:max_bytes(150000):strip_icc()/Sarbanes-Oxley-V3-38f2829eee11440289b7ffeed192f342.jpg)
Will Kenton is an expert on the economy and investing laws and regulations. He previously held senior editorial roles at Investopedia and Kapitall Wire and holds a MA in Economics from The New School for Social Research and Doctor of Philosophy in English literature from NYU.
Updated June 27, 2024 Fact checked by Fact checked by Ryan EichlerRyan Eichler holds a B.S.B.A with a concentration in Finance from Boston University. He has held positions in, and has deep experience with, expense auditing, personal finance, real estate, as well as fact checking & editing.
The Sarbanes-Oxley Act of 2002 is a law the U.S. Congress passed on July 30 of that year to help protect investors from fraudulent financial reporting by corporations. Also known as the SOX Act of 2002, it mandated strict reforms to existing securities regulations and imposed tough new penalties on lawbreakers.
The Sarbanes-Oxley Act of 2002 came in response to financial scandals in the early 2000s involving publicly traded companies such as Enron Corporation, Tyco International plc, and WorldCom. The high-profile frauds shook investor confidence in the trustworthiness of corporate financial statements and led many to demand an overhaul of decades-old regulatory standards.
The act took its name from its two sponsors—Sen. Paul S. Sarbanes (D-Md.) and Rep. Michael G. Oxley (R-Ohio).
The rules and enforcement policies outlined in the Sarbanes-Oxley Act of 2002 amended or supplemented existing laws dealing with security regulation, including the Securities Exchange Act of 1934 and other laws enforced by the Securities and Exchange Commission (SEC). The new law set out reforms and additions in four principal areas:
The Sarbanes-Oxley Act of 2002 is a complex and lengthy piece of legislation. Three of its key provisions are commonly referred to by their section numbers: Section 302, Section 404, and Section 802.
Because of the Sarbanes-Oxley Act of 2002, corporate officers who knowingly certify false financial statements can go to prison.
Section 302 of the SOX Act of 2002 mandates that senior corporate officers personally certify in writing that the company's financial statements comply with SEC disclosure requirements and "fairly present in all material respects the financial condition and results of operations of the issuer" at the time of the financial report. Officers who sign off on financial statements that they know to be inaccurate are subject to criminal penalties, including prison terms.
Section 404 of the SOX Act of 2002 requires that management and auditors establish internal controls and reporting methods to ensure the adequacy of those controls. Some critics of the law have complained that the requirements in Section 404 can have a negative impact on publicly traded companies because it's often expensive to establish and maintain the necessary internal controls.
Section 802 of the SOX Act of 2002 contains the three rules that affect recordkeeping. The first deals with destruction and falsification of records. The second strictly defines the retention period for storing records. The third rule outlines the specific business records that companies need to store, which includes electronic communications.
Besides the financial side of a business, such as audits, accuracy, and controls, the SOX Act of 2002 also outlines requirements for information technology (IT) departments regarding electronic records. The act does not specify a set of business practices in this regard but instead defines which company records need to be kept on file and for how long. The standards outlined in the SOX Act of 2002 do not specify how a business should store its records, just that it's the company IT department's responsibility to store them.
