The Sarbanes-Oxley Act, often referred to by the acronym SOX, was signed into law on 30 July 2002 by President George W. Bush. The Act regulates the financial reporting of publicly traded companies and the auditors who attest to it. Its purpose is to strengthen audit and disclosure requirements and to protect investors by improving the accuracy and reliability of corporate disclosures.
What does SOX cover?
SOX’s full name gives a summary of what the law covers.
Public Law 107-204 – Sarbanes-Oxley Act of 2002
An act to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.
The act covers issues such as establishing a public company accounting oversight board, auditor independence, corporate responsibility, and enhanced financial disclosure. It also significantly tightens accountability standards for directors and officers, auditors, securities analysts and legal counsel. The law is named after Senator Paul Sarbanes and Representative Michael G. Oxley.
Why was the Sarbanes-Oxley Act created?
The Sarbanes-Oxley (SOX) Act is a landmark 21st-century U.S. financial disclosure and compliance law created to protect both investors and businesses by improving the accuracy and reliability of corporate disclosures.
Portions of this definition originally appeared on Datamation.com and are excerpted here with permission.
The SOX Act was passed in 2002 after several major accounting fraud cases made it clear that additional safeguards were needed to protect businesses and investors from misrepresented financial results.
The law guards against faulty or misrepresented disclosures of publicly traded companies’ financial data. It requires senior executives to personally certify the accuracy of financial reports, and it expects companies to maintain formal data security policies and documentation of all relevant financial records.
By requiring companies to keep thorough, accurate financial records and to secure the systems that hold that data, SOX aims to ensure that internal and external shareholders are not given false information about their investments.
What are the SOX Act’s important features?
The Sarbanes-Oxley Act:
- Establishes auditing policies, procedures, and standards through the Public Company Accounting Oversight Board (PCAOB)
- Prevents conflicts of interest between auditors, their clients, and the services they exchange
- Holds senior executives personally responsible for the accuracy of financial statements and reports, and expresses the sense of the Senate that the CEO should sign the company’s federal income tax return
- Defines scenarios in which a broker, advisor, or dealer can be barred from practicing
- Provides certain protections for whistleblowers while also enforcing criminal penalties for violators who knowingly manipulate financial data or obstruct investigations
- Establishes and supports reporting and compliance enforcement on the part of the U.S. Securities and Exchange Commission (SEC)
Datamation goes in depth on how SOX impacts tech companies with SOX Requirements and Rules.
What are data-specific rules in the SOX Act?
Because the SOX Act regulates the financial data of publicly traded companies, the law imposes several rules on how financial data is recorded, controlled, and reported, especially as it relates to corporate transactions.
The rules require companies to submit to regular external audits and to maintain internal controls and reporting that support the accuracy of financial data. Companies are also expected to disclose material changes in their financial condition to the SEC promptly.
The Act also requires an annual internal control report. Rather than a full financial history, this report states management’s responsibility for internal control over financial reporting, assesses the effectiveness of those controls, and is accompanied by documentation showing that financial data is monitored regularly.
Specific data points that should be included in the internal control report include:
- Demonstration of internal controls and how they were tested
- Logs of network, database, and user activity on systems that process financial data
- Security events related to that activity, such as failed logins and authentication failures
- Records of who has access to financial information and how that access is granted and reviewed
And while the SOX Act does not prescribe any specific security controls or technologies, the SEC expects formal data security policies with evidence that they are communicated and enforced across the corporate network. In practice, auditors assess IT general controls such as access control, change management, and backup and recovery, commonly against frameworks like COSO or COBIT, so companies should keep access reviews, change records, and log retention evidence ready for audit.