SOX compliance FAQ: The basics of navigating regulatory demands

Congress passed the SOX Act of 2002 to help protect investors from fraudulent financial reporting by corporations in response to several high-profile financial scandals in the early 2000s. ​

There are several requirements under SOX, however, the major provisions of SOX are Section 302, Section 404, Section 802 and Section 906.

Section 302 of SOX states that the chief executive officer (CEO) and chief financial officer (CFO) are directly responsible for the accuracy, documentation and submission of all financial reports as well as the internal control structure. The CEO and CFO are required to personally attest to the accuracy and completeness of their financial statements and sufficiency of internal controls quarterly.

SOX 404(a) requires management to assess and report on the effectiveness of internal control over financial reporting (ICFR), and 404(b) requires that an independent auditor attest to management’s assessment of the effectiveness of those internal controls.

Section 802 imposes fines or penalties of imprisonment for the destruction or falsification of records. This section also outlines record retention rules and what business records must be maintained or stored.

Section 906 requires a written statement from the CEO and CFO on all periodic financial reports declaring that the financial report fairly presents, in all material respects, the financial condition and results of operations of the issuer. It also establishes criminal penalties associated with knowingly filing periodic reports which do not comport to the requirements of the section.