The Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley Act of 2002 (SOX), passed by Congress and enforced by the Securities and Exchange Commission (SEC), is designed to protect shareholders and the general public from accounting errors and fraudulent practices used by businesses and to improve the accuracy of corporate disclosures. IT compliance and IT security professionals need to pay close attention to SOX because the regulation has clear implications for data management, reporting, and security.


Hyperproof’s compliance operation software helps organizations reduce SOX audit costs and can reduce time needed to prepare for a SOX compliance audit by 50%. Sign up for a personalized demo to see how we can help you with your SOX compliance effort:

  • Utilize the pre-built SOX framework to make it easier to manage the entire process -- from documentation to testing and certification

  • Keep SOX documentation accurate, consistent, and easily accessible

  • Automate the collection of evidence for walkthroughs & testing

  • Collaborate easily with your SOX auditor and ensure a seamless handoff

  • Assign controls to program participants and keep team members on track

  • Monitor your entire SOX environment in real time and stay on track with dashboards


What Is SOX?

The Sarbanes-Oxley Act, passed by Congress and enforced by the Securities and Exchange Commission (SEC), is designed to protect shareholders and the general public from accounting errors and fraudulent practices used by businesses and to improve the accuracy of corporate disclosures. Commonly called SOX, it is really a comprehensive set of regulations called the Public Company Accounting Reform and Investor Protection Act of 2002. It was enacted in response to a number of major corporate and accounting scandals.

Who needs to comply with SOX?

All provisions of SOX apply to publicly traded companies headquartered in the United States, as well as wholly-owned subsidiaries and foreign companies that are publicly traded and do business in the United States. SOX also applies to any third parties that a publicly traded company outsources financial work to.

In general, private companies, charities, and nonprofits are not required to comply with all SOX provisions. However, certain provisions of SOX also affect privately held companies and nonprofits. For instance, intentionally destroying, altering, or falsifying documents with the intention of impeding or influencing a federal agency investigation or a federal bankruptcy proceeding carries fines and up to twenty years imprisonment. In addition, whistleblower protection applies to these companies, which means that retaliating against someone who provides a law enforcement officer with information relating to a possible federal offense is punishable by up to 10 years imprisonment.


SOX also affects accounting firms; the rule builds a firewall between the auditing function and other services available from accounting firms. Thus, the firm that audits the books of a publicly held company may no longer do the company’s bookkeeping, non-financial audits, or business evaluations, and is also prohibited from designing or implementing an information system, providing investment advisory and banking services, or consulting on other management issues.

SOX also affects HR departments within publicly traded companies. It requires a firm to establish payroll system controls. A company’s workforce, salaries, benefits, incentives, paid time off, and training costs must all be accounted for under Section 404 of SOX.

Although SOX isn’t required for privately held companies, if your company aspires to go through an IPO in the next two to three years, it is beneficial to start planning for SOX compliance sooner rather than later, because it will take a while for your company to set up all necessary processes to fulfill SOX requirements.

What are the Compliance Requirements of SOX?

SOX is arranged into 11 sections, also called titles. Two sections of particular importance are Section 302 and Section 404.

  • Section 302 pertains to "Corporate Responsibility for Financial Reports". It establishes, in part, that CEOs and CFOs must review all financial reports and that the reports are "fairly presented" and don't contain misrepresentations. This section also establishes that CEOs and CFOs are responsible for the internal accounting controls.

  • Section 404 deals with "Management Assessment of Internal Controls" and requires companies to monitor and maintain internal controls related to the company’s accounting and financials. Internal controls include any computer, network hardware, and other electronic infrastructure that financial data passes through. It requires businesses to have an annual audit of these controls conducted by an external CPA firm. This audit assesses the effectiveness of all internal controls and reports its findings back directly to the Securities and Exchange Commission (SEC).

Other key provisions under SOX include:

  • Required disclosure of transactions and relationships that are off the balance sheet and could impact financial status;

  • Prohibition of personal loans from a corporation to executives;

  • Establishment of fines and terms of imprisonment for tampering with or destroying documents in the event of investigations or court action; and

  • Requirements for attorneys who represent public companies before the SEC to report security violations to the CEO.

SOX also encourages disclosure of corporate fraud by protecting whistleblower employees of publicly traded companies or their subsidiaries who report illegal activities against retaliation, including dismissal and discrimination.


SOX Enforcement and Penalties for Non-Compliance

The Securities and Exchange Commission (SEC) enforces SOX. SOX imposes criminal penalties on anyone who willfully certifies a misleading or fraudulent financial report: fines of up to $5 million and up to 20 years in prison. SOX also makes it a crime for a person to knowingly retaliate against a whistleblower for disclosing truthful information to a law enforcement officer regarding an alleged federal crime. This type of retaliation is punishable by up to 10 years imprisonment.

What Resources Can I Use to Develop and Assess Internal Controls Related to Information Technology?

There are several useful resources you can turn to when setting control objectives and preparing for a SOX compliance audit:

PCAOB

The Public Company Accounting Oversight Board was created to develop auditing standards and train auditors on the best practices for assessing a company’s internal controls. You can visit the PCAOB website to find specific SOX requirements for information security they’ve prepared for auditors. PCAOB publishes updates and changes to the auditing processes when they see fit, so you’ll need to refer to these as you’re preparing for an audit.

COBIT

Control Objectives for Information and Related Technology is a framework published by ISACA, a leading organization in the production of guidelines for developing and assessing internal controls for IT systems. COBIT outlines best practices for 34 IT processes.

COSO

The Committee of Sponsoring Organizations is a joint organization consisting of representatives from the Institute of Management Accountants (IMA), the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA), and Financial Executives International (FEI). Since 1992, COSO has published periodic updates to its internal control framework recommendations. This document outlines guidelines for creating and implementing internal controls and serves as the basis for the auditing standards developed by PCAOB.

ITGI

The Information Technology Governance Institute is dedicated to helping businesses meet their objectives without compromising information security. ITGI has independently published its own framework for SOX compliance, using both COBIT and COSO as guides. Unlike COBIT, however, the ITGI framework deals only with security issues.

Preparing for a SOX Compliance Audit

A SOX compliance audit of a company’s internal controls takes place once a year and must be performed by an independent auditor. It is your company’s responsibility to hire the auditor. Keep in mind that SOX audits must be separate from other internal audits to avoid a conflict of interest. Companies often choose to schedule the audit so that results are available for inclusion in their annual report (to satisfy the requirement that audit findings must be accessible to stockholders).

The first step to an audit is to have your management team meet with the accounting firm to discuss the specifics of the audit, including when it will take place, what it will cover, what its purposes are, and what results management expects to see.


SOX Audit of Internal Controls

The biggest portion of a SOX audit is a review of internal controls, including computers, network hardware and other electronic infrastructure that financial data passes through. From an IT perspective, a typical audit will look like this:

SOX Internal Controls

Access controls

Access controls can be physical or electronic; their purpose is to prevent unauthorized users from viewing sensitive information. This includes ensuring that cloud resources and physical servers are secure, effective password controls are being used, and lockout screens and other measures are in place. Implementing the principle of least privilege is considered one of the best methods of access control.

Security

A SOX audit will examine the technology, policies, and procedures your organization has put in place to prevent breaches and promptly remediate incidents as they occur.

Change management process


Change management involves your internal processes for adding new users or workstations, updating and installing new software, and making any changes to Active Directory databases or other information architecture components. Having a record of what was changed, when it was changed, and who changed it is necessary for a SOX IT audit, and these records will make it much easier to correct problems when they emerge.
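The change-management passage above hinges on having a record of what was changed, when it was changed, and who changed it, and that record is only useful to an auditor if it cannot be quietly edited afterwards. As an added example (not Hyperproof's code, and not something the page prescribes), the Python below keeps such a record tamper-evident: each entry carries the SHA-256 hash of the previous entry, so altering or deleting any historical entry breaks the chain and is caught on verification. The record fields, the `ticket` reference and the sample entries are constructed for illustration.

```python
"""Tamper-evident change log (added example; all names and sample data are constructed).

Every record stores the hash of the record before it. Verification re-hashes
each record and checks the links, so an edited or deleted entry is detected.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64  # sentinel "previous hash" for the first record


@dataclass(frozen=True)
class ChangeRecord:
    seq: int            # position in the log
    timestamp: str      # ISO-8601 UTC, supplied by the caller
    actor: str          # who made the change
    target: str         # what was changed (system, object, setting)
    action: str         # what was done
    ticket: str         # change-approval reference (constructed placeholder)
    prev_hash: str      # hash of the previous record (the chain link)
    entry_hash: str     # hash of this record's own fields plus prev_hash


def _compute_hash(fields: dict) -> str:
    """Hash the record content deterministically (sorted keys, fixed separators)."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def append_change(log: List[ChangeRecord], timestamp: str, actor: str,
                  target: str, action: str, ticket: str) -> ChangeRecord:
    """Append a record linked to the previous one and return it."""
    prev_hash = log[-1].entry_hash if log else GENESIS_HASH
    fields = {
        "seq": len(log), "timestamp": timestamp, "actor": actor,
        "target": target, "action": action, "ticket": ticket,
        "prev_hash": prev_hash,
    }
    record = ChangeRecord(entry_hash=_compute_hash(fields), **fields)
    log.append(record)
    return record


def verify_chain(log: List[ChangeRecord]) -> Tuple[bool, Optional[int]]:
    """Re-hash every record and check each link.

    Returns (True, None) if the log is intact, otherwise (False, index) for
    the first record whose content, position or link no longer matches.
    """
    expected_prev = GENESIS_HASH
    for i, rec in enumerate(log):
        fields = asdict(rec)
        stored = fields.pop("entry_hash")
        if rec.seq != i or rec.prev_hash != expected_prev or _compute_hash(fields) != stored:
            return False, i
        expected_prev = stored
    return True, None


def demo_tampering() -> Tuple[bool, bool, Optional[int]]:
    """Build a small log, verify it, alter one historical entry, re-verify."""
    log: List[ChangeRecord] = []
    append_change(log, "2024-03-01T09:15:00Z", "jdoe", "AD:group=GL-Posting",
                  "add member asmith", "CHG-0001")
    append_change(log, "2024-03-01T10:02:00Z", "ops-svc", "erp-prod",
                  "deploy build 4.2.1", "CHG-0002")
    append_change(log, "2024-03-02T08:40:00Z", "jdoe", "AD:group=GL-Posting",
                  "remove member asmith", "CHG-0003")
    intact_before, _ = verify_chain(log)

    # Simulate an after-the-fact edit of the first record (changing the actor)
    # that leaves the stored entry_hash untouched, as a careless edit would.
    tampered = asdict(log[0])
    tampered["actor"] = "someone-else"
    log[0] = ChangeRecord(**tampered)
    intact_after, bad_index = verify_chain(log)
    return intact_before, intact_after, bad_index


if __name__ == "__main__":
    print(demo_tampering())  # (True, False, 0)
```

`demo_tampering()` returns `(True, False, 0)`: the chain verifies before the edit and fails at record 0 afterwards; deleting a record fails in the same way because the sequence numbers and links no longer line up. Hash chaining detects tampering but does not prevent someone from rewriting the whole chain, so in practice the log is written to append-only storage and its latest hash is periodically recorded somewhere the people making changes cannot modify.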

Segregation of duties in the software development cycle


Backup procedures
The auditor will expect to see backup systems in place to protect your sensitive data.

SOX Compliance Checklist

While each audit will be tailored to the organization, there are a few general questions each organization should consider before an audit:

  1. Am I working from an accepted framework such as COBIT, ITGI, or COSO?
  2. Do we have policies that outline how to create, modify, and maintain accounting systems, including software that handles financial data?
  3. What safeguards do we have to prevent data tampering? Have they been tested and found functional?
  4. Is there a protocol for dealing with security breaches?
  5. Is access to sensitive data being monitored and recorded?
  6. Have previous breaches and failures of security safeguards been disclosed to auditors?
  7. Have we provided SOX auditors with the access needed to do their job?
  8. Do we use data classification to make it easier to monitor and enforce corporate policies for data handling?

SOX Compliance and Data Security

Although SOX does support good IT control hygiene, not all of your data security risks are fully addressed by SOX. The SOX audit will only cover the internal controls related to a company’s accounting and financials -- not other types of sensitive data. These days, many organizations are running their business in the cloud and have put various types of sensitive data in many third-party SaaS applications. The actual scope of a SOX audit leaves out certain key security principles that are imperative for ensuring your cloud environment is secure. While the typical IT scope of SOX covers Access, Security, Change Management, and Backup procedures, there are other important control categories, such as Governance, Change Control, and Identity and Access Management.

If you want to ensure sufficient security across all of your environments (cloud and on-premises) and all types of data, you may want to follow guidelines from other security and cloud security frameworks in addition to SOX, such as the Cloud Security Alliance’s Cloud Controls Matrix and NIST SP 800-53.

Can I Use Compliance Operations Software to Become SOX Certified Faster?

Hyperproof is a compliance operations software solution that helps organizations get through their SOX compliance audits faster and more cost-effectively. Here are just a few of the ways Hyperproof can be used to make SOX compliance audits more manageable and less stressful:


Hit the ground running

Hyperproof comes with a SOX starter compliance template designed to help organizations accelerate their journey to compliance. The template comes with all SOX requirements and access to COSO and COBIT controls you can use as a starting point to develop your SOX controls. Once you’ve implemented the template, you can upload your existing evidence files, link them to the right controls and requirements, and iterate from there (e.g., tailor certain controls or collect additional pieces of evidence). For organizations who already have existing controls in place, it’s quite simple to edit the provided controls, add new controls, and remove superfluous ones.

Streamline the evidence collection and management processes

Instead of developing your own file system and using spreadsheets to track updates, you can store all of your evidence in Hyperproof and link each piece of evidence to the right control and requirement. Hyperproof provides the ability to link one evidence file to multiple requirements/controls, so you don’t have to pull the same evidence files again and again if you’re preparing for multiple audits.

Hyperproof also makes it easy for compliance professionals to collect evidence from business stakeholders. A compliance project owner can assign tasks to business stakeholders (e.g. submit this type of evidence) and remind people to complete their tasks on a cadence. Business stakeholders do not need to learn the language of compliance or any new tools. They can receive notifications to complete tasks through the tools they are already using (e.g., Outlook, Slack, Gmail), complete the tasks in those tools, and have information routed back and reflected in Hyperproof in near real-time.

Know exactly where you stand with an audit

Hyperproof provides real-time feedback on your audit preparedness and control evaluation efforts. It comes with dashboards to help you identify what controls are already in place and what’s missing in real-time so you can put solutions in place to close those gaps well ahead of an auditor’s visit.

When you’re ready to share your work with your auditor, you can invite your auditor to review your work in Hyperproof, so no one has to spend their precious time uploading/downloading files and sending emails back and forth. Additionally, Hyperproof provides a central place for compliance process owners and auditors to communicate with one another.


Sign Up for a Personalized Demo