Contributor: Yani Diaz | Senior Manager, Risk & Accounting Advisory

What Is Sarbanes-Oxley?

The Sarbanes-Oxley (SOX) Act of 2002 is a federal law administered by the Securities and Exchange Commission (SEC) that requires public companies to meet certain criteria and standards regarding internal controls over financial reporting (ICFR). ICFR is a critical component of a company’s overall system of internal controls, and it is designed to prevent, detect and correct errors or fraud that could impact the company’s financial reporting.

SOX applies to all publicly traded companies and their subsidiaries, and it provides crucial oversight and additional lines of defense for corporations. It allows internal weaknesses to be identified and corrected before external auditors, regulators or other stakeholders, such as lenders or equity investors, become involved.

While SOX regulations do not apply directly to non-profits and governmental entities, SOX internal control requirements are based on the Committee of Sponsoring Organizations (COSO) framework, which provides guidelines for evaluating the interconnected areas of internal control, risk management, governance and fraud. Given that COSO is the most widely accepted internal control framework in the United States, most organizations, whether public or private, would benefit from incorporating SOX principles to minimize their exposure to financial, operational or fraud risks and to improve the quality of their financial reporting.

Prepare for SOX Compliance and Stay Current on Best Practices

There are two main types of SOX compliance, Section 404(a) and Section 404(b):

  • SOX 404(a): Requires management to report on the effectiveness of internal controls over financial reporting. This SEC requirement applies to every public company listed on a stock exchange in the United States and requires the establishment of a system of internal controls. This typically entails performing risk assessments, designing controls, testing their effectiveness and issuing management’s attestation regarding the effectiveness of internal controls.
  • SOX 404(b): Requires an external auditor’s attestation regarding the effectiveness of internal controls over financial reporting, in addition to management’s attestation. This applies mainly to larger public companies (accelerated filers).

Organizations can refer to the following SOX checklist to prepare for a smooth SOX 404 audit:

Let Us Guide You Forward

Our SOX Risk Advisors can help you design a comprehensive plan and implement strategies around SOX 404 compliance to protect value, power performance, and build financial and operational resilience. For more information on establishing or enhancing your organization’s SOX program, contact Cherry Bekaert’s Risk & Accounting Advisory Services practice or your Cherry Bekaert advisor.

Contributors

Neal W. Beggan
Risk Advisory Services
Partner, Cherry Bekaert Advisory LLC

Scott Peyton
Risk Advisory Leader
Partner, Cherry Bekaert Advisory LLC