Sarbanes-Oxley (SOX)

The bill, which contains eleven sections, was enacted as a reaction to a number of major corporate and accounting scandals, including Enron and WorldCom. The sections of the bill cover responsibilities of a public corporation’s board of directors, add criminal penalties for certain misconduct, and require the Securities and Exchange Commission to create regulations to define how public corporations are to comply with the law.

Issued by the United States Congress (2002), SOX is a United States federal law that set new or expanded requirements for all U.S. public company boards, management and public accounting firms. A number of provisions of the Act also apply to privately held companies, such as the willful destruction of evidence to impede a federal investigation.

Two sections of SOX are of particular importance.

  1. Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure. The signing officers must certify that they are “responsible for establishing and maintaining internal controls” and “have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared”.
  2. Under Section 404 of the Act, management is required to produce an “internal control report” as part of each annual Exchange Act report. The report must affirm “the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting”. The report must also “contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting”. To do this, managers are generally adopting an internal control framework such as that described in COSO.

SOX is legislation and not an implementable framework. Although neither the SOX Act nor the SEC mandates the COSO framework, the SEC earlier announced COSO as the preferred framework for SOX compliance. The COSO framework components establish the overall guidelines for corporate governance to ensure reliable and complete financial reporting, but they do not provide the actual processes that IT organizations can use to establish effective internal controls in preparation for IT audits. An IT internal control framework is needed to create an environment that is prepared for the audits now mandated by SOX. Several IT internal control frameworks exist; however, the IT control objectives known as COBIT are considered particularly useful and aligned with the spirit of the SOX requirements.