What Is the Sarbanes-Oxley Act? Key Provisions Explained
Authored & Reviewed by: CLFI Team
The Sarbanes-Oxley Act, often shortened to SOX, is the US law that reshaped board accountability, financial reporting, and audit oversight after the Enron and WorldCom collapses. For companies listed on American exchanges, it made internal control over financial reporting a formal management responsibility and attached personal legal consequences to executive certification of published accounts.
Definition:
Sarbanes-Oxley Act
A US federal law that requires listed companies to certify financial reporting, assess internal controls, protect auditor independence, and submit public company audits to PCAOB oversight.
What It Requires
SOX requires US-listed companies to certify financial statements, evaluate internal controls over financial reporting each year, and preserve auditor independence through stronger audit committee oversight.
Why Section 404 Matters
Section 404 turned internal control from a back-office concern into a board-level reporting obligation because management must assess control effectiveness and many issuers must obtain external auditor attestation.
Executive Accountability
Sections 302 and 906 require the CEO and CFO to certify filings personally, which means misleading reports can create criminal exposure as well as regulatory consequences.
Audit Committee Elevation
SOX shifted authority over the external auditor away from management and into an independent audit committee that appoints, compensates, and oversees the audit relationship.
Key Limitation
SOX strengthens reporting process integrity, though it cannot by itself guarantee sound judgement, board quality, or transparent economic substance in every disclosure.
What Is the Sarbanes-Oxley Act?
Enacted on 30 July 2002, the Sarbanes-Oxley Act is a US federal statute for companies listed on American stock exchanges, including foreign private issuers with US listings. Its purpose was to repair a reporting chain that had allowed senior executives to sign off misleading financial statements while audit firms maintained conflicted commercial relationships with the same companies they audited.
The legislation therefore did more than tighten disclosure rules. It reallocated responsibility across management, the board, the audit committee, the external auditor, and the Public Company Accounting Oversight Board, or PCAOB, so that public company reporting would be supported by documented controls, independent challenge, and enforceable accountability.
How the Sarbanes-Oxley Act Works
SOX works through a set of linked provisions that close different points of failure in the reporting process. Section 302 requires the CEO and CFO to certify quarterly and annual filings personally, which turns the fairness of published accounts into a direct executive responsibility rather than a delegated technical matter. Section 906 reinforces that obligation by attaching criminal penalties to wilfully misleading certifications.
Section 404 is the provision that most clearly changed corporate practice because it requires management to assess internal control over financial reporting each year against a recognised framework, usually COSO. For large accelerated filers, the external auditor must also attest to management’s assessment, which adds an independent layer of assurance around the controls that support reported numbers.
The law also altered information flow to the market. Section 409 requires material changes in financial condition to be disclosed on a rapid and current basis, now reflected in the Form 8-K reporting timetable. At board level, SOX strengthened the role of the audit committee by making it directly responsible for the appointment, compensation, and oversight of the external auditor, which reduces management’s control over the assurance function.
Real-World Example
WorldCom’s accounting fraud, later revised to roughly $11 billion of earnings overstatement, illustrates why SOX was designed as a structural reform rather than a disclosure update. Internal audit reported into the finance hierarchy, board scrutiny was weak, and the auditor lacked a framework that forced a rigorous examination of internal control over financial reporting.
Under the post-SOX model, each of those weak points is addressed by a specific countermeasure. Executive certification creates personal exposure for misleading filings, Section 404 requires formal control assessment, and audit committee authority reduces the chance that management can dominate the audit relationship. That does not mean SOX eliminates fraud, though it does make responsibility clearer and failure harder to conceal.
Key Considerations and Limitations
SOX is demanding by design, and the cost of compliance has historically weighed more heavily on smaller issuers than on large companies with mature finance functions. That is why the SEC retained management’s control assessment requirement for smaller reporting companies while easing the external auditor attestation burden in that part of the market.
The deeper limitation is conceptual. SOX governs whether the reporting process is documented, tested, supervised, and certified, but governance quality also depends on board judgement, willingness to challenge management, and the ability to interpret economic substance rather than technical form. A company can therefore satisfy SOX requirements while still presenting performance in a way that is formally defensible yet strategically misleading.
For non-US readers, this matters because SOX should be treated as a legally enforced floor for reporting integrity, not as a complete theory of governance. Broader questions about board culture, accountability, and explanation remain central, which is why comparison with the UK Corporate Governance Code is often useful.
Sarbanes-Oxley Act vs the UK Corporate Governance Code
SOX and the UK Corporate Governance Code both address board accountability and reporting integrity, though they do so through very different regulatory philosophies. SOX is rules-based and backed by statute, while the UK Code is principles-based and enforced mainly through investor scrutiny and public explanation.
| Dimension | Sarbanes-Oxley Act | UK Corporate Governance Code |
|---|---|---|
| Jurisdiction | US-listed companies, including foreign private issuers | UK premium-listed companies |
| Regulatory basis | Prescriptive statute with legal obligations | Principles-based code using comply or explain |
| Enforcement | SEC action, PCAOB oversight, and possible criminal referral | Investor pressure, disclosure expectations, and governance scrutiny |
| Internal controls | Mandatory annual assessment and, for many issuers, auditor attestation | Board responsibility with greater discretion over process design |
| Audit committee role | Independence and authority are mandated by law | Strongly expected, though deviations must be explained rather than automatically prohibited |
The practical difference is that a SOX failure is primarily a statutory problem with regulatory and potentially criminal consequences, while a UK Code departure is primarily a governance problem that must be justified to shareholders. Each model can support strong governance, though they assign accountability along different parts of the reporting chain.
In Practice
For executives, finance leaders, and board members, the enduring importance of SOX lies in the discipline it imposes around evidence, responsibility, and challenge. It requires management to prove that financial reporting is supported by functioning controls, and it gives the audit committee a stronger platform from which to test whether assurance is genuinely independent.
That makes SOX highly relevant to decision-making even outside the United States. The real lesson is that reporting credibility depends on who owns the control environment, who can challenge it, and who carries legal responsibility when it fails. Boards that understand that distinction are better placed to judge whether compliance is merely documented or truly embedded.