Sarbanes-Oxley, or SOX, refers to a series of securities and financial regulations enacted by the Sarbanes-Oxley Act in 2002. The SOX Act added new layers of criminal penalties for anyone found guilty of breaking securities laws — both those included in SOX as well as other federal financial laws. Rules laid out by SOX required more stringent bookkeeping and added compliance obligations to corporate officers, auditors, and accounting staff.
Sarbanes-Oxley was passed in response to several high-level financial scandals. One of the most notable was the Enron scandal, which involved a huge (and seemingly stable) enterprise failing and the knock-on effects across the nation's economy.
Enron's ventures included companies and investments in sectors such as oil, gas, paper, communications, electricity, and power plants. It was a global business, but it filed bankruptcy suddenly in 2001. During the financial fallout related to Enron, it became clear that earnings reports had been inflated and other fraud and embezzlement had occurred.
Enron and other scandals that involved fraud and tampered-with-reports caused Congress to rethink the necessary reporting processes for corporations and public companies. That led to the Sarbanes-Oxley Act. The goal of the act was to create additional security for investors as well as protect the financial interests of the nation overall.
Like many federal acts, SOX takes its name from its legislative sponsors. It was a bipartisan approach, and the sponsors were Senator Paul S. Sarbanes, a Democrat from Maryland, and Congressman Michael G. Oxley, a Republican from Ohio.
Sarbanes-Oxley is not a small act, making it unwieldy for individuals to understand and consider every facet of the law when creating reports or driving financial decisions. Because of this, many enterprises make SOX compliance the purview of the same departments that manage other types of regulatory compliance, including PCI or HIPAA.
Finance and compliance departments work together to:
Sometimes these departments and procedures fall under the title of Risk Management.
Smaller businesses that don't have the ability to manage SOX compliance via an existing department may need to work with outside business partners, including attorneys, risk-management consultants, or accountants, for this purpose. This is often where the role of a compliant document management system becomes important.
Sarbanes-Oxley provisions are typically referred to by their section numbers. For example, Section 302 holds Chief Operating and Financial Officers responsible for the accuracy of an organization's SEC report filings and internal financial controls. This section requires that a C-suite executive sign SEC filings and other related reports, indicating that he or she read the entire report and believes that everything in it is well-founded and accurate.
Other important provisions of SOX include, but aren't limited to, those below.
The penalties for not complying with Sarbanes-Oxley can be stiff. Section 906 covers the penalties should someone certify (by signing) a fraudulent or misleading financial report. If they are charged with this crime and found guilty, they could face up to 20 years in prison and be on the hook for a fine of up to $5 million. Other sections of the act cover different criminal financial acts, often listing potential penalties that are similar in scope.
Awareness and training are at the forefront of best practices to ensure organizations are compliant with Sarbanes-Oxley. C-suite executives must be aware of their responsibilities under the act, and accounting and financial staff obviously need to know how to remain compliant. But employees across the organization may need to understand what Sarbanes-Oxley is and whether they have any role to play in compliance.
Some other best practices might include: