SOX was originally established to restore investor confidence after a series of high-profile financial scandals, most notably, Enron and WorldCom.

Passed in 2002, the Sarbanes-Oxley Act stands to protect the general public and shareholders from fraud and accounting errors in enterprise. It also improves the accuracy of disclosures. Because of SOX, strict financial reporting and protocols exist within publicly traded companies.

The main areas of the act are focused on increasing criminal punishment, new protections, accounting regulation, and corporate responsibility. SOX primarily seeks to regulate financial reporting, internal audits, and other business practices in publicly traded companies. Some provisions apply to all enterprises, including nonprofits and private companies.

All public enterprise is required to be SOX compliant, and corporate governance is enforced by comprehensive internal checks and balances. Recording standards can be expensive as well as extensive. SOX can also demand steep fines for non-compliance.

How can you comply with SOX?

SOX compliance is a legal obligation and, in general, just a smart business practice. All public companies are mandated to report internal accounting to the Securities and Exchange Commission (SEC). To protect data, companies should already be limiting internal financial system access. Compliance failure would lead to significant fines for senior executives or even jail time. SOX amplifies whistleblower protections to guide illegal reporting activities that might not be discovered in an audit. Whistleblowers are protected from criminal charges in retaliation from employers.

SOX Compliance Checklist

  • NRisk assessment and audit controls should be conducted to find any weaknesses and gaps in efficiency.
  • NCheck constantly to ensure defense systems are working.
  • NPolicies and procedures should support controls, guide employees, and support documentation of governance and sustainability.
  • NMultiple whistleblower reporting methods should be implemented. Violations should be resolved internally, if possible.
  • NDisclose security incidents to auditors for fast response. This protects all parties.
  • NOngoing training in accounting controls and documentation will mitigate violation risk.
  • NDocument activity timelines and encrypt the data.

SOX Essentials

Compliance Policies

All procedures should be clearly detailed. Auditing practices, internal controls, and documentation should remain audit-ready and leave a paper trail for proof of compliance.

Whistleblower Hotline

Public companies are mandated to have a hotline for employees to report violations or misconduct without retaliation.

SOX Compliance Training

Training should be provided for relevant employees and business partners.

Code of Conduct

Zero tolerance for retaliation should be made known in companies’ code of conduct.


Business SOX programs should adapt to meet more complex risks as the company evolves and grows.

This information is not intended to serve as legal advice. Nor is it intended to act as compliance advice specific to the processes of any specific company. Application of compliance laws is a company-specific endeavor. We recommend that you contact compliance counsel to discuss the application of information found herein to your operations.