altered or destroyed. They range from the loss of exchange listing and loss of D&O (directors and officers) insurance to multimillion dollar fines and prison sentences for company officers.

If a CEO or CFO knowingly certifies a periodic report that does not satisfy the requirements of the Act, they are subject to fines of up to $1 million and imprisonment for up to 10 years. If they falsify the certification wilfully, the fine may be up to $5,000,000 and imprisonment up to 20 years.

ISO 27001 is the ideal solution for businesses that need to ensure that they comply with Sarbanes-Oxley IT control requirements. The rapidly changing world of corporate governance makes it essential for listed companies to implement effective IT governance structures.

Organisations with multiple compliance requirements (such as SOX, HIPAA, the PCI DSS and the GLBA) often seek registration to ISO 27001, since this international standard can centralise and simplify disjointed compliance efforts.

ISO 27001 presents a comprehensive and international approach to implementing and maintaining an ISMS (information security management system), and it is often the case that companies will achieve compliance with a host of related legislative frameworks simply by achieving ISO 27001 registration. By virtue of its all-inclusive approach, ISO 27001 encapsulates the IT control requirements of SOX by providing an auditable information security management system designed for continual improvement.

Furthermore, the additional external validation offered by ISO 27001 registration is likely to improve an organization’s cybersecurity posture while providing a higher level of confidence to customers and stakeholders – essential for securing certain global and government contracts.

Learn more about benefits of ISO 27001 certification

Buy your copy of the ISO 27001 standard

Having led the world’s first ISO 27001 certification project, we are the global pioneer of the Standard. Let us share our expertise and support you on your journey to SOX compliance and ISO 27001 certification.

/product/isoiec-27001-2022-standard

/product/nine-steps-to-success-an-iso-270012022-implementation-overview

/product/certified-iso-270012022-isms-foundation-training-course

/product/certified-iso-270012022-isms-lead-implementer-training-course

/product/certified-iso-270012022-isms-lead-auditor-training-course

ISO 27001 Toolkit | GRC Solutions