In 2002, the Sarbanes-Oxley Act was enacted to curb the corporate scandals that were prevalent at the time. Those scandals exposed large companies such as Enron and WorldCom and led to their collapse. Twenty years later, the act still holds businesses and CEOs personally accountable for wrongdoing by the people they hire under them with regard to accounting audits.

Under SOX rules, these executives face jail time if found guilty of criminal fraud against the company or its investors, even after retiring from the position and even without knowledge of what went wrong on their watch. Since the law took effect, countless organizations report that their compliance work has greatly improved their internal controls. If you are someone who must undergo a SOX audit, here is what you can expect throughout the process.

Does Your Company Need a SOX Audit?

If you and your company are debating whether a SOX audit is needed, here are the businesses that are required to complete one according to the Sarbanes-Oxley Act.

  • All publicly traded companies in the United States
  • All private companies that are beginning to prepare for their initial public offering, also known as an IPO
  • All publicly traded companies that are not in the United States but still work with businesses in the United States
  • All wholly-owned subsidiary companies

A SOX compliance audit most likely applies to all companies, private and public, large and small. This type of audit is now required by federal law and analyzes and verifies all areas of the business in question.

Before a SOX Audit Begins

Before an audit such as this can begin, a company must take responsibility for hiring an independent auditor. The auditor must have no internal links to the company and must be entirely separate from it. This ensures there is no bias and that the audit about to take place will be impartial. Companies can of course research extensively to find the right firm to work with, but in the end they must choose an unbiased candidate.

What Does a SOX Audit Entail?

After an organization has hired an unbiased and independent auditor, a planning meeting is scheduled. Business management and the auditing firm get together to discuss the specifics of the audit: when it will take place, what will be examined, and what results are expected. The auditor may also interview randomly selected staff to check whether their daily duties match their job descriptions.

An Audit for Internal Controls

Section 404 is the largest and most important part of a SOX compliance audit and is always examined. It deals with the assessment of internal controls and covers four major categories that encompass all of a company's IT assets. The four categories are listed below.

  1. Access: This category covers the physical and electronic controls that deny employees and administrators without the proper credentials access to sensitive information. Servers and data centers are typically kept in secure locations, protected by strong passwords and lengthy login screens that keep out anyone who does not have access.
  2. Security: All computers, network hardware, and other devices that financial data passes through must have protections in place against a breach. If a breach does occur, these systems need to get to the root of the issue and identify who was trying to access the information.
  3. Change Management: This covers the process for adding new users and for any company-wide software updates that are needed. When new software is added or database changes occur, they must be recorded.
  4. Backup Procedure: All backups of sensitive data, including data held by third parties and off-site, must be properly secured and backed up in case of an emergency.

Sections That Should Be Highlighted

The Sarbanes-Oxley Act contains countless different provisions, from business finances to corporate responsibility. In all, the act runs to around 66 pages, but those scheduled to undergo an audit should familiarize themselves with the few important sections below.

Section 302

This section deals with corporate responsibility for financial reports: the CEO and CFO must be able to provide accurate documentation of the business's financial reports. It covers the disclosure controls and procedures needed for the CEO and CFO to certify that they are fully and personally responsible for establishing and maintaining disclosure controls within the company.

Section 401

Section 401 has two parts. The first covers disclosures in public records and financial reports, which must be prepared in accordance with accounting standards. The second requires all companies to keep a report of any off-balance-sheet disclosures. This ensures that the business is meeting all required accounting standards.

Section 404

Section 404, the most costly to comply with, requires management as well as the auditor to report on the accuracy and adequacy of the company's internal controls over financial reporting. It states that each company must include an internal control report as part of its Exchange Act report.

Many businesses that have undergone a SOX audit say it was worth it in the long run. Since 2002, the act has affected all companies as well as the accounting industry, and it will continue to do so. For businesses heading toward a SOX audit, knowing what to expect and how to begin preparing is very important. More information about the Sarbanes-Oxley Act, including the full text of the act, can be found online.