Sarbanes-Oxley Act (SOX)
Also known as: Sarbanes-Oxley, SOX
Definition
U.S. federal law from 2002 that imposes governance, internal-control, and reporting requirements on publicly traded companies to protect investors.
The Sarbanes-Oxley Act of 2002 (SOX) was enacted by the U.S. Congress after the Enron and WorldCom scandals to restore confidence in financial reporting. It applies to publicly listed companies in U.S. markets and their auditors, and imposes governance, certification, and internal-control requirements. Section 302 makes executives personally certify financial statements; Section 404 requires management to assess — and external auditors to attest to — the effectiveness of internal control over financial reporting (ICFR). IT general controls (access management, change management, backup, and logging) underpin SOX compliance, and the law is enforced by the SEC and the Public Company Accounting Oversight Board (PCAOB).
Examples
- A NYSE-listed company performing annual SOX 404 testing of ERP application controls.
- An external auditor issuing an opinion on ICFR for a Fortune 500 issuer.
Related terms
Compliance
The discipline of meeting legal, regulatory, contractual, and internal security requirements through documented controls, evidence collection, and ongoing assessment.
COBIT
COBIT — definition coming soon.
ITIL
ITIL — definition coming soon.
Security Controls
Safeguards or countermeasures — technical, administrative, or physical — used to prevent, detect, or respond to threats against information assets.
ISO/IEC 27001
The international standard specifying requirements for an Information Security Management System (ISMS), against which organizations can be formally certified.