SOX Compliance

What Is SOX Compliance?

Compliance can be an underutilized opportunity within a public company. It doesn’t just keep regulators at bay—it’s an important tool that management can use to manage risk and improve operations.

The Sarbanes-Oxley Act of 2022 came into law on the heels of major accounting scandals at companies like Enron and WorldCom. The goal of the Sarbanes-Oxley Act, commonly known as SOX, is to help protect investors from fraudulent reporting by publicly traded companies. 

In this article, we summarize the SOX compliance requirements and explain the benefits of compliance.

What are the SOX compliance requirements?

SOX compliance boils down to a few essential functions: financial reporting, internal controls, and auditing. It is designed to ensure corporate executives provide accurate information—if they don’t, they may face financial and even criminal repercussions.

Financial Reporting

  • SOX Section 302 & 906: The Chief Executive Officer (CEO) and Chief Financial Officer (CFO) are responsible for the accuracy of financial reporting and the efficiency of internal accounting controls. They must review all financial reports, and those reports cannot misrepresent financial data. Internal controls must also be reviewed, and any deficiencies in those controls must be disclosed. The CEO and CFO must sign off that the company’s financial statements comply with Securities and Exchange Commission (SEC) disclosure requirements in a written statement included in quarterly or annual reports that include financial disclosures. Corporate executives who sign off on financial statements with misleading or fraudulent data can face fines of up to $5 million and 20 years in prison.
  • SOX Section 401: Financial records produced throughout the year, such as quarterly reports, must be accurate too. These statements should include material off-balance sheet liabilities, obligations, and transactions.
  • SOX Section 409: Material changes to a company’s financial condition or operations must be reported in real-time (or close to it).
  • SOX Section 902: It is a crime to alter, destroy, mutilate, or conceal documents with the intent to make them unavailable or call their integrity into question in official proceedings.

Audits and Internal Controls

  • SOX Section 303: Officers cannot fraudulently influence or manipulate a SOX compliance audit. Materially misleading information can subject officers to penalties. 
  • SOX Section 404: Annual reports must include an Internal Control Report confirming that management is responsible for internal controls. These controls have to be adequate and must be assessed for their effectiveness. Shortfalls in a company’s internal control structure and cybersecurity must be disclosed. External auditors must validate the accuracy of management reports and test the adequacy of their control structure. Companies must prove they maintain internal controls.
  • SOX Section 802: Anyone who alters, destroys or falsifies documents used in an ongoing legal investigation, audit, or bankruptcy case is subject to criminal penalties. Individuals cannot destroy or falsify records. To maintain document integrity, the internal audit department and external accounting firms are required to retain documents that are part of an audit for up to five years. Business records that are part of the audit also need to be maintained. This includes electronic records, such as email or text messages. Accountants who knowingly fail to comply with this requirement can face up to 10 years in prison.

Whistleblower Protections

  • SOX Section 806 & 1107: To preserve the integrity of the SOX compliance process, there are additional requirements in the law that protect whistleblower employees who shed light on financial fraud. Individuals found guilty of retaliation may face criminal charges, including fines or up to 10 years in prison.

Who does SOX compliance apply to?

All publicly traded companies in the United States have to comply with SOX, as well as wholly owned subsidiaries and foreign companies that conduct business in the United States.

Within a company, accountants, auditors, corporate executives, and other management-level officers are the individuals most impacted by SOX compliance requirements.

What are the benefits of SOX compliance?

An often-overlooked byproduct of corporate compliance is that it can initiate important internal investments that lead to improved business processes. Audits and assessments can help management identify improvements that save time and money. Those savings can lead to improved performance in a company’s core business offering or higher profits. 

Protects investors

The primary benefit of SOX compliance is that it protects investors. Reporting requirements ensure investors receive materially important information promptly—before making investment decisions.

With the increased demand for corporate responsibility, SOX compliance is also a way for companies to demonstrate good corporate governance. Adherence to SOX requirements demonstrates that a company takes financial reporting seriously and is reliable in the data they provide. 

Creates standardized internal processes

A byproduct of being SOX compliant is that it forces companies to practice good recordkeeping and develop standardized processes. Standardization across business departments makes it easier to identify errors or weaknesses in processes within a company. This, in turn, reduces administrative overhead and can lower operating costs.

Standardization also strengthens internal controls by creating consistent policies and practices across different business lines and levels of management. This protects the controls’ integrity, which strengthens the overall process.

Reduces the risk of fraud and error

SOX compliance introduces different levels of checks and balances within a company to ensure errors are caught before they are publicly reported. These checks and balances can help identify fraud or other accounting mishaps and protect key stakeholders, including employees or vendors who rely on a business for employment or other services they provide. 

Compliance is also a way to get board members involved in financial reporting—especially audit committee members. Committee members cannot have financial or personal ties to the company, and at least one must have some degree of financial expertise.

What are SOX non-compliance penalties?

Companies that fail to meet SOX compliance requirements can face steep penalties, ranging from fines to jail time. While SOX was designed to protect investors from fraudulent financial reporting, it doesn’t necessarily distinguish the intent behind such reporting. 

Companies that misreport information—even by accident—are still subject to these penalties. Officers and corporate executives who sign off on statements that they know are inaccurate can be held personally liable.  

If an executive knowingly submits a report that does not meet SOX requirements, they can be penalized with a fine of up to $1 million or serve up to ten years in prison.

Certifying a report that does not meet requirements can also be penalized. These are some of the harshest penalties invoked by the Sarbanes-Oxley Act because it puts the final responsibility of accuracy on corporate executives. If an executive intended to mislead or deceive investors, they can be fined up to $5 million or serve 20 years in prison.

Corporate executives and officers aren’t the only ones liable for complying with SOX reporting requirements. Entire entities can also be impacted. For example, violations can lead to a company being delisted from a public stock exchange, leading to lost value for shareholders and investors.

Common SOX compliance challenges

Adequately implementing SOX compliance protocols can be one of the biggest challenges companies face. This often stems from management not committing to developing adequate controls or not taking SOX compliance efforts seriously. It can also come from internal departments if processes aren’t clearly defined or executed.

Companies can also make SOX compliance overly bureaucratic. Having too much documentation or multiple layers of checks and balances can make it difficult for auditors to make sense of a company’s controls. This can obfuscate who is responsible for reporting accurate financial information, making it difficult to root out problems.

Corporate culture can also pose a challenge to SOX compliance activities. Some individuals or departments may not adequately integrate controls into their daily job functions. Others may not know how to use new software or technology. This reluctance can lead some individuals to default to performing control functions manually, increasing the opportunity for errors.

While some executives, managers, or employees might see SOX compliance as unnecessary and bureaucratic, it’s crucial for protecting the public and can give companies an opportunity to invest in their business and standardize and streamline financial reporting.

Stakeholders should become familiar with reporting requirements and perform a SOX compliance audit of internal controls or processes to understand their weaknesses. This will uncover opportunities to invest in automation tools, talent, or capital to implement changes. As a result, the entire business becomes stronger and can lead to better outcomes in the long run.

Stefan van Duyvendijk

Stefan van Duyvendijk is FloQast's first Accounting Operations Evangelist. Stefan is a tenured controller who has consistently nurtured finance professionals and improved accounting processes throughout his career. Previously he was Corporate Controller for Kodiak Cakes where he led a 10-member finance team through a pre-IPO initiative. Before that, he was U.S. Controller for Skullcandy and senior associate at KPMG.