The SOX act does, however, establish extensive civil and criminal penalties for non-compliance, and executives who approve faulty documentation can face fines of up to $5 million and jail time of up to 20 years. (Jan 23, 2018)


Sarbanes Oxley FAQ

What is the Sarbanes-Oxley Act of 2002?

Effective in 2006, all public companies are required to submit an annual assessment of the effectiveness of their internal financial auditing controls to the Securities and Exchange Commission (SEC). Each company's external auditors are also required to audit and report on management's internal control reports, in addition to the company's financial statements.

Sarbanes-Oxley is known in the US Senate as the "Public Company Accounting Reform and Investor Protection Act" and in the House of Representatives as the "Corporate and Auditing Accountability and Responsibility Act". Sarbanes-Oxley is commonly referred to as SOX or Sarbox.

Why did Congress pass the Sarbanes-Oxley Act?

The Sarbanes-Oxley Act of 2002 was passed in response to the accounting scandals at Enron, WorldCom, Global Crossing, Tyco and Arthur Andersen, which resulted in billions of dollars in corporate and investor losses. These huge losses negatively impacted the financial markets and general investor trust. The Sarbanes-Oxley Act mandates a wide-sweeping accounting framework for all public companies doing business in the US.

What companies need to comply with Sarbanes-Oxley?

All publicly-traded companies in the United States, including all wholly-owned subsidiaries, and all publicly-traded non-US companies doing business in the US are affected. In addition, private companies that are preparing for their initial public offering (IPO) also need to comply with certain provisions of Sarbanes-Oxley.

When did Sarbanes-Oxley compliance take effect?

All parts of the Sarbanes-Oxley Act with the exception of Section 409 are effective now. For Section 404, public companies with a market capitalization over $75 million needed to have their financial reporting frameworks operational for their first fiscal year-end report after November 15, 2006, then for all quarterly reports thereafter. For smaller companies, compliance is required for the first fiscal year-end financial report, then for all subsequent quarterly financial reports after July 15, 2006.

What is the Sarbanes-Oxley Act comprised of?

The Sarbanes-Oxley Act itself is organized into eleven sections that span over 60 pages, but sections 302, 401, 404, 409, 802, and 906 are the most important in terms of compliance. Section 404 seems to cause the most difficulties for compliance. More specifically, Sarbanes-Oxley established new accountability standards for corporate boards and auditors, established a Public Company Accounting Oversight Board (PCAOB) under the Securities and Exchange Commission (SEC), and specified civil and criminal penalties for noncompliance.

What does Sarbanes-Oxley compliance require?

All applicable companies must establish a financial accounting framework that can generate financial reports that are readily verifiable with traceable source data. This source data must remain intact and cannot undergo undocumented revisions. In addition, any revisions to financial or accounting software must be fully documented as to what was changed, why, by whom and when.

What are the penalties for noncompliance with Sarbanes-Oxley?

Besides lawsuits and negative publicity, a corporate officer who does not comply or submits an inaccurate certification is subject to a fine of up to $1 million and ten years in prison, even if done mistakenly. If a wrong certification was submitted purposely, the fine can be up to $5 million and twenty years in prison.

Who manages Sarbanes-Oxley in a company?

Section 302 requires that a company's principal officers, typically the CEO and CFO, certify and approve of their company's financial statements and the effectiveness of internal "disclosure controls and procedures".

How are HIPAA and Sarbanes-Oxley related from a data compliance perspective?

They are similar yet different. SOX defines which business records a company must store and for how long (data permanence). HIPAA defines who can view stored data as well as when the data must be destroyed (data privacy). Under SOX, a company must prove that its data has not been altered from the time it was stored to the time it was retrieved. Under HIPAA, it must provide an audit trail of who has accessed what data and when, then prove the data was properly disposed of when the retention period is up. For more information on HIPAA, see HIPAA 101.

How can I keep my workplace up-to-date with Sarbanes compliance?

Consider investing in a modern learning management system (LMS) for employee training.

For more information, see LMS Software Advice.

