Contributor:
Yani Diaz | Senior Manager, Risk & Accounting Advisory
What Is Sarbanes-Oxley?
The Sarbanes-Oxley (SOX) Act of 2002 is a federal law administered by the Securities and Exchange Commission (SEC) that requires public companies to meet certain criteria and standards regarding internal controls over financial reporting (ICFR). ICFR is a critical component of a company’s overall system of internal controls, and it is designed to prevent, detect and correct errors or fraud that could impact the company’s financial reporting.
SOX applies to all publicly traded companies and their subsidiaries, and it provides crucial oversight and additional lines of defense for corporations. It allows internal weaknesses to be identified and corrected before external auditors, regulators or other stakeholders, such as lenders or equity investors, become involved.
While SOX regulations do not apply directly to non-profits and governmental entities, SOX internal control requirements are based on the Committee of Sponsoring Organizations (COSO) framework, which provides guidelines for evaluating the interconnected areas of internal controls, risk management, governance and fraud. Given that COSO is the most widely accepted internal control framework in the United States, most organizations, whether public or private, would benefit from incorporating SOX principles to minimize their exposure to financial, operational or fraud risks and to optimize the quality of their financial reporting.
Prepare for SOX Compliance and Stay Current on Best Practices
There are two main types of SOX compliance, 404(a) and 404(b):
- SOX 404(a): Requires management to report on the effectiveness of internal controls over financial reporting. This SEC requirement applies to every public company listed on a stock exchange in the United States and requires the establishment of a system of internal controls. This often entails performing risk assessments, designing controls, testing their effectiveness and issuing management’s attestation regarding the effectiveness of internal controls.
- SOX 404(b): Requires an external auditor’s attestation regarding the effectiveness of internal controls over financial reporting, in addition to management’s attestation. This requirement applies primarily to larger public companies (accelerated filers).
Organizations can refer to the following SOX checklist to prepare for a smooth SOX 404 audit:
Let Us Guide You Forward
Our SOX Risk Advisors can help you design a comprehensive plan and implement strategies around SOX 404 compliance to protect value, power performance, and build financial and operational resilience. For more information on establishing or enhancing your organization’s SOX program, contact Cherry Bekaert’s Risk & Accounting Advisory Services practice or your Cherry Bekaert advisor.
Related Insights
- Article: Six Steps To Creating Efficiencies and a Well-planned SOX Program
- Case Study: Regulatory, Tax and SOX Compliance for Biopharmaceutical Company Expanding U.S. Presence
- Podcast: Examining the Differences Between SOX 404a and 404b
- Podcast: SOX Offshoring: Benefits and Key Considerations From the Service Provider and Client Perspectives