Skip to main content

Sarbanes-Oxley Act of 2002

Sarbanes-Oxley requires US public companies to maintain and assess internal controls over financial reporting, with executive certification and auditor attestation. It has major IT implications for access control, change management, and audit trails, and carries severe penalties for false reporting.

Jurisdiction
United States

What Sarbanes-Oxley Is and Why It Exists

The Sarbanes-Oxley Act of 2002 (SOX) is a US federal law passed in response to major accounting scandals such as Enron and WorldCom, which destroyed shareholder value and shook trust in public markets. SOX reforms corporate governance and financial disclosure for publicly traded companies. It makes senior executives personally accountable for the accuracy of financial statements and requires companies to establish and assess internal controls over financial reporting.

Though framed around accounting, SOX has deep IT implications, because most financial data flows through systems whose integrity, access controls, and change management determine whether reporting can be trusted.

Who It Applies To

SOX applies to all companies publicly traded in the United States, including foreign companies listed on US exchanges, and to their registered public accounting firms. It also reaches subsidiaries and, indirectly, service providers whose systems affect financial reporting. Private companies are generally exempt, though some adopt SOX-like controls in anticipation of going public.

Key Requirements

  • Section 302: the CEO and CFO must personally certify the accuracy of financial reports and the effectiveness of disclosure controls.
  • Section 404: management must assess and report on internal control over financial reporting, and external auditors must attest to that assessment.
  • Section 802: records must be retained and tampering is criminalized.
  • IT general controls supporting these aims typically include access management, change control, segregation of duties, and reliable audit trails.
  • An independent audit committee and auditor independence rules are also required.

Penalties for Non-Compliance

SOX carries severe penalties. Executives who knowingly certify false financial statements face fines up to several million dollars and imprisonment for up to 20 years. Destroying or altering records to obstruct investigations is a felony. Companies risk delisting, regulatory action by the SEC, restated earnings, and significant reputational and shareholder-litigation costs.

How to Comply

  • Map the systems and processes that feed financial reporting and define the relevant controls.
  • Implement IT general controls: least-privilege access, segregation of duties, change management, and audit logging.
  • Document control design and test operating effectiveness throughout the year.
  • Have management certify controls and coordinate the external auditor's attestation.
  • Maintain robust record retention and tamper-evident archives.
  • Remediate deficiencies promptly and track them to closure.

Automating evidence collection and access reviews greatly reduces the recurring burden of SOX compliance.

IT General Controls in Practice

For technology teams, SOX largely materializes as IT General Controls (ITGCs) over the systems that produce financial data. The core domains are access management, change management, and operations. Auditors test whether access is granted on least privilege and reviewed periodically, whether code and configuration changes are authorized, tested, and documented before reaching production, and whether jobs and backups run reliably. Automation has transformed this work: provisioning workflows, infrastructure-as-code with approval gates, and immutable audit logs produce far stronger and cheaper evidence than manual screenshots. Treating ITGCs as engineering practices rather than annual audit theater both reduces compliance cost and genuinely improves the reliability of financial systems.