What is SOX?
The Sarbanes-Oxley Act (SOX) is a US federal law enacted in July 2002 in response to a series of major corporate accounting scandals — including Enron, WorldCom and Tyco International — that wiped out billions of dollars of investor wealth and shook public confidence in financial markets. SOX established sweeping new requirements for financial reporting, internal controls, auditor independence and corporate accountability for publicly traded companies in the United States.
While SOX is primarily a financial law, it has profound implications for IT and cybersecurity teams. The integrity, availability and confidentiality of financial data depend entirely on the IT systems that store and process it — making IT general controls (ITGCs) a critical component of SOX compliance.
Why Was SOX Created?
In 2001 and 2002, a wave of corporate scandals exposed systemic failures in financial reporting, auditing and corporate governance. Enron — once the seventh-largest company in the United States — collapsed after it was revealed that executives had used accounting loopholes and special purpose entities to hide billions in debt. WorldCom followed with an $11 billion accounting fraud. Arthur Andersen, one of the Big Five accounting firms and Enron’s auditor, was destroyed.
Congress responded with the Sarbanes-Oxley Act, named after Senator Paul Sarbanes and Representative Michael Oxley. The law was passed with overwhelming bipartisan support and signed by President George W. Bush on July 30, 2002. SOX created the Public Company Accounting Oversight Board (PCAOB) to oversee auditors of public companies and introduced criminal penalties for executives who certified fraudulent financial reports.
| Attribute | Detail |
|---|---|
| Enacted by | US Congress — signed July 30, 2002 |
| Mandatory or voluntary | Mandatory — US federal law |
| Who must comply | All publicly traded companies on US exchanges, their subsidiaries and foreign private issuers |
| Enforcement agency | Securities and Exchange Commission (SEC) and Public Company Accounting Oversight Board (PCAOB) |
| Criminal penalties | Up to 20 years' imprisonment for wilful certification of false financial reports · Up to $5 million in fines |
| Official resource | sec.gov/spotlight/sarbanes-oxley |
Key SOX Sections for IT and Security Teams
SOX contains 11 titles and dozens of sections. For IT and security professionals, four sections are particularly relevant.
| Section | Name | IT and security relevance |
|---|---|---|
| Section 302 | Corporate responsibility for financial reports | CEO and CFO must personally certify the accuracy of financial reports and the effectiveness of internal controls over financial reporting. They must disclose any significant deficiencies or material weaknesses to auditors and the audit committee. |
| Section 404 | Management assessment of internal controls | The most significant section for IT teams. Management must assess and report on the effectiveness of internal controls over financial reporting (ICFR) annually. External auditors must attest to management’s assessment. IT general controls are a critical component of ICFR. |
| Section 409 | Real-time issuer disclosures | Companies must disclose material changes in financial condition or operations on a rapid and current basis. IT systems must support timely and accurate financial reporting and disclosure processes. |
| Section 802 | Criminal penalties for altering documents | Criminal penalties for altering, destroying or concealing records to obstruct investigations. IT teams must implement records retention and immutability controls for financial data and audit logs. |
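The immutability control that Section 802 calls for on audit logs can be demonstrated with a hash-chained log, where every entry commits to the hash of the entry before it. The following is an added example, not code from the original page or from any named product; the event records, the field names and the `JE_POST`/`JE_APPROVE` action names are constructed for illustration.

```python
"""Hash-chained audit log: each entry commits to the previous entry's hash, so
altering, deleting or reordering any earlier record breaks verification."""
import copy
import hashlib
import json

GENESIS = "0" * 64  # anchor value that the first entry links to


def canonical(record):
    """Stable serialisation so an identical record always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash, record):
    """SHA-256 over the previous hash and the canonical record."""
    return hashlib.sha256(prev_hash.encode() + b"\n" + canonical(record)).hexdigest()


def append(chain, record):
    """Append a record, linking it to the current head of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})
    return chain


def verify(chain, expected_head=None):
    """Walk the chain from GENESIS.

    Returns (True, None) if every link and hash checks out, otherwise
    (False, index) of the first entry that fails. If expected_head is given
    (a head hash kept outside the log, e.g. on WORM storage), the chain must
    also end at that hash; a truncated tail then fails as (False, len(chain)).
    """
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["prev"] != prev or entry_hash(e["prev"], e["record"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None


def tampered_copy(chain, index, **changes):
    """Deep copy of the chain with one record edited in place, i.e. what an
    after-the-fact edit that does not rebuild downstream hashes looks like."""
    c = copy.deepcopy(chain)
    c[index]["record"].update(changes)
    return c


# Constructed sample journal-posting events (not real financial data).
SAMPLE_EVENTS = [
    {"seq": 1, "user": "bob", "action": "JE_POST", "journal": "JE-1001", "amount": 12500.00},
    {"seq": 2, "user": "dave", "action": "JE_APPROVE", "journal": "JE-1001", "amount": 12500.00},
    {"seq": 3, "user": "bob", "action": "JE_POST", "journal": "JE-1002", "amount": 480.25},
]


def build_sample_chain():
    chain = []
    for ev in SAMPLE_EVENTS:
        append(chain, ev)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    head = chain[-1]["hash"]  # in practice written to a separate, write-once location
    print("intact:", verify(chain, head))
    print("edited amount:", verify(tampered_copy(chain, 1, amount=1250000.00), head))
    print("record deleted:", verify(chain[:1] + chain[2:], head))
    print("tail truncated:", verify(chain[:2], head))
```

The chain alone only proves internal consistency: someone with write access to the whole file could rewrite every hash after an edit. That is why `verify` also accepts an `expected_head` that the retention process stores somewhere the log writers cannot reach; with that anchor, edits, deletions and truncation of the tail all surface as a failed check at a specific index.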
IT General Controls (ITGCs) for SOX
IT General Controls are the foundation of SOX IT compliance. They are the controls that underpin the reliability of all automated application controls and financial reporting systems. Auditors test ITGCs as part of every SOX Section 404 audit.
| ITGC domain | Key controls |
|---|---|
| Access to programs and data | User access provisioning and de-provisioning, privileged access management, segregation of duties, periodic access reviews, authentication controls including MFA |
| Program development | System development lifecycle controls, user acceptance testing, approval processes for new systems and significant changes to existing financial systems |
| Program changes | Change management processes for financial applications — including authorisation, testing, approval and emergency change procedures. Separation of development and production environments. |
| Computer operations | Job scheduling and monitoring, data backup and recovery, incident management, system availability and performance monitoring for financial systems |
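The "access to programs and data" domain above is what auditors most often sample, and its checks can be automated over an entitlement extract. The following is an added example, not code from the original page or from any audit tool; the entitlement rows, the HR roster, the role names and the segregation-of-duties rule set are constructed for illustration, and the 90-day dormancy window is an assumed policy value.

```python
"""Access-review checks for the ITGC 'access to programs and data' domain:
segregation-of-duties conflicts, de-provisioning gaps, dormant accounts and
privileged-role holders, run over a constructed entitlement extract."""
from datetime import date

# Constructed application entitlement extract (not real data): one row per grant.
ENTITLEMENTS = [
    {"user": "alice", "role": "AP_VENDOR_CREATE", "status": "active", "last_login": "2024-05-20"},
    {"user": "alice", "role": "AP_PAYMENT_APPROVE", "status": "active", "last_login": "2024-05-20"},
    {"user": "bob", "role": "GL_JOURNAL_POST", "status": "active", "last_login": "2024-01-03"},
    {"user": "carol", "role": "GL_JOURNAL_POST", "status": "active", "last_login": "2024-03-11"},
    {"user": "dave", "role": "GL_JOURNAL_POST", "status": "active", "last_login": "2024-05-28"},
    {"user": "dave", "role": "GL_JOURNAL_APPROVE", "status": "active", "last_login": "2024-05-28"},
    {"user": "erin", "role": "GL_JOURNAL_APPROVE", "status": "disabled", "last_login": "2023-11-02"},
    {"user": "svc_batch", "role": "DB_ADMIN", "status": "active", "last_login": "2024-05-29"},
]

# Constructed HR roster of current employees; carol has left but her account is still active.
HR_ACTIVE = {"alice", "bob", "dave", "erin"}
# Non-human accounts exempt from the HR check but still subject to privileged review.
SERVICE_ACCOUNTS = {"svc_batch"}
# Hypothetical toxic combinations: one person could both initiate and approve a transaction.
SOD_RULES = [
    ("AP_VENDOR_CREATE", "AP_PAYMENT_APPROVE"),
    ("GL_JOURNAL_POST", "GL_JOURNAL_APPROVE"),
]
PRIVILEGED_ROLES = {"DB_ADMIN"}


def active_roles(entitlements):
    """Map user -> set of roles, ignoring disabled grants."""
    roles = {}
    for e in entitlements:
        if e["status"] == "active":
            roles.setdefault(e["user"], set()).add(e["role"])
    return roles


def sod_conflicts(entitlements, rules=SOD_RULES):
    """(user, role_a, role_b) for every active user holding both halves of a rule."""
    hits = []
    for user, roles in active_roles(entitlements).items():
        for a, b in rules:
            if a in roles and b in roles:
                hits.append((user, a, b))
    return sorted(hits)


def orphaned_accounts(entitlements, hr_active=HR_ACTIVE, service=SERVICE_ACCOUNTS):
    """Active accounts whose owner is neither a current employee nor a known service account."""
    return sorted(u for u in active_roles(entitlements)
                  if u not in hr_active and u not in service)


def dormant_accounts(entitlements, as_of, max_idle_days=90):
    """Active accounts with no login inside the window, using the latest login per user.
    as_of may be a date or an ISO date string."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    last = {}
    for e in entitlements:
        if e["status"] == "active":
            d = date.fromisoformat(e["last_login"])
            last[e["user"]] = max(last.get(e["user"], d), d)
    return sorted(u for u, d in last.items() if (as_of - d).days > max_idle_days)


def privileged_holders(entitlements, privileged=PRIVILEGED_ROLES):
    """Accounts holding any privileged role: the list a periodic review must evidence."""
    return sorted(u for u, roles in active_roles(entitlements).items() if roles & privileged)


def access_review(entitlements, as_of):
    """Bundle the four checks into one review result."""
    return {
        "sod_conflicts": sod_conflicts(entitlements),
        "orphaned": orphaned_accounts(entitlements),
        "dormant": dormant_accounts(entitlements, as_of),
        "privileged": privileged_holders(entitlements),
    }


if __name__ == "__main__":
    for finding, items in access_review(ENTITLEMENTS, "2024-06-01").items():
        print(f"{finding}: {items}")
```

Each finding maps to a different control: SoD conflicts to the rule set the finance function owns, orphaned accounts to the joiner/mover/leaver process that feeds on HR data, dormant accounts to the periodic review cadence, and the privileged list to privileged access management. Keeping the rule set and the HR roster as inputs rather than hard-coding them is what lets the same check be re-run each quarter as evidence.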
SOX and the COSO Framework
SOX does not specify a particular internal control framework — instead it requires management to use a “suitable, recognised control framework.” The most widely used is the COSO (Committee of Sponsoring Organisations of the Treadway Commission) Internal Control — Integrated Framework, which organises internal controls into five components.
| COSO component | Description |
|---|---|
| Control environment | The foundation — tone at the top, integrity and ethical values, board oversight, organisational structure and assignment of authority and responsibility |
| Risk assessment | Identification and analysis of risks to achieving financial reporting objectives — including fraud risk assessment |
| Control activities | Policies and procedures that help ensure management directives are carried out — including IT general controls and application controls |
| Information and communication | Relevant information identified, captured and communicated in a timely manner — financial reporting systems must produce accurate, complete and timely information |
| Monitoring activities | Ongoing monitoring of internal controls and separate evaluations — including internal audit function and management’s ongoing monitoring activities |
SOX Deficiency Classifications
When auditors identify weaknesses in internal controls, they classify them into three categories based on severity. Understanding these classifications is critical for prioritising remediation.
| Classification | Definition | Disclosure required? |
|---|---|---|
| Control deficiency | A deficiency exists when the design or operation of a control does not allow management or employees to prevent or detect misstatements on a timely basis | No public disclosure — internal remediation |
| Significant deficiency | A deficiency that is less severe than a material weakness but important enough to merit attention by those responsible for oversight | Must be reported to audit committee and external auditors |
| Material weakness | A deficiency where there is a reasonable possibility that a material misstatement of the annual or interim financial statements will not be prevented or detected | Must be publicly disclosed in annual report — significant market impact |
Securitora Assessment
SOX compliance is non-negotiable for any publicly traded company in the United States. For IT and security teams, SOX is primarily about demonstrating that financial data is accurate, protected and auditable — and that the IT systems supporting financial reporting have robust controls over access, change management and operations. The key failure points are inadequate access controls (particularly privileged access and segregation of duties), poor change management processes and insufficient audit logging. Organisations that invest in strong IT general controls for SOX typically find that these controls also significantly improve their overall security posture.
| Attribute | Detail |
|---|---|
| Recommended for | All publicly traded companies on US exchanges and their subsidiaries |
| Difficulty to implement | High — requires significant coordination between finance, IT, internal audit and external auditors |
| Best used with | COBIT 2019 · NIST CSF 2.0 · ISO 27001 |
| Official resource | sec.gov/spotlight/sarbanes-oxley |