SOX Act: what are the key requirements?

After a wave of financial scandals in the United States, Senator Paul Sarbanes and Representative Michael G. Oxley proposed the Sarbanes-Oxley Act (SOX) in 2002, and it was passed by an overwhelming majority. Its objective? To make the financial reports of U.S. companies listed on the stock exchanges more accessible and to formalise a monitoring procedure that protects shareholders and the public.

Thus, the CEOs, CFOs and Boards of Directors of public corporations are required to transmit factual, complete and detailed information, in the form of financial statements, to the Securities and Exchange Commission (SEC).

Violations of this law can result in criminal penalties that can include fines and imprisonment.

Which types of companies are subject to SOX?

SOX applies to companies listed on the U.S. stock exchanges – whether they are U.S. companies or foreign companies operating in the United States – and to their subsidiaries. The accounting firms responsible for auditing these companies are also subject to the law.

Private companies, associations and NGOs are, however, exempt from this legal obligation.

Why comply with SOX?

Ensuring compliance with SOX is key not only to lawful business practice but also to sound business practice. In addition to preventing fraudulent practices, the Sarbanes-Oxley financial security law also helps to protect the company against internal and external data theft.

In light of this, SOX requires companies to implement, communicate and enforce specific strategies to ensure the security of corporate data.

Compliance with SOX conveys the message that a company’s financial position is secure – a way to reassure partners and the public. Transparency regarding their financial data also makes it easier for these companies to access the financial markets.

What is a SOX compliance audit?

When conducting a SOX audit, the auditors are tasked with checking the company’s accounts and ensuring that they are properly disclosed to shareholders. The current year’s figures are compared with those of previous years to check if they meet the legal requirements.

To carry out this exercise successfully, and to make sure they can provide all the information the auditor may require, companies must regularly update their reporting and internal audit systems. It is also essential to verify that any SOX compliance software is working as planned.

These tools allow the data collected to be centralised and analysed, anomalies to be detected and corrected, IT security threats to be eliminated, and the progress of the SOX compliance process to be tracked in real time.

Finally, to ensure the accuracy of the financial statements, an auditor may need to gather testimonies from staff members.

What are the steps to ensure SOX compliance?

There are three key measures for achieving SOX compliance.

1. Establish internal audit procedures

The internal controls strategy should be clear and effective: it governs employee conduct and ensures that the company’s good governance practices are documented.

2. Deploy multiple whistleblowing methods

A hotline can encourage employees who detect a SOX violation to report it discreetly, without fear of retaliation. Addressing breaches internally protects companies and executives, and prevents financial loss.

3. Provide training

Providing training to the right people, such as directors, officers, relevant employees, and business partners, on proper internal accounting control and documentation practices can reduce the risk of failure when conducting a SOX audit.

Transparency and reliability. Two words with a strong message: zero tolerance. Companies that comply with this policy earn the trust of investors and that of the public – not only from a legal perspective but also from a moral one, thanks to their good governance practices.

However, internal auditing is being radically redefined. In the current pandemic context, remote working has a significant impact on risk management, and the emphasis should now be placed on agility.
