Background
The United States Congress passed the Sarbanes-Oxley Act in 2002 and established rules to protect the public from fraudulent or erroneous practices by corporations and other business entities. The goal of the legislation is to increase transparency in the financial reporting by corporations and to require a formalized system of checks and balances in each company.
SOX compliance is not just a legal obligation but also a good business practice. Of course, companies should behave ethically and limit access to internal financial systems. But implementing SOX financial security controls has the side benefit of also helping to protect the company from data theft by insider threat or cyberattack. SOX compliance can encompass many of the same practices as any data security initiative.
History
Senator Paul Sarbanes (D-MD) and Representative Michael G. Oxley (R-OH-4) wrote this bill in response to several high-profile corporate scandals – Enron, WorldCom, and Tyco in particular.
The stated goal of SOX is “to protect investors by improving the accuracy and reliability of corporate disclosures.” The bill established responsibilities for Boards and officers of publicly traded companies and set criminal penalties for failure to comply. The bill passed by overwhelming majorities in both the House and Senate – only three members voted to oppose.
Applicability
SOX applies to all publicly traded companies in the United States as well as wholly-owned subsidiaries and foreign companies that are publicly traded and do business in the United States. SOX also regulates accounting firms that audit companies that must comply with SOX.
Private companies, charities, and non-profits are generally not required to comply with all of SOX. Private organizations shouldn’t knowingly destroy or falsify financial data, and SOX does have language to penalize those companies that do. Private companies that are planning an Initial Public Offering (IPO) should prepare to comply with SOX before they go public.