April 1, 2026 37 min read

What is SOX compliance? Complete guide


Vice Vicente

Key Takeaway: SOX compliance requires public companies to maintain certified internal controls over financial reporting under Sections 302 and 404, with COSO 2013 as the de facto framework. New PCAOB standards (AS 1000, AS 1105) and the SEC's 2026 SOX enforcement group have raised evidence thresholds and audit firm scrutiny. Roughly 20-25% of U.S. public companies still report at least one material weakness annually.

In 2002, Congress passed the Sarbanes-Oxley Act (SOX) in response to fraud events and financial scandals at companies including WorldCom and Enron. The act introduced sweeping reforms to financial disclosure and corporate governance with the goal of restoring public confidence in auditing and financial reporting. It was named after its main architects, Senator Paul Sarbanes and Representative Michael Oxley, and is also known as the "Public Company Accounting Reform and Investor Protection Act."

SOX compliance covers financial reporting, information security, and auditing requirements designed to prevent corporate fraud. The new or expanded requirements apply to all U.S. public company boards, management, and accounting firms. Private companies contemplating an IPO or preparing for a merger or acquisition should also review their SOX internal controls. Among other provisions, SOX mandates:

  • All companies' financial reports include an internal controls report.
  • Accurate financial data and controls in place to safeguard financial data.
  • The issuance of year-end financial disclosure reports.
  • Disclosure of corporate fraud, with protections for whistleblower employees.

Sarbanes-Oxley also added accountability requirements for leaders and management, making them liable for the accuracy of their organization's financial statements. Executive misconduct played a major role in the Enron, WorldCom, and Tyco scandals, among others, and continues to shape organizations' attitudes toward financial disclosure and accounting practices. SOX opened the door for holding executives directly responsible for fraud in financial reporting.

This article breaks down SOX compliance requirements, common challenges, the benefits of compliance, and what to expect during the SOX audit process.

Image: Enron Stock Price Collapse (Source: Fall out from Enron)

SOX compliance requirements

Compliance with SOX is enforced by the Securities and Exchange Commission (SEC). As the primary federal agency responsible for protecting investors and maintaining fair and efficient markets, the SEC ensures companies adhere to the requirements set forth by the Sarbanes-Oxley Act. The Public Company Accounting Oversight Board (PCAOB), established by SOX, oversees public accounting firms and the quality of their public company audits. The Sarbanes-Oxley Act of 2002 consists of 11 titles, but two key provisions drive compliance work: Sections 302 and 404.

On March 31, 2026, the SEC announced a dedicated SOX enforcement group targeting audit firm misconduct, signaling materially heightened scrutiny of firm-level quality controls. Practitioners should expect tighter penalties and lower tolerance for ICFR failures in upcoming audit cycles.

Section 302: Corporate responsibility for financial reports

SOX Section 302 makes Chief Executive Officers (CEOs) and Chief Financial Officers (CFOs) directly responsible for the accuracy of financial reports. Signing officers must review and certify the accuracy of financial statements, establish and maintain internal controls, and disclose all significant deficiencies, fraud, and material changes in internal controls.

This mandate allows CEOs and CFOs to be held accountable for inaccuracies in their organization's financial statements, up to and including criminal penalties. Non-compliance with Section 302 can result in significant civil and criminal penalties, including fines up to $5 million and imprisonment for up to 20 years for executives who knowingly certify false financial reports.

Section 404: Management assessment of internal controls

Section 404 requires all annual reports to include an internal control report outlining management's responsibility to maintain an adequate internal control structure, an assessment of its effectiveness, and any shortcomings. Independent external auditors must also attest to the accuracy of the company's statement that internal controls are in place and effective. Section 404 includes additional requirements such as auditor review and provides exemptions for certain smaller companies. Optro's review of SOX 404 offers more detailed information.

To limit conflicts of interest, the external 404 audit must be performed by independent auditors who exercise professional skepticism and judgment when examining internal controls at publicly traded companies.

Other key SOX sections at a glance

Practitioners briefing executives should also know the sections that extend beyond 302 and 404:

  • Section 301 – Audit committee independence and whistleblower complaint procedures.
  • Section 409 – Real-time disclosure of material changes in financial condition.
  • Section 802 – Record retention. Companies and auditors must retain audit work papers, financial records, and relevant electronic communications for a minimum of seven years. Willful destruction or falsification carries up to 20 years' imprisonment.
  • Section 906 – Criminal penalties for willful certification of false financial reports: up to $5 million in fines and 20 years' imprisonment.

The 5 COSO components underlying SOX

The COSO framework is the de facto standard cited in nearly every Section 404 attestation. Practitioners should be able to map every key control to one of these five interrelated components:

  1. Control environment – Tone at the top, organizational structure, and ethical values.
  2. Risk assessment – Identification and analysis of risks to achieving financial reporting objectives.
  3. Control activities – Policies and procedures (approvals, reconciliations, segregation of duties) that mitigate identified risks.
  4. Information and communication – Capture and flow of information needed to operate controls.
  5. Monitoring activities – Ongoing and separate evaluations to confirm controls function as designed.

These five components are operationalized through 17 underlying principles, all of which must be present and functioning for management to conclude ICFR is effective. The 2023 COSO ICSR supplement extends the same components to sustainability reporting, an area increasingly in scope following the SEC climate disclosures rule.

The 4 pillars of a high-performing SOX program

Mature SOX programs organize their work around four pillars:

  1. Risk-based scoping – Top-down identification of material accounts, processes, and systems.
  2. Process and control documentation – Narratives, flowcharts, and RCMs that capture control design.
  3. Consistent control testing – Design and operating effectiveness testing executed across the full reporting period.
  4. Strong control environment (tone at the top) – Leadership behavior, ethics, and governance that reinforce the other three pillars.

The KPMG 2025 SOX survey notes that leading programs reinforce all four pillars through continuous control monitoring (CCM) and automation rather than annual checkpoints. Weakness in any single pillar — particularly tone at the top — correlates with material weakness recurrence.

The benefits of SOX 404 compliance

One of the critical outcomes of Sarbanes-Oxley was the end of self-regulation and the establishment of independent oversight of the auditing process through the Public Company Accounting Oversight Board (PCAOB). The PCAOB sets industry standards, investigates fraud allegations, and regulates audit firms. It also performs regular audits of the auditors to ensure quality remains high and best practices are followed.

Image: PCAOB Logo (Source: About PCAOB)

While companies initially contended with the cost and resource burden of compliance, the investment in SOX compliance has paid off in several significant ways.

1. Improved corporate governance: SOX strengthened corporate governance through greater regulation of audit committees. Before SOX, 51% of public companies had audit committees fully independent of management. SOX mandated that all listed companies have an audit committee whose members are independent of management and that includes at least one financial expert. As a result, audit committees today are better equipped to oversee accurate and truthful financial reports.

2. Increased accountability: Executives are now required to personally certify financial reports, with significant penalties for fraudulent activities. Auditors, too, carry a heightened responsibility to maintain integrity and independence. The fraud scandals that fueled Sarbanes-Oxley also led to the downfall of Arthur Andersen, one of the largest accounting firms at the time.

3. Improved auditor independence and quality: SOX prohibits audit firms from providing bookkeeping, actuarial, or management functions to the companies they audit. External auditors must maintain independence in appearance and in fact, supported by PCAOB quality control standards that govern firm-level governance.

4. Fewer financial restatements: Post-SOX, financial restatements have declined year over year, dropping from 1,784 in 2006 to 738 in 2012.

5. Improved risk management and cybersecurity posture: Many of the best practices implemented as part of SOX compliance, especially IT general controls, overlap with guidance from cybersecurity frameworks like the NIST CSF. One example: most SOX 404 audits require strong, restricted access control for financially material information systems, which the NIST CSF also highlights as part of its "Protect" pillar.

In summary, the major benefits of maintaining and iterating on SOX compliance, beyond simply remaining compliant, are: (1) improved corporate governance, (2) increased accountability, (3) improved auditor independence and quality, (4) fewer financial restatements, and (5) improved risk management and cybersecurity posture.

The 8 steps of the SOX audit process

SOX audits can be broken into many steps, from risk assessment through audit committee reporting. We've narrowed the process to the following eight steps:

  1. Defining the audit scope using a risk assessment approach
  2. Determining materiality and risks – accounts, statements, locations, processes, systems, and major transactions
  3. Identifying SOX controls – IT general controls (ITGCs), application controls, entity-level controls (ELCs), etc.
  4. Performing a fraud risk assessment
  5. Managing process and control documentation
  6. Testing key controls
  7. Assessing deficiencies
  8. Delivering management's report on controls

1) Defining the SOX audit scope using a risk assessment approach

For performing a risk assessment, PCAOB Auditing Standard No. 5 states: "A top-down approach begins at the financial statement level and with the auditor's understanding of the overall risks to internal controls over financial reporting. The auditor then focuses on entity-level controls and works down to significant accounts, disclosures, and their relevant assertions." In short, the PCAOB recommends starting at the highest level and becoming more granular. The audit scope should focus on the assets, people, systems, and processes that affect the financial disclosure process — which means not everything in the organization will be in scope. The scope should consider all risks to internal controls over financial reporting in a risk-first approach to SOX compliance.

This step in a SOX compliance audit should not produce a list of compliance procedures. Instead, it should help the auditor identify potential risks and their sources, how they might impact the business, and whether internal controls provide reasonable assurance that a material error will be prevented or detected.

2) Determining materiality in SOX – accounts, statements, locations, processes, and major transactions

Step 1 – Determine what is considered material to the P&L and balance sheet. Financial statement items are considered "material" if they could influence the economic decisions of users. Auditors typically determine materiality by calculating a percentage of key financial statement accounts — for example, 5% of total assets, 3-5% of operating income, or some combination of key P&L and balance sheet accounts.

Step 2 – Determine all locations with material account balances. Analyze the financials for every location you do business in. If account balances at those locations exceed the materiality threshold from Step 1, they will likely be considered material and in scope for SOX in the coming year.

Step 3 – Identify transactions populating material account balances. Meet with your controller and the specific process owners to determine the transactions (debits and credits) that cause the account to increase or decrease. How these transactions occur and how they're recorded should be documented in a narrative, a flowchart, or both.

Step 4 – Identify financial reporting risks for material accounts. Seek to understand what could prevent the transaction from being correctly recorded — the risk event. Then document the effect the risk event could have on the account balance and the related financial statement assertion.

3) Identifying SOX controls – key and non-key controls, ITGCs, and entity-level controls (ELCs)

During materiality analysis, auditors identify and document SOX controls that may prevent or detect transactions from being incorrectly recorded. They look for the checks and balances in the financial reporting process that ensure transactions are recorded correctly and account balances are calculated accurately. Examples of preventative or detective SOX controls include:

  • Separating conflicting and incompatible duties (e.g., the ability to post and approve invoices)
  • Reviews of individual or multiple transactions recorded in the period
  • Account reconciliations

Material accounts often need multiple controls to prevent a material misstatement. You'll analyze the controls to determine which ones best provide assurance, factoring in the people, process, and technology in place.

Audit teams should avoid a brute-force approach that creates a new SOX control whenever a new risk is identified. Each new control is often classified as "key" without a true risk assessment, contributing to ever-increasing control counts. By understanding the differences between key and non-key controls, internal audit teams can manage rising control counts and "scope creep."

The quickest way to differentiate a non-key from a key control is to refer to the level of risk being addressed. Is the control mitigating a low or high risk? By understanding the risks affecting the SOX compliance process, audit teams can prioritize and focus their efforts on key controls.

Finally, to plan an effective system of internal controls, your audit team must identify manual and automated controls. For each automated control, evaluate whether the underlying system is in scope for IT general controls (ITGC) testing, which will impact your testing strategy. With ITGC comfort over the underlying system, you can substantially reduce the amount of control testing needed. Operating strong ITGCs and cybersecurity-related controls is another benefit of SOX compliance.

4) Performing a fraud risk assessment

An effective system of internal controls includes an assessment of possible fraudulent activity. Prevention and early detection are crucial to reducing fraud. Internal controls play a key role in reducing the opportunities to commit fraud and limiting the material impact if fraud occurs, including a manual override of internal controls.

Below are examples of anti-fraud internal controls and practices organizations can implement to reduce losses due to fraud.

Segregation of duties: The Institute of Internal Auditors (IIA) describes the basic idea as "no employee or group of employees should be in a position both to perpetrate and to conceal errors or fraud in the normal course of their duties." The work of one individual should either be independent of, or serve as a check on, the work of another. Examples:

  • Custody of assets
  • Authorization/approval of related transactions affecting those assets
  • Recording and reporting of related transactions
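The segregation-of-duties control described here (and the "post and approve invoices" example in step 3 above) is easiest to understand as a check run over an access-rights export. The following added example is not from the article or from Optro: it uses a constructed, hypothetical role catalog, user-to-role export and conflict ruleset, and reports which roles grant each side of a conflict so the remediation owner can tell a badly designed role from two roles combined on one user.

```python
"""Segregation-of-duties (SoD) conflict detection over ERP role assignments.

Added example, not from the original article. Entitlement names, conflict
rules and the user/role data are constructed (hypothetical) placeholders
shaped like an accounts-payable / general-ledger access review export.
"""
from collections import defaultdict

# Pairs of entitlements one person must not hold at the same time, tagged with
# the duty categories the article lists: custody, authorization, recording.
SOD_RULES = [
    ("AP_POST_INVOICE", "AP_APPROVE_INVOICE", "recording vs. authorization"),
    ("VENDOR_MASTER_EDIT", "PAYMENT_RELEASE", "recording vs. custody"),
    ("JE_CREATE", "JE_POST", "recording vs. authorization"),
    ("PAYMENT_RELEASE", "BANK_RECONCILE", "custody vs. recording"),
]

# Constructed role catalog: role -> entitlements it grants.
ROLE_ENTITLEMENTS = {
    "AP_CLERK": {"AP_POST_INVOICE", "VENDOR_INQUIRY"},
    "AP_MANAGER": {"AP_APPROVE_INVOICE", "VENDOR_INQUIRY"},
    "TREASURY": {"PAYMENT_RELEASE"},
    "VENDOR_ADMIN": {"VENDOR_MASTER_EDIT"},
    "GL_ACCOUNTANT": {"JE_CREATE", "BANK_RECONCILE"},
    "CONTROLLER": {"JE_CREATE", "JE_POST"},
}

# Constructed user -> roles export; comments note the expected finding.
USER_ROLES = {
    "alice": ["AP_CLERK"],                  # clean
    "bob": ["AP_CLERK", "AP_MANAGER"],      # can post and approve the same invoice
    "carol": ["VENDOR_ADMIN", "TREASURY"],  # can change vendor bank data and release payment
    "dave": ["GL_ACCOUNTANT"],              # clean
    "erin": ["CONTROLLER"],                 # a single role grants both sides of a rule
}


def entitlement_sources(user, user_roles=USER_ROLES, roles=ROLE_ENTITLEMENTS):
    """Map each entitlement the user effectively holds to the roles granting it.

    Tracking the granting role matters for remediation: the fix is usually to
    remove one role assignment, not to edit the role catalog.
    """
    sources = defaultdict(set)
    for role in user_roles.get(user, []):
        for ent in roles.get(role, set()):
            sources[ent].add(role)
    return sources


def find_sod_conflicts(user_roles=USER_ROLES, roles=ROLE_ENTITLEMENTS, rules=SOD_RULES):
    """Return {user: [conflict, ...]} for every violated rule.

    Each conflict records both entitlements, the duty category and the roles
    granting each side, so a reviewer can see whether one role is badly
    designed or two otherwise acceptable roles were combined on one user.
    """
    findings = {}
    for user in sorted(user_roles):
        sources = entitlement_sources(user, user_roles, roles)
        conflicts = []
        for ent_a, ent_b, category in rules:
            if ent_a in sources and ent_b in sources:
                conflicts.append({
                    "entitlements": (ent_a, ent_b),
                    "category": category,
                    "granted_by": (sorted(sources[ent_a]), sorted(sources[ent_b])),
                    # The same role granting both sides points at a role-design defect.
                    "role_design_issue": bool(sources[ent_a] & sources[ent_b]),
                })
        if conflicts:
            findings[user] = conflicts
    return findings


def summarize_by_category(findings):
    """Count conflicts per duty category for the audit committee summary."""
    counts = defaultdict(int)
    for conflicts in findings.values():
        for conflict in conflicts:
            counts[conflict["category"]] += 1
    return dict(counts)


if __name__ == "__main__":
    result = find_sod_conflicts()
    for user, conflicts in result.items():
        for conflict in conflicts:
            ent_a, ent_b = conflict["entitlements"]
            print(f"{user}: {ent_a} + {ent_b} ({conflict['category']}); "
                  f"granted by {conflict['granted_by']}; "
                  f"role design issue: {conflict['role_design_issue']}")
    print(summarize_by_category(result))
```

On the constructed data the check flags bob (two roles combined), carol (vendor master plus payment release) and erin (one role that grants both sides), while alice and dave are clean.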

Expense reimbursements: According to ACFE's 2014 report, a significant portion of asset misappropriation schemes involve employees claiming reimbursement for fictitious or inflated business expenses. Management should ensure expense reimbursement policies are communicated to employees and updated whenever necessary. Approval flows should include the direct supervisor and other key stakeholders, such as affected business team members, payroll, or internal audit.

Whistleblower hotline: Despite federal regulations, the ultimate responsibility for a strong whistleblower program lies with management. Internal employee tip-offs have historically provided the best means of fraud detection. Management cannot afford to neglect an internal whistleblower mechanism.

Periodic reconciliation of bank accounts: Bank reconciliations highlight differences between the cash per balance sheet and the bank statement, while confirming the accuracy of the data recorded in the organization's cash ledger. The core duty is not just to identify unexpected differences but also to prevent future occurrences such as accounting delays or unauthorized auto-debits to vendors. Depending on the size of the organization, bank reconciliations should be performed daily, weekly, or monthly.

Ultimately, management's proactive approach to fraud detection and prevention, coupled with strong internal controls, decreases opportunities to commit fraud and instills an ethical culture across the organization.

5) Managing process and SOX controls documentation

Control narratives and documentation establish details on the operation of key controls, including control descriptions, frequency, test procedures, associated risk, population, and evidence. Risk and control mapping often has a many-to-many relationship, making manual documentation difficult. Examples include risks appearing across multiple processes or business units, audit issues impacting multiple controls or processes, and COSO principles mapping to many controls.

As any audit manager can attest, if one team member misses a timely edit or forgets to update all test sheets, the downstream ripple effect can cost hours of cleanup. The solution is to use a relational database as the central repository and foundation of the audit program. SOX software constructed on purpose-built database structures lets auditors push and pull information quickly, with results cascading across the entire SOX program instantly. Documentation no longer requires edits across standalone spreadsheet files. A spreadsheet also cannot handle the data volume needed to reuse annual audit results year over year. The speed, accuracy, and scalability of a database solution will exceed the benefits of "spreadsheet familiarity."

6) Testing key controls

The objective of SOX control testing is threefold: (1) confirm the process or test procedures are an effective method for testing the control, (2) verify the control is performed throughout the entire period by the assigned process owner, and (3) confirm the control has been successful in preventing or detecting material misstatements. In short, control testing validates the design and operating effectiveness of controls.

The actual SOX controls testing process may combine multiple procedures including ongoing evaluation, observation, inquiry with process owners, walkthroughs of the transaction, inspection of the documentation trail, and re-performance of the process.

PCAOB AS 1105 (effective for fiscal years ending on or after December 15, 2024) raised the bar on the sufficiency and appropriateness of audit evidence, including evidence produced by company information systems. Expect external auditors to demand stronger walkthroughs, independent corroboration, and additional evidence over IPE (information produced by the entity) reports used in control execution.

7) Assessing deficiencies in SOX

Ongoing investment in a SOX program naturally results in improved actions, policies, and procedures. As the control environment improves, businesses also see increased automation and a corresponding decrease in manual testing. Over time, this means less time managing fewer overall issues. Deficiencies should be reduced to an acceptable and predictable level, with few surprises.

During SOX control testing, the auditor may identify an exception, deficiency, or gap in a tested sample. When that happens, an "issue" is created. Beyond remediating the issue, the audit team assesses whether it was a design failure in the control or an operating failure where training, responsibilities, or process needs adjustment. Management and the audit team then assess whether the issue is a material weakness or a less severe significant deficiency.

Material weakness vs. significant deficiency: A material weakness is a deficiency, or combination of deficiencies, in ICFR such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a timely basis — and it must be disclosed in 10-K/10-Q filings. A significant deficiency is less severe but still important enough to merit attention from those charged with governance, and is reported to the audit committee rather than publicly disclosed. Roughly 20-25% of U.S. public companies report at least one material weakness annually (Protiviti), with revenue recognition and ITGCs being the most common drivers.

8) Delivering management's report on controls

The end product of SOX control testing is management's report on controls over financial reporting, delivered to the audit committee. While substantial documentation is collected during the process, the report should include:

  • Summary of management's opinion and support for those conclusions
  • Review of the framework used, evidence collected, and summary of results
  • Results from each test – entity-level, IT, and key controls
  • Identification of control failures, gaps, and corresponding root causes
  • Assessment made by the company's independent, external auditor

SOX ITGCs and security controls

With the technology landscape evolving rapidly, companies' reliance on information technology and systems for managing financial information significantly affects how they compile and deliver SEC reports. Most companies have moved financially significant functions — accounting, financial reporting, and even retail/e-commerce — to information systems, so the impact of a successful cyberattack can be severe. Even without affecting SOX compliance activities, security incidents can lead to data breaches and data loss, creating additional challenges.

Some of the foundational ITGCs tested as part of SOX can help avert security breaches and tampering with financially material information. By establishing effective controls around data protection, change management, and sensitive data, IT departments can better detect, prevent, and remediate any potential security incidents.

Third-party and supply chain risk is now a direct ICFR concern. 97% of organizations experienced at least one supply chain breach in 2025, up from 81% in 2024. Companies that heavily use cloud services and do not operate their own data centers should review third-party vendor SOC 1 and SOC 2 reports annually — not just at onboarding — to validate that vendor data security standards align with their own. Non-compliance by a vendor can still represent considerable risk to that vendor's customers.

Common SOX compliance challenges

Spreadsheet and end-user issues

The lowly spreadsheet has evolved into more than a bookkeeping tool. Over time, it has become a SOX workflow staple, partly due to its ability to link data across documents and automate basic tasks. At the same time, modern audit projects require more attributes and details about each control. Whether you're documenting completeness and accuracy of evidence or validating the integrity of a key report, testing procedures have evolved beyond attribute ticking and tying. The modern spreadsheet can handle this testing but lacks speed, efficiency, and consistency.

There are also specific risks tied to using spreadsheets for your SOX program, including:

  • Version control — an out-of-date download
  • Partial or incomplete download
  • Miskey by a user or deleted data
  • Analysis of an inconsistent data set (incorrect population)
  • Process owners left in the dark

Process owners who own day-to-day control activities are often left in the dark about their own controls. Internal audit teams rely on spreadsheets and shared folders to manage controls, so documentation often stays on the desktop of internal audit — far from process owners.

When control documentation lives with internal audit, process owners get visibility into their controls only once a quarter and end up creating day-to-day activities driven by their own version of tasks, not necessarily within the context of their own controls.

Rising costs and resources

While SOX has positively impacted financial reporting, concerns remain over the rising cost of SOX compliance and the resource burden. SOX costs continue to climb year over year, according to Protiviti's annual Sarbanes-Oxley Survey. Drivers include new frameworks like COSO, evolving external auditor requirements for Section 404, and now PCAOB AS 1000 and AS 1105 evidence demands. Companies today spend an average of $1 million to $2 million and up to 10,000 hours on SOX programs annually.

AI in SOX control testing — opportunity and new risk

GRC teams are increasingly using AI and continuous control monitoring (CCM) to automate evidence collection, sample testing, journal entry analytics, and control narrative drafting. KPMG's 2025 SOX Survey identifies automation as the primary lever for resolving recurring ICFR issues, with mature programs targeting a 20-30% reduction in manual testing hours after two cycles of investment.

AI itself is now a SOX-relevant risk. If AI tools influence financially material processes — revenue forecasting, journal entries, reconciliations — they must be scoped into ITGC and application control testing, with controls over model inputs, outputs, change management, and human review. Protiviti's 2025 Top Risks survey lists AI among the top 10 near-term risks for chief audit executives.

Simplify SOX compliance with purpose-built technology

One key to decreasing the cost and time burden of SOX compliance is using automation tools to reduce administrative hours and effort. Forward-thinking SOX teams are adopting SOX automation tools to free up time for higher-value audits, increase the quality of internal controls, and improve real-time visibility into SOX environments. SOX management software strengthens external auditor collaboration and helps organizations avoid financial restatements.

Frequently asked questions

Who must comply with SOX?

SOX applies to all U.S. publicly traded companies, their wholly owned subsidiaries, and foreign private issuers listed on U.S. exchanges, as well as the public accounting firms that audit them. Private companies are not directly bound by SOX, but those preparing for an IPO, M&A transaction, or public-company debt should adopt SOX-aligned ICFR early. Section 806 whistleblower protections and Section 802 record-retention rules also extend to private companies that contract with or audit public registrants.

What are the 5 COSO components that underpin a SOX internal control framework?

The COSO 2013 Internal Control–Integrated Framework defines five interrelated components: (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring activities. These are operationalized through 17 underlying principles, all of which must be present and functioning for management to conclude ICFR is effective. The 2023 COSO ICSR supplement extends these components to sustainability reporting.

What are the 4 pillars of a high-performing SOX program?

The four pillars are risk-based scoping, process and control documentation, consistent control testing, and a strong control environment (tone at the top). Practitioners should treat these as continuously monitored health metrics rather than annual checkpoints. KPMG's 2025 SOX Survey shows leading programs reinforce all four through continuous control monitoring and automation, and weakness in any single pillar — particularly tone at the top — correlates with material weakness recurrence.

What does SOX Section 802 require for record retention?

Section 802 requires companies and their auditors to retain all audit work papers, financial records, and relevant electronic communications (including emails) for a minimum of seven years from the conclusion of the audit or review. Willful destruction, alteration, or falsification carries criminal penalties up to 20 years' imprisonment. Practitioners should map retention policies, legal-hold workflows, and email archive systems to Section 802 and test them as part of ITGC.

What's the difference between a material weakness and a significant deficiency?

A material weakness is a deficiency in ICFR such that there is a reasonable possibility a material misstatement will not be prevented or detected on a timely basis — and it must be disclosed in 10-K/10-Q filings. A significant deficiency is less severe but important enough to merit attention from those charged with governance, and is reported to the audit committee rather than publicly disclosed. Roughly 20-25% of U.S. public companies report at least one material weakness annually, with revenue recognition and ITGCs the most common drivers.

How are PCAOB AS 1000 and AS 1105 changing SOX audit evidence requirements?

AS 1000 (effective December 17, 2024) consolidates the auditor's general responsibilities and reinforces professional skepticism and engagement quality reviews. AS 1105 (effective for fiscal years ending on or after December 15, 2024) raises the bar on the sufficiency and appropriateness of audit evidence, including evidence produced by company information systems. Expect external auditors to demand stronger walkthroughs, independent corroboration, and additional evidence over IPE reports. QC 1000, effective December 15, 2026, will further require firms to file Form QC reports by November 30, 2027.

How should SOX programs integrate cybersecurity and third-party risk?

SOX programs should treat cybersecurity as an ICFR risk by extending ITGC scope to cover access management, change management, and security monitoring for any system processing financially material data. With 97% of organizations experiencing at least one supply chain breach in 2025 (up from 81% in 2024), vendor ITGC reliance must be validated annually, not just at onboarding. Mapping SOX ITGCs to NIST CSF 2.0 and integrating COBIT for IT governance closes the "cyber-SOX blind spot" that Protiviti and others have flagged.

About the authors


Vice Vicente started their career at EY and has spent the past 10 years in the IT compliance, risk management, and cybersecurity space. Vice has served, audited, or consulted for over 120 clients, implementing security and compliance programs and technologies, performing engagements around SOX 404, SOC 1, SOC 2, PCI DSS, and HIPAA, and guiding companies through security and compliance readiness. Connect with Vice on LinkedIn.
