
April 1, 2026 • 52 min read
The Sarbanes-Oxley Act: A practitioner's guide to SOX compliance


Brandi Anastasiades & William Fritchie
Key Takeaway: The Sarbanes-Oxley Act remains the foundational accountability framework for U.S. public company financial reporting, and its scope is still expanding. Per the 2025 KPMG SOX Survey, the average program cost hit $2.3M in FY24, up from $1.6M in FY22. PCAOB QC 1000 and amended AS 2101/AS 2201 take effect December 15, 2026, raising the bar for integrated audits.
The Sarbanes-Oxley Act ("SOX") was a major overhaul of corporate financial reporting for public companies, enacted in 2002 in response to the Enron, WorldCom, and Tyco accounting scandals. Through stricter reporting requirements, enhanced civil penalties, and new criminal penalties, the act set out to reduce corporate fraud and improve the accuracy of financial information provided to investors. In plain terms, SOX is a U.S. federal law that requires public companies to follow strict financial reporting and internal control standards to protect investors from accounting fraud.
A brief history and impact of the Sarbanes-Oxley Act
The Sarbanes-Oxley Act was signed into law on July 30, 2002. Its official full name is the Public Company Accounting Reform and Investor Protection Act of 2002 (Pub. L. 107-204), and its primary goal is to protect investors by improving the accuracy and reliability of financial reporting and corporate disclosures. The sections within the act regulate corporate governance, risk management, auditing, and public company financial reporting with the goal of reducing accounting fraud and corporate corruption. Sarbanes-Oxley was named after its two sponsors, Senator Paul Sarbanes (D-MD) and Representative Michael G. Oxley (R-OH). The bill responded to several corporate and accounting scandals in the early 2000s, including Enron, Tyco International, WorldCom, Adelphia, and Peregrine Systems. SOX also created a new quasi-governmental body, the Public Company Accounting Oversight Board (PCAOB), to oversee and regulate the public accounting firms that audit public companies. Highlights of the most notable accounting scandals are described below.

The Sarbanes-Oxley Act delivered comprehensive reform to public company accounting practices and to public accounting firms' audit procedures. Its initial impact is clearly visible in the number of restatements in 2005 and 2006. Restatements rose 66% in 2005 to 1,600 and peaked at 1,784 in 2006, soon after the internal control over financial reporting requirements took effect. After 2006, restatements steadily declined, reaching a low of 711 in 2009. Note that Item 4.02 restatements are more serious than non-4.02 restatements: an Item 4.02 restatement (so named for the Form 8-K item under which it is reported) signals that previously filed financial statements contain errors determined to be material, so those statements should no longer be relied upon.
While proponents claim SOX was necessary to remediate the corporate accounting scandals, opponents have argued that SOX has done more harm than good. Leading the charge were Congressman Ron Paul and former Arkansas Governor Mike Huckabee, who argued that SOX was unnecessary and placed U.S. companies at a competitive disadvantage against foreign competitors because of the cost of compliance. To support their claims, they cited that the number of public companies deregistering from public exchanges nearly tripled in the year after SOX was enacted.
In response to these criticisms, the JOBS Act was enacted in April 2012 to provide relief for newly listed public companies by creating a new class of companies called emerging growth companies (EGC). An EGC is exempt from SOX 404(b) for a period of five years unless its gross revenues exceed $1.235 billion, it has issued over $1 billion in non-convertible debt over a three-year period, or it becomes a large-accelerated filer. The purpose of the EGC class was to lower the cost of SOX compliance by reducing the number of required financial disclosures in annual reporting and exempting EGCs from the internal control attestation requirement from external auditors.
The 11 titles of the Sarbanes-Oxley Act
The primary components of the Sarbanes-Oxley Act are the following 11 titles:
- Title I: Public Company Accounting Oversight Board (PCAOB). Title I established the PCAOB, a nonprofit organization whose goal is to provide oversight of public accounting firms providing audit services to public companies. The PCAOB enhanced the quality of audits being performed by public accounting firms through inspections of audit workpapers and overseeing compliance with specific components of SOX.
- Title II: Auditor Independence. Title II established the standard of external auditor independence and helped reduce potential conflicts of interest with audit clients. Highlights include required rotation of audit partners and limitation of certain non-audit services provided to audit clients.
- Title III: Corporate Responsibility. Title III is a civil provision that requires senior executives to take responsibility for the accuracy and completeness of their company's financial reporting.
- Title IV: Enhanced Financial Disclosures. Title IV provides enhanced reporting requirements for financial transactions, including off-balance sheet transactions, pro forma figures, and corporate officer stock transactions. It also requires the implementation of an internal control framework to further improve a company's financial reporting process.
- Title V: Analysis of Conflicts of Interest. Title V provides a code of conduct for security analysts and requires the disclosure of any known conflict of interest. The goal of Title V is to restore investor confidence in the reporting function of the securities industry.
- Title VI: Commission Resources and Authority. Title VI provides the U.S. Securities and Exchange Commission (SEC) authority over professionals and allows it to censure or bar professionals from practicing as a broker, advisor, or dealer. The goal of Title VI is to restore investor confidence in the securities industry.
- Title VII: Studies and Reports. Title VII charged the Comptroller General (GAO) and the SEC with studies on (1) the consolidation of public accounting firms, (2) the role of credit rating agencies, (3) securities violations and violators, (4) enforcement actions, and (5) investment banks. The last of these examined whether investment banks contributed to the early-2000s accounting scandals.
- Title VIII: Corporation and Criminal Fraud Accountability. Title VIII provides employees with whistleblower protections and specific criminal penalties for individuals who manipulate, alter, or destroy accounting reports in an attempt to interfere with an investigation into a company's financial records.
- Title IX: White Collar Crime Penalty Enhancement. Title IX is a criminal provision that enhances criminal penalties for white-collar financial crimes to include higher monetary fines and increased prison terms.
- Title X: Corporate Tax Returns. Title X recommends the Chief Executive Officer (CEO) sign the company's corporate tax return.
- Title XI: Corporate Fraud Accountability. Title XI makes tampering with corporate records and obstructing official proceedings criminal offenses punishable by up to 20 years in prison, increases the penalties for other corporate fraud, and allows the SEC to seek a temporary court-ordered freeze of extraordinary payments to officers, directors, or others while an issuer is under investigation for securities law violations.
The following table assigns each title to a category of either Auditor, Corporate, Financial Reporting, or Regulator to better help understand how the act is structured.

Each title of the Sarbanes-Oxley Act contains multiple sections that set out the act's specific requirements. Listed below are the seven sections most important for corporate officers and auditors to understand. This article reviews each of them in detail and highlights their critical components.
- Section 302: Corporate Responsibility for Financial Reports
- Section 401: Disclosures in Periodic Reports
- Section 404: Management Assessment of Internal Controls
- Section 409: Real-Time Issuer Disclosures
- Section 802: Criminal Penalties for Altering Documents
- Section 806: Sarbanes-Oxley Whistleblower
- Section 906: Corporate Responsibility for Financial Reports
A comprehensive summary of all sections and subsections is provided later in this article.
Section 302: Corporate responsibility for financial reports
This section requires the principal executive officer and principal financial officer (in practice the CEO and CFO) to certify each annual and quarterly report. The certifying officer confirms that they have reviewed the report; that, based on their knowledge, it contains no untrue statement of material fact and omits no material fact needed to make it not misleading; and that the financial statements and other financial information fairly present, in all material respects, the issuer's financial condition and results of operations for the periods covered.
Section 302 also makes the certifying officers responsible for establishing and maintaining internal controls. They must have evaluated the effectiveness of those controls as of a date within 90 days before the report and present their conclusions in it. They must disclose to the external auditors and the audit committee all significant deficiencies in the design or operation of internal controls that could adversely affect the issuer's ability to record, process, summarize, and report financial data, identify any material weaknesses, and disclose any fraud, whether or not material, that involves management or other employees who have a significant role in the internal controls.
Section 401: Disclosures in periodic reports
This section enhances the financial disclosures required by Section 13 of the Securities Exchange Act of 1934. All material correcting adjustments identified by the public accounting firm must be reflected in the financial statements. The issuer must also disclose all material off-balance sheet transactions, arrangements, obligations (including contingent obligations), and other relationships with unconsolidated entities that may have a material current or future effect on its financial condition, results of operations, liquidity, capital expenditures, capital resources, or any significant components of revenue or expenses. Finally, pro forma figures may not contain any untrue statement of material fact, nor omit any material fact necessary to make the pro forma information not misleading to investors.
Section 404: Management assessment of internal controls
Section 404 consists of three subsections: 404(a), 404(b), and 404(c). Its primary purpose is to require management to assess the effectiveness of the company's internal control over financial reporting (ICFR), thereby improving the accuracy of financial reporting. Because nearly all financial data is processed and stored in IT systems, Section 404 effectively requires testing of IT general controls (ITGCs) over any system that supports a material financial reporting process: access management, change management, computer operations, and program development.
Section 404(a) applies to every public issuer, including EGCs and smaller reporting companies; the only relief is a transition period that excuses a newly public company from including management's report in its first annual report. Management must evaluate both the design and the operating effectiveness of ICFR, document the internal control structure, and reassess it annually. The results of management's annual assessment are reported in the company's Form 10-K.
Section 404(b) requires the issuer's external auditor to attest to, and report on, management's assessment of its internal controls. In other words, 404(a) mandates that management perform its own assessment, while 404(b) requires an independent auditor to evaluate whether that assessment is accurate and to issue its own opinion on ICFR. The auditor's opinion on internal control appears in the audit report section of Form 10-K. The Public Company Accounting Oversight Board (PCAOB) sets the standards auditors must follow for this report; the current standard governing the integrated audit is PCAOB AS 2201. SOX testing: How to build a well-rounded testing program provides additional information about building a comprehensive SOX testing program.
Section 404(c) exempts non-accelerated filers, meaning issuers that are neither accelerated filers nor large accelerated filers, from the auditor attestation requirement of Section 404(b). Emerging growth companies (EGCs) are exempt from 404(b) under the JOBS Act. An issuer is a non-accelerated filer if its public float (the market value of shares held by non-affiliates) is below $75 million or, since the SEC's 2020 amendments to the filer definitions, if its public float is below $700 million and its annual revenues are below $100 million. A company keeps EGC status for up to five fiscal years after its IPO unless it crosses the thresholds noted earlier.
Section 409: Real-time issuer disclosures
This section requires issuers to disclose on a near real-time basis any material changes in their financial conditions or operations that are necessary or useful to protect investors.
Section 802: Criminal penalties for altering documents
This section, codified at 18 U.S.C. § 1519, enhanced the penalties for both the company and its auditors. Any person who knowingly alters, destroys, mutilates, conceals, or falsifies records, documents, or tangible objects with the intent to obstruct, impede, or influence a federal investigation or proceeding (or a bankruptcy case) faces a fine, imprisonment of up to 20 years, or both.
For auditors, this section increased the retention period for any audit or review workpapers. The initial rules stated that any accountant who performs an audit of an issuer must maintain its audit or review workpapers for a minimum period of five years from the end of the fiscal period in which the audit or review was completed. However, the final rule increased the retention period to seven years. The penalty for violating the record retention rules is a fine and prison time for no more than 10 years.
Workpapers are considered any documents used to form the basis of the audit or review of the issuer's financial statements. The criteria for a document to be considered a workpaper are:
- Materials created, sent, or received in connection with the audit or review.
- Any documents that have conclusions, opinions, analyses, or financial data related to the audit or review.
Section 806: Sarbanes-Oxley whistleblower protections
Section 806 provides additional protection for employees of publicly traded companies who provide evidence of fraud or assist in an investigation of fraud against the company's shareholders conducted by a federal regulatory agency, law enforcement agency, a member of Congress, a committee of Congress, or a person with supervisory authority over the employee. Section 806 also expanded the prohibitions against retaliation against employees.
Codified at 18 U.S.C. § 1514A, Section 806 requires an employee to file a retaliation complaint with OSHA within 180 days of the alleged retaliation (the Dodd-Frank Act extended this from the original 90 days). Available remedies include reinstatement, back pay with interest, and special damages including attorney fees. The SEC separately polices attempts to silence whistleblowers: Commission Rule 21F-17(a) prohibits any person or entity from taking any action to impede an individual from communicating directly with the SEC about a possible securities violation. Non-disclosure agreements (NDAs) and severance agreements violate that rule if they prevent or discourage an employee from reporting concerns directly to the SEC, and the SEC has brought enforcement actions over such clauses.
Section 906: Corporate responsibility for financial reports
Section 906 of the Sarbanes-Oxley Act requires public companies to include specific certifications by the Chief Executive Officer (CEO) and Chief Financial Officer (CFO) in each periodic report containing financial statements. The certification states that the information contained in the financial report fairly represents, in all material respects, the company's financial condition and results of operations. The penalties for making false claims in these certifications include a fine of up to $1 million and up to 10 years in prison. If an officer willfully certifies the financial report knowing the report is false, they may face penalties of up to $5 million and 20 years in prison.
The CEO and CFO should conduct a reasonable level of due diligence to determine whether the financial statements fairly represent the company's financial condition. The actions the officers should take include performing a careful review of the financial report and interviewing company personnel who prepared the report. The Chief Accounting Officer (CAO), general counsel, risk management officer (RMO), and Chief Investor Relations Officer should be included among individuals who are consulted regarding how the financials were prepared. Additionally, the company's primary audit partner or personnel from the external audit team may be consulted.
The CEO and CFO should discuss any significant financial reporting issues the company is facing, the Management Discussion and Analysis (MD&A) section of the financial report, any critical accounting policies, known financial trends, the status of the company's internal controls, and any key internal audit procedures. Another best practice is to review sub-certifications from key individuals involved in the company's financial reporting process. The company should also document the procedures undertaken by the CEO and CFO to review the company's financial report.
While Section 302 and Section 906 may appear to be very similar in nature, the distinction between the two is that Section 302 is a civil provision and Section 906 is a criminal provision. In practice, most issuers file both certifications as separate exhibits (Exhibits 31 and 32) to each 10-K and 10-Q.
How SOX strengthens corporate governance
One of SOX's primary mandates was improving corporate governance by increasing the responsibility of executives at public companies with regard to financial reporting. Titles III, IV, IX, X, and XI placed numerous new requirements on company executives to hold them accountable for poor financial reporting. New and stricter penalties for executives who act in bad faith, or knowingly commit fraud, further help motivate company executives to closely monitor their company's financial reporting and ensure accurate, reliable information is being provided to investors.
Title III, and specifically Section 302, made it mandatory for the CEO and CFO to certify the company's financial reports and the effectiveness of the company's internal controls. Passing SOX made company executives directly responsible for fraudulent financial reporting, and they could no longer ignore problems in their company's financial reporting framework. If a company's financials were inaccurate, fraudulent, or misleading to investors, executives were now held directly accountable and liable for civil penalties. Section 301 of the same title requires each listed company to have an independent audit committee that appoints, compensates, and oversees the external auditor and that receives the officers' reports on internal control deficiencies, further ensuring that financial reporting is accurate and free from material errors.
Title IV, Enhanced Financial Disclosures, also enhanced corporate governance by mandating that company executives assess and report on the effectiveness of their company's internal control framework. Section 404(a) carves out no class of issuer: EGCs and smaller reporting companies must comply just like large accelerated filers, with only a transition period for a newly public company's first annual report. This forces company executives to understand and actively participate in their company's internal control over financial reporting.
Title IX, White Collar Penalty Enhancement, carried some of the most significant changes. Section 906, similar to Section 302, requires the CEO and CFO to include specific certifications about the company's financial statements. The most important point to understand is that Section 906 added criminal penalties for any false claims associated with these certifications. The penalties include a fine of up to $1 million and up to 10 years in prison. If an officer willfully certifies the financial report knowing the report is false, they may face penalties of up to $5 million and 20 years in prison.
Title XI, Corporate Fraud Accountability, continued with the theme of criminal offenses and expanded criminal penalties to any individuals who act in bad faith. This section extends beyond just the CEO and CFO and makes any person involved with corporate fraud, tampering with corporate accounting records, and obstructing official proceedings liable for criminal penalties of fines, imprisonment up to 20 years, or both.
Combined, Titles III, IV, IX, and XI make a collaborative effort to enhance financial reporting through improved corporate governance. Using a combination of required certifications, increased civil penalties, and new criminal penalties, these rules all play a part in helping improve financial reporting.
Key benefits of Sarbanes-Oxley (SOX)
Section 404 compliance, which began for accelerated filers with fiscal years ending on or after November 15, 2004, brought many benefits for investors. Public company financial reporting became more accurate, reliable, and transparent for investors and the general public. The driving forces behind the improved financial reporting were an enhanced emphasis on implementing and assessing internal control frameworks, improved corporate governance, and expanded oversight from regulators. What are SOX controls? Best practices for defining your scope provides additional information on identifying relevant controls within a company's internal control framework.
Section 404 of SOX is considered the backbone of SOX because of its focus on improving audit standards, implementing an effective internal control framework, and attestation of that framework by external auditors. Internal control over financial reporting was not a new concept when SOX was passed in 2002. The idea of using internal controls to monitor and improve financial reporting has been around since the early 1980s, and is most well known for the work performed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Founded in 1985, COSO sponsored the National Commission on Fraudulent Financial Reporting, an independent private-sector initiative that studied the leading factors that contributed to fraudulent financial reporting. Fundamentals of the COSO framework: Building blocks for integrated internal controls provides additional background on the COSO framework and internal controls.
By requiring the CEO and CFO to evaluate and assess their company's internal control framework every year, SOX forced companies to spend time and resources on establishing an effective and functional internal control framework. To help executives evaluate the control environment, more robust internal audit departments were created to perform year-round monitoring and testing of internal controls. Internal audit 101: Everything you need to know provides additional insight into internal audit departments and their scope of work. Furthermore, Section 404(b) mandates, with the exceptions for smaller issuers and EGCs noted above, that external auditors assess the effectiveness of ICFR. A material weakness results in an adverse auditor opinion on ICFR. That opinion does not by itself mean the financial statements are misstated (the financial statement opinion can still be unqualified), but it signals that a material misstatement might not be prevented or detected on a timely basis, and it brings considerable fallout for company executives and the board of directors.
As discussed earlier, corporate governance improved as a result of SOX due to the requirement of executives certifying financial reports, increased civil penalties, and new criminal penalties. This prevented company executives from ignoring or dismissing their company's financial reporting process. If a company's financial statements were inaccurate, either due to incompetence or a willful act of fraud, its company executives were now held both civilly and criminally liable.
Increased regulatory oversight and expanded federal powers also improved overall financial reporting. Title XI allows the SEC to seek a temporary freeze of extraordinary payments to officers, directors, or others while an issuer is under investigation, and Title VIII provides employees with additional whistleblower protections. Many of the accounting scandals prior to SOX, and even after SOX, came to light because of an internal whistleblower. Expanded federal protections for these whistleblowers make it increasingly difficult for companies to keep fraud hidden from the general public and investors.

The 2026 SOX regulatory horizon: PCAOB QC 1000, AS 2101, and AS 2201
The most significant near-term change for SOX programs is the December 15, 2026 effective date for three PCAOB standards. PCAOB QC 1000 imposes a risk-based firm-wide system of quality control on registered audit firms, and amended AS 2101 (Audit Planning) and AS 2201 (ICFR-integrated audit) tighten how auditors scope, plan, and execute the integrated SOX audit. The PCAOB delayed the original effective date after acknowledging firms faced "insurmountable" implementation challenges.
Issuer-side SOX teams should expect more rigorous auditor requests around risk assessment documentation, system-of-record evidence, and ITGCs during 2026 walkthroughs. The SEC XBRL requirements for cybersecurity disclosures (Item 1.05 of Form 8-K and Item 106 of Regulation S-K) are already in effect. The March 2024 climate disclosure rule was stayed on April 4, 2024, pending judicial review, so its structured-data tagging requirements are not currently enforceable.
According to the 2025 KPMG Survey, the FY24 average SOX program cost reached $2.3 million versus $1.6 million in FY22, with average hours rising 32% to 15,580. The primary driver is scope expansion: the average number of in-scope systems more than doubled over two years, while the percentage of automated controls did not increase. To offset this, leading programs are deploying Continuous Control Monitoring (CCM) — often supported by purpose-built SOX management platforms for internal audit and compliance teams — to automate testing of high-frequency or rules-based controls, particularly configurable application controls and ITGCs, rather than relying on periodic manual sampling.
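The ITGC categories listed under Section 404 above (access management and change management in particular) and the rules-based controls that a CCM program automates are concrete enough to test in code. The following Python script is an added example, not code from the original article, from KPMG, or from any SOX platform. It runs three assumed ITGC rules (a termination-access SLA, a segregation-of-duties matrix, and a change-approval check) over constructed HR, identity-provider, and change-management records and returns per-control exceptions the way a nightly CCM job would, instead of a tester pulling a sample of 25 items once a quarter. The control IDs, record layouts, three-day SLA, and SoD role pairs are assumptions for illustration.

```python
"""Minimal continuous-control-monitoring (CCM) job for three IT general controls.

Added example: the control IDs, record layouts and thresholds below are assumptions,
not any regulator's or vendor's definitions.
"""
from dataclasses import dataclass
from datetime import date

TERMINATION_SLA_DAYS = 3  # assumed policy: access removed within 3 days of termination
# Assumed segregation-of-duties matrix: role pairs one person must never hold together.
SOD_CONFLICTS = {frozenset({"ap.enter", "ap.approve"}), frozenset({"gl.post", "gl.approve"})}

# Constructed sample evidence (not real data), as a CCM job would pull it from HR,
# the identity provider and the change-management tool.
SNAPSHOT_DATE = date(2026, 1, 25)
HR_ROSTER = [
    {"user": "amanda", "status": "active", "term_date": None},
    {"user": "bruce", "status": "terminated", "term_date": date(2026, 1, 5)},
    {"user": "carla", "status": "terminated", "term_date": date(2026, 1, 23)},
]
ACCESS_SNAPSHOT = [
    {"user": "amanda", "system": "ERP-GL", "enabled": True, "roles": ["ap.enter"]},
    {"user": "bruce", "system": "ERP-GL", "enabled": True, "roles": ["gl.post"]},  # 20 days past termination
    {"user": "carla", "system": "ERP-GL", "enabled": True, "roles": ["ap.enter", "ap.approve"]},  # within SLA, but SoD conflict
]
CHANGES = [
    {"id": "CHG-101", "system": "ERP-GL", "implementer": "dev1", "approver": "mgr1", "ticket_approved": True},
    {"id": "CHG-102", "system": "ERP-GL", "implementer": "dev2", "approver": "dev2", "ticket_approved": True},  # self-approved
    {"id": "CHG-103", "system": "ERP-GL", "implementer": "dev1", "approver": None, "ticket_approved": False},  # no approval
]

CONTROL_IDS = ("ITGC-AM-01", "ITGC-AM-02", "ITGC-CM-01")


@dataclass(frozen=True)
class ControlException:
    control_id: str
    subject: str
    detail: str


def check_terminated_access(roster, access, as_of):
    """ITGC-AM-01: accounts of terminated employees are disabled within the SLA."""
    term_dates = {r["user"]: r["term_date"] for r in roster if r["status"] == "terminated"}
    exceptions = []
    for acct in access:
        term = term_dates.get(acct["user"])
        if term is None or not acct["enabled"]:
            continue  # active employee, or account already disabled
        days_open = (as_of - term).days
        if days_open > TERMINATION_SLA_DAYS:
            exceptions.append(ControlException(
                "ITGC-AM-01", acct["user"],
                f"still enabled on {acct['system']} {days_open} days after termination on {term}"))
    return exceptions


def check_segregation_of_duties(access):
    """ITGC-AM-02: no account holds a conflicting pair of roles."""
    exceptions = []
    for acct in access:
        roles = set(acct["roles"])
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                exceptions.append(ControlException(
                    "ITGC-AM-02", acct["user"],
                    f"holds conflicting roles {sorted(pair)} on {acct['system']}"))
    return exceptions


def check_change_approval(changes):
    """ITGC-CM-01: every production change has an approved ticket, approved by someone other than its implementer."""
    exceptions = []
    for chg in changes:
        if not chg["ticket_approved"] or chg["approver"] is None:
            exceptions.append(ControlException("ITGC-CM-01", chg["id"], "deployed without an approved change ticket"))
        elif chg["approver"] == chg["implementer"]:
            exceptions.append(ControlException(
                "ITGC-CM-01", chg["id"], f"approved by its own implementer {chg['implementer']}"))
    return exceptions


def run_ccm(roster, access, changes, as_of):
    """Run every control and group the exceptions by control ID (empty list = no exceptions)."""
    results = {cid: [] for cid in CONTROL_IDS}
    found = (check_terminated_access(roster, access, as_of)
             + check_segregation_of_duties(access)
             + check_change_approval(changes))
    for exc in found:
        results[exc.control_id].append(exc)
    return results


def control_status(results):
    """Collapse the exception lists into a pass/exception status per control."""
    return {cid: ("exception" if excs else "pass") for cid, excs in results.items()}


if __name__ == "__main__":
    results = run_ccm(HR_ROSTER, ACCESS_SNAPSHOT, CHANGES, as_of=SNAPSHOT_DATE)
    for cid, status in control_status(results).items():
        print(f"{cid}: {status}")
        for exc in results[cid]:
            print(f"    {exc.subject}: {exc.detail}")
```

Run against the constructed evidence, the job flags bruce for ITGC-AM-01 (carla's account is still inside the three-day SLA), carla for the ap.enter/ap.approve conflict, and changes CHG-102 and CHG-103 for the approval control. Each exception carries enough detail to become an audit-ready finding, and because the rules run on the full population every night, the evidence of operating effectiveness is the job's own output rather than a sampled test.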
Comprehensive review of the Sarbanes-Oxley Act
Below is a full list of all sections and subsections of the Sarbanes-Oxley Act to help provide a better understanding of the full scope provided by SOX.
Title I: Public Company Accounting Oversight Board (PCAOB)
Title I established the Public Company Accounting Oversight Board (PCAOB). The PCAOB is a nonprofit organization that oversees the audits of public companies that are subject to securities laws. The PCAOB has four primary responsibilities:
- Registration of accounting firms that audit public companies in the U.S. securities market.
- Inspection of registered accounting firms.
- Establishing standards for auditing, quality controls, and ethics standards for registered accounting firms.
- Investigating and disciplining registered accounting firms for violations of professional standards.
The subsections of Title I are the following:
- Sec. 101. Establishment; administrative provisions.
- Sec. 102. Registration with the Board.
- Sec. 103. Auditing, quality control, and independence standards and rules.
- Sec. 104. Inspections of registered public accounting firms.
- Sec. 105. Investigations and disciplinary proceedings.
- Sec. 106. Foreign public accounting firms.
- Sec. 107. Commission oversight of the Board.
- Sec. 108. Accounting standards.
- Sec. 109. Funding.
Title II: Auditor Independence
Title II regulates auditor independence. It prohibits an external auditor from providing specified non-audit services (such as bookkeeping, financial information systems design and implementation, and internal audit outsourcing) to its public company audit clients and requires audit committee pre-approval of any other non-audit services. It also specifies the communications required between the auditor and the audit committee, and it requires the lead and concurring audit partners to rotate off a public company client periodically.
- Sec. 201. Services outside the scope of practice of auditors.
- Sec. 202. Pre-approval requirements.
- Sec. 203. Audit partner rotation.
- Sec. 204. Auditor reports to audit committees.
- Sec. 205. Conforming amendments.
- Sec. 206. Conflicts of interest.
- Sec. 207. Study of mandatory rotation of registered public accounting firms.
- Sec. 208. Commission authority.
- Sec. 209. Considerations by appropriate State regulatory authorities.
Title III: Corporate Responsibility
Title III focuses on corporate responsibility and enhanced financial reporting disclosures. It mandates that corporate officers certify their public company's annual and quarterly reports.
- Sec. 301. Public company audit committees.
- Sec. 302. Corporate responsibility for financial reports.
- Sec. 303. Improper influence on conduct of audits.
- Sec. 304. Forfeiture of certain bonuses and profits.
- Sec. 305. Officer and director bars and penalties.
- Sec. 306. Insider trades during pension fund blackout periods.
- Sec. 307. Rules of professional responsibility for attorneys.
- Sec. 308. Fair funds for investors.
Title IV: Enhanced Financial Disclosures
Title IV outlines financial reporting disclosures involving management and principal stockholders, and other items such as internal control over financial reporting. This is probably the most well-known title of the act because it includes Section 404. Please refer to the detailed discussion of Section 404 above for additional information.
- Sec. 401. Disclosures in periodic reports.
- Sec. 402. Enhanced conflict of interest provisions.
- Sec. 403. Disclosures of transactions involving management and principal stockholders.
- Sec. 404. Management assessment of internal controls.
- Sec. 405. Exemption.
- Sec. 406. Code of ethics for senior financial officers.
- Sec. 407. Disclosure of audit committee financial expert.
- Sec. 408. Enhanced review of periodic disclosures by issuers.
- Sec. 409. Real-time issuer disclosures.
Title V: Analyst conflicts of interest
Title V addresses conflicts of interest affecting securities analysts. It amends Section 15 of the Securities Exchange Act of 1934 to direct the SEC, registered securities associations, and national securities exchanges to adopt rules that improve the objectivity and independence of analysts employed by brokers and dealers. Those rules restrict investment banking personnel from pre-approving or supervising research reports, require disclosure of conflicts such as the firm's investment banking relationship with the company covered, and protect analysts who publish an unfavorable report from retaliation by investment banking staff.
A securities analyst is defined as any associated person of a registered broker or dealer who is principally responsible for the preparation of a research report. A research report is any written or electronic communication that analyzes the equity securities of an individual company or industry and provides information reasonably sufficient to base an investment decision on.
- Sec. 501. Treatment of securities analysts by registered securities associations and national securities exchanges.
Title VI: Commission Resources and Authority
This section amends sections of both the Securities Exchange Act of 1934 and the Securities Act of 1933. Some of the revisions include amending the amount of funds authorized to be appropriated to the SEC for oversight activities and enhancing the commission's ability to censure individuals who lack required qualifications or have engaged in unethical or improper professional conduct.
- Sec. 601. Authorization of appropriations.
- Sec. 602. Appearance and practice before the Commission.
- Sec. 603. Federal court authority to impose penny stock bars.
- Sec. 604. Qualifications of associated persons of brokers and dealers.
Title VII: Studies and Reports
Title VII directed the Comptroller General of the United States and the SEC to study the factors that caused the consolidation of public accounting firms starting in the late 1980s, which resulted in an overall reduction in the number of firms providing audit services. It also commissioned a study of credit rating agencies to determine their role and function in the operation of securities markets. A further study was commissioned to determine the number of securities professionals — defined as public accountants, public accounting firms, investment bankers, investment advisors, brokers, dealers, attorneys, and others in the securities industry — who had been found in violation of federal securities laws. It also commissioned a study of enforcement actions for violations of reporting requirements and a study of investment banks.
- Sec. 701. Government Accountability Office (GAO) study and report regarding consolidation of public accounting firms.
- Sec. 702. Commission study and report regarding credit rating agencies.
- Sec. 703. Study and report on violators and violations.
- Sec. 704. Study of enforcement actions.
- Sec. 705. Study of investment banks.
Title VIII: Corporation and Criminal Fraud Accountability
Title VIII enhanced the criminal penalties for altering documents, specifically the destruction, alteration, or falsification of records in federal investigations and bankruptcy, as well as the destruction of corporate audit records. It also amended the statute of limitations for securities fraud (Sec. 804) and enhanced the federal sentencing guidelines for obstruction of justice and extensive criminal fraud (Sec. 805). It provided enhanced protection from retaliation for public company employees who provide evidence of fraud (Sec. 806) and amended the criminal penalties for defrauding shareholders of publicly traded companies (Sec. 807).
- Sec. 801. Short title.
- Sec. 802. Criminal penalties for altering documents.
- Sec. 803. Debts nondischargeable if incurred in violation of securities fraud laws.
- Sec. 804. Statute of limitations for securities fraud.
- Sec. 805. Review of Federal Sentencing Guidelines for obstruction of justice and extensive criminal fraud.
- Sec. 806. Protection for employees of publicly traded companies who provide evidence of fraud.
- Sec. 807. Criminal penalties for defrauding shareholders of publicly traded companies.
Title IX: White Collar Criminal Penalty Enhancements
Title IX enhanced the penalties for white-collar financial crimes and is also referred to as the "White-Collar Crime Penalty Enhancement Act of 2002." Sec. 902 amended Chapter 63 of Title 18, United States Code, broadening its scope so that any person attempting or conspiring to commit an offense is subject to the same penalties as those prescribed for the offense itself. Sec. 904 amended the language of the Employee Retirement Income Security Act of 1974 and increased the penalties for violations of that act. Sec. 905 amended the sentencing guidelines for white-collar offenses.
- Sec. 901. Short title.
- Sec. 902. Attempts and conspiracies to commit criminal fraud offenses.
- Sec. 903. Criminal penalties for mail and wire fraud.
- Sec. 904. Criminal penalties for violations of the Employee Retirement Income Security Act of 1974.
- Sec. 905. Amendment to sentencing guidelines relating to certain white-collar offenses.
- Sec. 906. Corporate responsibility for financial reports.
Key point – Section 906 added penalties to Chapter 63 of Title 18, United States Code, for corporate officers who fail to certify financial reports. The criminal penalties are:
- $1,000,000 fine and imprisonment of not more than 10 years, or both, for knowingly certifying any statement that does not meet the requirement in Section 13(a) or 15(d) of the Securities Exchange Act of 1934 that the information contained in the periodic report fairly represents the financial condition and results of operations of the issuer.
- $5,000,000 fine and imprisonment of not more than 20 years, or both, for willfully certifying any statement that does not meet the requirement in Section 13(a) or 15(d) of the Securities Exchange Act of 1934.
Title X: Corporate Tax Returns
Title X is straightforward and is the shortest title of SOX. It states that a public company's federal income tax return should be signed by the company's Chief Executive Officer.
- Sec. 1001. Sense of the Senate regarding the signing of corporate tax returns by chief executive officers.
Title XI: Corporate and Fraud Accountability
Title XI provides added authority to the SEC and enhances penalties for individuals who interfere with any part of an investigation into corporate corruption or fraud. Section 1102 amends Section 1512 of Title 18, United States Code, to increase the penalties for individuals who tamper with records or otherwise impede an official proceeding to a fine, imprisonment for not more than 20 years, or both. Section 1103 grants the SEC the ability to temporarily freeze the assets of an issuer in certain situations where the issuer is likely to make an extraordinary payment to an officer, director, partner, agent, controlling person, or employee of the company. Section 1104 amends the federal sentencing guidelines for securities and accounting fraud related offenses. Section 1105 amends the Securities Exchange Act of 1934 to allow the SEC to bar certain persons from serving as officers or directors of a public company if they are found unfit or to have engaged in unethical behavior. Section 1106 increases the criminal penalties in Section 32(a) of the Securities Exchange Act of 1934 from $1,000,000 to $5,000,000 for individuals and from $2,500,000 to $25,000,000 for entities. Section 1107 amended Section 1513 of Title 18 of the United States Code to provide added protection for informants.
- Sec. 1101. Short title.
- Sec. 1102. Tampering with a record or otherwise impeding an official proceeding.
- Sec. 1103. Temporary freeze authority for the Securities and Exchange Commission.
- Sec. 1104. Amendment to the Federal Sentencing Guidelines.
- Sec. 1105. Authority of the Commission to prohibit persons from serving as officers or directors.
- Sec. 1106. Increased criminal penalties under Securities Exchange Act of 1934.
- Sec. 1107. Retaliation against informants.
Frequently asked questions
Is SOX still relevant today?
Yes — SOX remains the foundational accountability framework for U.S. public company financial reporting, and its scope is expanding rather than contracting. Per the 2025 KPMG SOX Survey, average program costs rose from $1.6 million (FY22) to $2.3 million (FY24), with 45% of organizations reporting rising costs driven largely by the doubling of in-scope systems and adjacent mandates like SEC Inline XBRL tagging for cybersecurity disclosures. The CEO/CFO certification model also remains the anchor for executive accountability and is being extended into sustainability reporting (via COSO's 2023 ICSR guidance) and AI governance (via COBIT 2019).
What are the four SOX controls?
SOX itself does not enumerate "four controls," but SOX 404 ICFR programs are built on the COSO Internal Control – Integrated Framework, which is operationalized across four implementation areas: control activities, risk assessment, information and communication, and monitoring activities (anchored by an overarching control environment). Practitioners typically classify the underlying control activities as preventive vs. detective, and manual vs. automated, with IT general controls (ITGCs) supporting application-level financial controls.
What is changing under PCAOB QC 1000, AS 2101, and AS 2201 in 2026?
Effective December 15, 2026, PCAOB QC 1000 imposes a risk-based firm-wide system of quality control on registered audit firms, and amended AS 2101 (Audit Planning) and AS 2201 (ICFR-integrated audit) tighten how auditors scope, plan, and execute the integrated SOX audit. The PCAOB delayed the original effective date after acknowledging firms faced "insurmountable" implementation challenges. Issuer-side SOX teams should expect more rigorous auditor requests around risk assessment, system-of-record evidence, and ITGC documentation during 2026 walkthroughs.
How expensive is SOX compliance?
Per the 2025 KPMG SOX Survey, the FY24 average SOX program cost was $2.3 million versus $1.6 million in FY22, with average hours rising 32% to 15,580. The primary driver is scope expansion — the average number of in-scope systems more than doubled over two years — while the percentage of automated controls did not increase, forcing manual testing hours to scale linearly with the IT footprint. Only 28% of organizations are using offshore resources despite 42% citing cost reduction as a strategic priority.
How do SOX requirements apply to IT systems and information security?
Because nearly all financial data is processed and stored in IT systems, SOX 404 effectively requires testing of IT general controls (ITGCs) — access management, change management, computer operations, and program development — over any system that supports a material financial reporting process. Many programs map ITGCs to COBIT 2019 and integrate cybersecurity expectations using the NIST Cybersecurity Framework. Cybersecurity disclosure has also converged with SOX-adjacent reporting: SEC rules now require Item 1.05 (material cyber incidents on Form 8-K) and Item 106 of Regulation S-K to be tagged in Inline XBRL.
What protections does Section 806 provide to whistleblowers?
Section 806 (codified at 18 U.S.C. §1514A) prohibits publicly traded companies from retaliating against employees who provide information about conduct they reasonably believe violates federal securities laws, SEC rules, or any federal fraud statute. Employees must file a complaint with OSHA within 180 days of the alleged retaliation. Available remedies include reinstatement, back pay with interest, and compensatory damages including attorney fees. Commission Rule 21F-17(a) separately prohibits NDAs, severance agreements, or other actions that impede direct reporting to the SEC.
What is the difference between Section 302 and Section 906 certifications in practice?
Section 302 is a civil provision under SEC rules requiring CEO/CFO quarterly and annual certifications covering financial statement fair presentation, disclosure controls, and ICFR; violations are pursued through SEC enforcement actions. Section 906 is a criminal provision under 18 U.S.C. §1350 requiring a separate certification with each periodic report — knowing false certification carries up to $1 million and 10 years imprisonment, and willful false certification up to $5 million and 20 years. In practice, most issuers file both certifications as separate exhibits (Exhibits 31 and 32) to each 10-K and 10-Q.
Who must comply with SOX?
All publicly traded companies, their wholly owned subsidiaries, and foreign companies that are publicly traded and do business in the United States must comply with SOX. EU companies looking to enter the United States capital markets must comply with SOX requirements and are not shielded from compliance because they physically reside outside the United States. Accounting firms that perform audits of public companies must be registered with the PCAOB and also comply with SOX.
About the authors

Brandi Anastasiades, CISA, is a Commercial Account Executive at Optro. As an experienced information technology auditor, SOX/ICFR compliance professional, & Deloitte alumna, she has served various multinational corporations throughout the Tri-State & New England areas. Connect with Brandi on LinkedIn.

William Fritchie began his career at Ernst & Young, accumulating over eight years of experience in audit, accounting advisory, and capital markets, with a focus on SEC reporting and SOX compliance. He now collaborates with early-stage technology start-ups, providing expertise in business development and capital raising. Connect with William on LinkedIn.