SOX applies only to publicly held US company boards and accounting firms, but it can be useful to private and non-US-based companies.


Concerns financial auditing, governance, and disclosures. Also known as the Public Company Accounting Reform and Investor Protection Act (in the Senate) and the Corporate and Auditing Accountability and Responsibility Act (in the House).


Enacted in 2002 in the wake of several major US corporate and accounting scandals.

Penalties for noncompliance

They vary depending on which section of the law is violated, ranging from fines of up to $1 million to 20 years in prison.


SOX does not mandate specific information security requirements. No single set of standards can guarantee compliance. But it does clearly state that management and independent auditors are responsible for establishing effective internal controls, including IT systems controls.

Key sections

  • 302: Corporate responsibility for financial reports. CFOs and CEOs must personally certify and be accountable for their firm’s financial records and accounting.
  • 303: Improper influence on conduct of audits. An officer or director must not fraudulently influence, coerce, manipulate, or mislead any auditor.
  • 404: Management assessment of internal controls. Auditors must certify the underlying controls and processes they use to compile financial results.
  • 409: Real-time issuer disclosures. Companies must disclose events that may affect their stock price or financial performance within 48 hours.
  • 802: Criminal penalties for altering documents. Fines and prison time for CPAs of public companies who alter, destroy, or mutilate any record or document with the intent to impede an investigation.