RiskWatch
Compliance guide · Updated June 2026

What is SOX, and what does it ask of your controls?

SOX is the Sarbanes-Oxley Act of 2002, a US federal law that requires public companies to maintain and certify accurate financial reporting and effective internal controls. This guide covers why the law exists, Sections 302 and 404, internal control over financial reporting (ICFR), and who must comply.

The short version

What is SOX?

SOX is the Sarbanes-Oxley Act of 2002, a US federal law that requires public companies to maintain accurate financial reporting backed by effective internal controls. It makes a company's CEO and CFO personally certify the financial statements, requires an external auditor (for larger filers) to attest to the effectiveness of internal control over financial reporting, and created the Public Company Accounting Oversight Board to oversee those auditors. SOX compliance means you can prove, with evidence, that the numbers you report to investors can be trusted.


Why SOX exists

SOX was passed in 2002 after a run of accounting scandals, most famously Enron and WorldCom, destroyed shareholder value and shook confidence in public markets. Those collapses exposed weak internal controls, misleading statements, and conflicted auditors.

Congress responded by holding executives personally accountable for the accuracy of financial reporting and by making the audit profession answer to an independent regulator. The law is named for its sponsors, Senator Paul Sarbanes and Representative Michael Oxley.

Section 302 and Section 404

Two sections carry most of the weight. Section 302 puts a personal signature on the numbers; Section 404 demands proof that the controls behind them work.

Section 302

Corporate responsibility for financial reports

Requires the CEO and CFO to personally certify, in each periodic report, that the financial statements are accurate and that they are responsible for the internal controls behind them. It puts a named signature, and personal accountability, on the numbers.

Section 404

Management assessment of internal controls

Requires management to assess and report, in each annual report, on the effectiveness of internal control over financial reporting (Section 404(a)), and requires the company's external auditor to attest to the effectiveness of that control (Section 404(b)). Note that the auditor attestation in 404(b) applies to accelerated and large accelerated filers; non-accelerated filers are exempt from it, though management's own assessment under 404(a) still applies. This is the most demanding and resource-intensive part of SOX.

Both sections rest on the same foundation: internal control over financial reporting, or ICFR. ICFR is the set of processes and controls that give reasonable assurance the financial statements are reliable. SOX is, in effect, a law about getting ICFR right and being able to prove it.

CEO and CFO certification, the external auditor, and the PCAOB

SOX is enforced through people signing their names and an independent check on those signatures.

  • CEO and CFO certification. Under Section 302, the chief executive and chief financial officer personally certify, in each periodic report, that the financial statements are accurate and that they are responsible for establishing and maintaining the internal controls. The certification carries personal liability.
  • The external auditor. Under Section 404, an independent external auditor attests to the effectiveness of the company's internal control over financial reporting, providing an outside opinion on whether the controls can be relied on.
  • The PCAOB. The Public Company Accounting Oversight Board, created by SOX, registers, inspects, and disciplines the firms that perform those audits, so the auditors are themselves held to an independent standard.

How SOX compliance works in practice

Four steps, run every reporting cycle, that turn the law into a working control program.

  1. Scope and document your controls

     Identify the processes and systems that affect the financial statements and document the controls over them. This is the foundation of internal control over financial reporting (ICFR).

  2. Assess design and test operation

     Evaluate whether each control is designed to do its job, then test whether it actually operated as designed over the period. Gaps and failures are recorded as deficiencies to track.

  3. Remediate deficiencies

     Close control gaps and material weaknesses, document what changed, and re-test. Deficiencies that are not remediated by period end flow into management's assessment and, if material, into the disclosed conclusion on ICFR.

  4. Certify and support the audit

     Management certifies under Section 302 and reports on ICFR under Section 404, and the external auditor attests under Section 404(b) where it applies. Retain the evidence the auditor will request; the audit firm is itself subject to PCAOB inspection, so the audit file and the evidence behind it must hold up to a second review.

Many teams still run SOX in spreadsheets and email, which buckles as the control inventory grows. SOX compliance software keeps the controls, testing, deficiencies, and evidence in one place so certification season is calm.

Free download

Free SOX compliance assessment checklist

A ready-to-use checklist that turns Section 302 and 404 requirements into a scored, control-by-control assessment, so you can see where ICFR stands before the auditor arrives.

  • Section 302 and 404 requirements broken into testable controls
  • A simple way to score control design and operation
  • Deficiency and remediation tracking built into the structure
  • Built to carry over cleanly into a managed SOX program

No credit card · Updated for 2026 · Instant download

FAQ

SOX, answered

The questions finance and compliance teams ask most about the Sarbanes-Oxley Act.

Make certification season calm

Run SOX as a scored, evidenced program.

RiskWatch keeps your ICFR controls, testing, deficiencies, and evidence in one place, with Section 302 and 404 work mapped to a shared control library. 30-day free trial, no credit card.

No credit card required · 30-day free trial · Cancel anytime

Request a Demo