Sarbanes-Oxley Act (SOX)

Sarbanes-Oxley Act
CITATION: Codified at various sections of 15 U.S.C. and 18 U.S.C.
ENACTED: 2002
SUMMARY: The Sarbanes-Oxley Act came into force in 2002 and introduced major changes to the regulation of financial practices and corporate governance. SOX also affects a public company’s IT department, which is responsible for storing the corporation’s electronic records. The Act establishes three rules related to IT operations: (1) the first rule deals with destruction, alteration or falsification of records; (2) the second rule defines the retention period for storage of records; and (3) the third rule refers to the type of business records that need to be stored, which covers all business records and communications, including electronic communications. SOX essentially implements IT best practices and requires that adequate controls be put in place. Finally, SOX mandates the involvement of both internal and external auditors as part of the company’s ongoing process to implement reasonable controls.
DATA COVERED: General applicability; financial records of companies
INDUSTRY: This Act applies to all publicly held companies in the U.S. that have more than seventy-five million dollars ($75,000,000) equity market capitalization and that report quarterly to the Securities and Exchange Commission (SEC). It covers financial reporting to the SEC, auditing practices and associated document retention.
PENALTIES: SOX expanded the enforcement authority of the Securities and Exchange Commission (SEC) and created new penalties. The SEC can seek injunctions and temporary “freezes” and can impose monetary penalties. The Act also provides criminal sanctions, with imprisonment for as long as 10 years coupled with large monetary fines. Intentional securities fraud can result in monetary fines and up to 25 years in prison.