The Sarbanes-Oxley Act of 2002 was created as a way to protect shareholders and the general public by mandating transparency of companies’ financial disclosures.
SOx became law in 2002 in response to a series of high-profile financial scandals involving Enron, WorldCom, and Tyco. The act was drafted by Congressman Paul Sarbanes and Michael Oxley to improve corporate governance and accountability. The SOx act affects both the financial and IT sides of corporations by setting a standard for how they store electronic records. Although the act is not a set of business practices, it specifies that businesses should store records and electronic records for no less than five years. Failure to meet the guidelines laid out in the SOx act could result in fines, imprisonment, or both.
“Effective in 2006 all publicly-traded companies are required to implement and report internal accounting controls to the SEC for compliance. In addition, certain provisions of Sarbanes-Oxley also apply to privately held companies. Executives who approve shoddy or inaccurate documentation face fines up to $5 million and jail time up to 20 years.”
“The Sarbanes-Oxley Act requires all financial reports to include an Internal Controls Report. This shows that a company’s financial data is accurate and adequate controls are in place to safeguard financial data. Year-end financial disclosure reports are also a requirement. A SOx auditor is required to review controls, policies, and procedures during a Section 404 audit.
SOx auditing requires that internal controls and procedures can be audited using a control framework like COBIT. Log collection monitoring systems must provide an audit trail of all access and activity to sensitive business information.
Sarbanes-Oxley also encourages the disclosure of corporate fraud by protecting whistleblower employees of publicly traded companies or their subsidiaries who report illegal activities. Section 806 of the Sarbanes-Oxley Act authorizes the U.S. Department of Labor to protect whistleblower complaints against employers who retaliate and further authorizes the Department of Justice to criminally charge those responsible for retaliation.”