Understanding SOX Requirements and Managing Compliance
November 11, 2021

What Is SOX Compliance?

The Sarbanes-Oxley (SOX) Act was passed in 2002. It was established for the purpose of protecting the public from fraudulent and incorrect financial statements. The SOX Act helps increase the transparency of financial reporting.  

SOX compliance requires corporations to establish formalized control over their financial reporting processes. Companies often strive for SOX Compliance due to the legal consequences of failing at audit, but at the same time SOX Compliance enforces good business practices that promote ethical business conduct and can prevent fraud, theft, and improper accounting practices. Additionally, SOX financial security controls include common data security practices  that can help corporations defend against data theft. 

In this article:

The information provided in this article and elsewhere on this website is meant purely for educational discussion and contains only general information about legal, commercial and other matters. It is not legal advice and should not be treated as such.  Information on this website may not constitute the most up-to-date legal or other information.

The information in this article is provided “as is” without any representations or warranties, express or implied. We make no representations or warranties in relation to the information in this article and all liability with respect to actions taken or not taken based on the contents of this article are hereby expressly disclaimed.

You must not rely on the information in this article as an alternative to legal advice from your attorney or other professional legal services provider. If you have any specific questions about any legal matter you should consult your attorney or other professional legal services provider.

This article may contain links to other third-party websites.  Such links are only for the convenience of the reader, user or browser; we do not recommend or endorse the contents of any third-party sites.

What Are the Main SOX Requirements?

Each of the Titles of SOX are further broken down into “Sections.” We’ll focus on eight sections that are especially important for SOX compliance.

SOX Act Section 302

Section 302 requires that the principal executive officer and the chief financial officer (CFO) sign and review all annual and quarterly reports that testify to SOX compliance. They are required to certify that all information included in the report is true and represents the financial status of the company—to the best of their knowledge. 

Here are several practices these principals are required to follow:

  • Establish and maintain internal controls—the executives responsible must set up a system in place, designed to protect financial information, determine privileged access, track potential threats, catalogue change history, and identify security weaknesses.
  • Maintain transparency among personnel—the organization is required to set up “such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities.”
  • Regularly assess the controls—the organization must have the ability to prove that they evaluated the effectiveness of controls during the past 90 days.
  • Provide reports—compliance reports must document the evaluation of controls, mention system weaknesses, and accurately assess the overall efficacy.

Section 302 requires senior-level executives and financial officers to ensure the security of all financial data. They must stay informed and honestly represent the state of the company’s finances as well as the state of security systems to SOX auditors.

SOX Act Section 401

Section 401 requires that all financial information in public reports submitted to the SEC will not contain untrue statements or omissions of material facts. This information must comply with Generally Accepted Accounting Principles (GAAP), and include all material off-balance sheet transactions.

SOX Act Section 404

Section 404 requires management to produce a report of internal controls on financial reporting (ICFR), as part of its annual Exchange Act report. External auditors must verify the adequacy of these internal controls. The report must:

  • Declare responsibility by management for establishing a control structure
  • Describe the internal control structure and procedures for accurate financial reporting
  • Assess how effective are the company’s internal controls and procedures

Section 404 is widely considered the most time consuming and expensive of the SOX requirements. It requires an enormous effort by organizations, because they must document and test every one of a large number of controls in place across the organization. Automation of this process is critical, and can reduce manual labor and ensure more reliable and extensive testing.

To make compliance easier, many companies use control frameworks such as COBIT or COSO (described in the following section). In addition, Auditing Standard No. 5 was introduced by the Public Company Accounting Oversight Board (PCAOB)—it describes a process for internal controls assessment, based on a top-down assessment of risk which provides more discretion for managers. 

Controls testing usually involves the following steps:

  • Evaluating design and effectiveness of internal controls (focusing on controls related to significant elements of financial reporting)
  • Understanding how processes and transactions work, and identifying where a financial misstatement could happen
  • Assess the risk of fraud and the adequacy of relevant controls
  • Specifically assess controls that can verify the accuracy of periodic financial reporting
  • Identify the level of competency, risk, and objectivity of management in their treatment of controls
  • Combine all the preceding elements to provide a final evaluation, stating how adequate are controls over financial reporting

Learn more in our detailed guide to SOX internal controls

SOX Act Section 409

Section 409 states: “Issuers are required to disclose to the public, on an urgent basis, information on material changes in their financial condition or operations. These disclosures are to be presented in terms that are easy to understand and supported by trend and qualitative information of graphic presentations as appropriate.” 

This requirement can force corporations to disclose things they might not otherwise wish to publicize. For example, the fact that a data breach or a cyberattack happened, what data was accessed, and how it impacted operations.

SOX Act Section 802

Section 802 of the SOX act focuses primarily on record retention. This especially applies to bookkeeping and accounting records. 

The IT department is responsible for recording all information, including spreadsheets, instant messages, emails, recorded calls, and other data related to financial matters, all financial transactions, and any information about use of company resources. This information must be preserved and made available to SOX auditors for a duration of at least five years. The information should also be backed up and archived in the case of any data loss. 

SOX Act Section 806

Section 806 protects whistleblowers from the company’s retaliation. It defines whistleblower conduct as protected if the employee suspects and reports violations of federal law such as:

  • Fraud relating to federal mail, securities, bank or wire transfers
  • Fraud against shareholders
  • Violation of the Securities and Exchange Commission (SEC) rules or regulations 

These protections apply to contractors and employees of a publicly traded company (or its subsidiary), and to persons that have a nationally recognized statistical ratings organization (NRSRO).

This section stipulates that individuals may be subject to criminal charges if they retaliate against a protected whistleblower.

SOX Act Section 902

Section 902 states: “any person who attempts or conspires to commit any offense under this chapter shall be subject to the same penalties as those prescribed for the offense, the commissions of which was the object of the attempt or conspiracy.” It means that executives who violate SOX requirements in a fraudulent manner are subject to fraud penalties such as fines and jail time.

SOX Act Section 906

Section 906 defines penalties, which may be of interest to the executives of publicly traded companies. The penalties for approving false or misleading financial reports can be up to $5 million in fines and up to 20 years in prison. The company’s CFO and CEO must present a written statement certifying that periodic financial statements are fully compliant with the 1934 Securities Exchange Act (sections 13a and 15d), that they are accurate and adequately reflect the company’s financial state.

Complying with SOX Requirements Using the COBIT and COSO Frameworks

SOX compliance is often organized using a formalized framework, which helps companies manage and oversee controls. The major frameworks used for SOX auditing are the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework and the Control Objectives for Information and Related Technology (COBIT) framework.

Related content: Read our guide to SOX compliance checklist (coming soon)


The COSO Internal Control / Integrated Framework focuses on five internal control components:

  • Environment
  • Risk
  • Activity
  • Information and communication
  • Monitoring

COSO’s document (last updated 2013) defines 17 principles that can help organizations manage the processes by which they set up and maintain internal control, including their design, implementation, monitoring and assessment. 

Though not exclusive to SOX, the COSO framework supports SOX compliance, and helps organizations protect data (such as financial data) from tampering. Auditors commonly map COSO principles to controls to ensure they meet SOX requirements. 

COSO also offers the Enterprise Risk Management / Integrated Framework (last updated in 2017).


The COBIT framework was developed by the Information Systems Audit and Control Association (ISACA). It is a more complex framework, addressing 37 principles focused on achieving governance and compliance, taking a dynamic approach that can address changing business requirements, organizational structures and compliance requirements.

Most organizations have data that moves between various IT systems and groups and ends up in financial reports. According to Section 404 of the SOX Act, CEOs and CFOs are held personally responsible for the content of these reports. This requires executives to be confident in the controls processes relating both to accounting and to databases and IT systems. 

COBIT 2019 (formerly COBIT 5) provides a matrix of general controls to help implement IT governance. Auditors can apply the IT control objectives of COBIT to their SOX compliance audits.

Automating SOX Compliance with Pathlock

Preparing for a SOX audit can be a stressful, expensive, and time consuming process, but it doesn’t have to be. Pathlock provides an automated, real-time solution to proving compliance with your internal controls for SOX. Continuous controls monitoring can ensure that you are always tracking towards compliance, so there are no major surprises when the audit season comes around. 

In today’s modern enterprise, nearly 100% of the financially relevant activity happens in modern applications like SAP, Oracle, Workday, and NetSuite. Furthermore, up to 10 financially relevant applications may be in play just to support the standard order to cash and procure to pay processes.  By connecting directly into your business applications, Pathlock can automatically monitor activity in these applications to surface any violations to controls, and pinpoint and quantify the financial impact of any risks.  Internal and external auditors alike trust Pathlock’s reports to prove control enforcement and compliance with regulations.

Financial Impact Prioritization

Pathlock automatically prioritizes your most critical violations by quantifying access risk by tying violations to real dollar amounts of the out-of-policy transactions

Comprehensive Rulebook

Pathlock’s catalog of over 500+ rules, Pathlock can provide out-of-the-box coverage for controls related to SOX, GDPR, CCPA, HIPAA, NIST, and other leading compliance frameworks. 

Real-time Access Mitigation

Pathlock allows user to quickly investigate and respond to potential risky transactions by reviewing access, deprovisioning users, forcing 2FA, or even allowing Pathlock to respond intelligently in real-time, terminating suspicious sessions and blocking transactions in real time

Out-of-the-Box Integrations

Pathlock’s out of-the-box integrations extend workflows to the provisioning and service desk tools you already have in place such as ServiceNow, SailPoint, Okta, Azure AD, SAP GRC, and more

Lateral SOD Correlation

All entitlements and roles are correlated across a user’s behavior, consolidating activities and translating cross application SOD’s between financially relevant applications

Continuous Control Monitoring

Pathlock identifies the largest risks by monitoring 100% of financial transactions from applications like SAP in real-time, surfacing violations for remediation and investigation

Learn more about Pathlock SOX compliance automation