Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley Act (SOX) is a 2002 federal law (Pub. L. 107-204) that established financial reporting, internal control, and corporate governance requirements for public companies following the Enron, WorldCom, and Tyco accounting scandals. Section 404 requires management and auditor attestation of internal control over financial reporting (ICFR).

SOX was enacted on July 30, 2002, following a wave of high-profile corporate accounting frauds. Its key provisions are summarized below.

Title I — Public Company Accounting Oversight Board (PCAOB)

SOX established the PCAOB (pcaobus.org) as the nonprofit regulator for public company audit firms, funded by issuer fees, with SEC oversight. The PCAOB sets auditing standards (replacing prior self-regulatory standards) and conducts inspections of registered audit firms.

Section 302 — CEO/CFO Certifications

Requires principal executive and financial officers of SEC registrants to personally certify quarterly and annual reports, attesting that the financial statements fairly present the company's financial condition and that they have evaluated and disclosed all material weaknesses in disclosure controls. Criminal penalties: $1M-$5M fine and up to 20 years imprisonment for knowing violations.

Section 404 — Internal Control Over Financial Reporting (ICFR)

The most compliance-intensive SOX provision. Requires management to assess the effectiveness of ICFR annually (Section 404(a)) and, for accelerated filers and large accelerated filers, requires the external auditor to independently attest to management's assessment (Section 404(b)). Smaller reporting companies are exempt from 404(b) auditor attestation. The SEC and PCAOB define ICFR frameworks (the COSO framework is the most common).

Section 409 — Real-Time Disclosure

Requires public companies to disclose material events that may affect the company's financial condition 'on a rapid and current basis', leading to expanded Form 8-K requirements.

Scope

SOX applies to SEC-registered companies (NYSE, Nasdaq, OTC). Private companies are not subject to SOX requirements, but SOX standards have influenced best practices for private company governance, especially for companies preparing for an IPO. Many PE-backed companies and large private companies implement SOX-equivalent controls voluntarily. See SEC.gov for SOX rules and PCAOB at pcaobus.org.

Frequently asked questions

Does SOX apply to private companies?

No — SOX applies only to SEC-registered issuers (public companies) and their auditors. Private companies have no SOX obligation. However, companies planning to go public, those with PE sponsors requiring lender compliance, or those bidding for public company contracts may implement SOX-equivalent controls voluntarily. The PCAOB only regulates auditors of SEC-registered issuers.

What is Section 404 and why is it important?

Section 404 requires public company management to annually assess and report on the effectiveness of internal controls over financial reporting (ICFR). For larger companies, the external auditor must independently attest to that assessment. A material weakness in ICFR — a deficiency so significant that there is a reasonable possibility that a material misstatement would not be prevented or detected — triggers restatement risk and stock price impact. Section 404 compliance is the most expensive part of SOX for public companies.

Does SOX affect how lenders evaluate businesses?

Not directly for private companies. For public company borrowers, lenders review SEC filings (10-K, 10-Q) including Section 302/404 certifications and any disclosed material weaknesses. A public company borrower with a material weakness in ICFR may trigger additional financial covenants or enhanced reporting requirements in the credit agreement.