What Are SOX Compliance Requirements, and What Does Best Practice Look Like?

Kezia Farnham

SOX compliance requirements are front-of-mind for any public US business today. With stringent requirements and severe penalties — including the threat of jail for non-compliant CEOs and CFOs — it’s no surprise that compliance with SOX is a priority.


What Are SOX Compliance Requirements?

SOX is lengthy legislation with numerous requirements.

Some key provisions are therefore frequently singled out. What are Sarbanes-Oxley’s most essential requirements? Generally, the areas that the C-suite, legal and technical staff most need to familiarize themselves with and comply with are:

  • Section 302. This mandates that senior corporate officers must personally certify in writing that the company’s financial statements meet SEC disclosure requirements and are “fairly present in all material aspects the operations and financial condition of the issuer.”
  • Section 401. This two-part section states that disclosures in public financial reports must be prepared in accordance with accounting standards and that companies must keep reports of any off-balance-sheet disclosures to ensure that they are meeting the same standards.
  • Section 404. This requires company management and auditors to establish adequate internal controls and reporting methods that ensure these controls are sufficient.
  • Section 802. This relates to record-keeping, with three rules governing destruction and falsification of records, the retention period for records, and details of the records companies need to store for SOX compliance.


Who Needs to Comply With SOX?

Any company that is listed on the New York Stock Exchange needs to comply with SOX — whether a US or foreign company. Any company planning to go public should therefore make SOX compliance requirements a consideration in their pre-IPO preparation.

And with other jurisdictions such as the UK planning to introduce their own SOX-equivalent legislation, it’s not just companies listed in the US that should be alive to the requirements of Sarbanes-Oxley.

Accounting and auditing firms are also required to meet SOX compliance requirements. Generally, private companies, charities and non-profit organizations do not have to comply with SOX in its entirety. However, several SOX compliance requirements (for instance, the rules around falsifying or destroying financial records) also apply to private companies.


SOX IT Compliance Requirements

SOX compliance requirements do not just affect a business’s financial department, accountants and auditors. They also fundamentally affect the IT department, because SOX makes a company’s IT department responsible for storing the business’s electronic records.

Section 404, described above, is the provision that relates directly to the IT department. It is also seen as “the most intensive part of a SOX audit,” covering:

  • Access: The physical and electronic controls that prevent users without the proper credentials from having access to sensitive information
  • Security: Ensuring that proper controls for computers, network hardware and other devices that financial data passes through are in place to prevent breaches
  • Change management: The process for establishing new users and updating software, the records relating to this process and an audit trail of changes made
  • Backup: Ensuring the business has a watertight system with the capacity to restore sensitive data


A key aspect of SOX compliance is the yearly audit. SOX mandates that companies complete an annual audit carried out by an external, independent auditor to verify the organization’s financial statements. The auditor will compare current and past financial statements. Additionally, they will be checking that the business has sufficient compliance controls, which ensure SOX compliance standards are maintained.

Companies can prepare for a SOX compliance audit by ensuring their reporting and internal auditing processes are up to date and working correctly.


SOX Compliance Best Practices

In 2021, SOX compliance costs rose for most companies, and the time spent on SOX compliance requirements increased across the board. With SOX compliance a costly and resource-intensive exercise, it’s no wonder organizations are looking to best practices to make SOX compliance more streamlined and efficient.

Implementing these best practices doesn’t just help with your business’s legal obligations around SOX. Increasing the robustness of your financial security controls can also help reduce risks such as data theft or cyberattack, recognized as one of the critical business risks for 2022.


What Are Best Practices in SOX Compliance?

It’s worth looking at best practices across some of the core elements of SOX compliance. If you want to meet best practice standards, your organization will want to:

  1. Move from manual processes to automation. Capturing data via spreadsheets, shared documents and other ad-hoc methods not only makes your approach more costly and time-consuming, but also reduces its effectiveness and accuracy.
  2. In doing so, integrate your risk and control processes. Creating consistent definitions, assessments and testing approaches makes your audit process more consistent and robust. Explore whether there are SOX reporting templates or frameworks that can help to bring consistency and rigor.
  3. Build a SOX compliance requirements checklist. Your SOX compliance checklist should cover all the aspects of:
     • Your annual audit
     • Ensuring that you follow the right processes for appointing an auditor
     • Capturing the data needed
     • Reporting on it in the required way
     • Keeping records in a way that creates a compliant audit trail
  4. Continuously measure and test your processes and outputs to ensure you take the best approach to SOX compliance.


Are There New SOX Compliance Requirements for 2022?

While there are no changes to SOX compliance requirements in 2022, the need for companies to complete an annual audit means that compliance and finance teams must maintain rigor around their financial controls and processes every year.


Ensure a Robust Approach to SOX Compliance Requirements in 2022

Having confidence in your controls, testing and oversight is key to meeting your SOX compliance obligations. Creating a robust control environment not only gives you the assurance that your financial reporting and processes are compliant, but also smooths your relationship with external auditors by enhancing your ability to deliver the data and evidence they need.

Leveraging technology to make SOX compliance more consistent, efficient and reliable will bring your audit processes up to date, ensuring you follow best practices for SOX compliance.

Find out more about how Diligent can help support modern audit approaches for today’s businesses and help your organization meet its SOX compliance requirements.


Kezia Farnham is the Content Strategy Manager at Diligent. She's a University of the Arts London graduate who has enjoyed over seven years working across journalism, public relations and digital marketing, with a special focus on SEO and CRO in the B2B SaaS sector.

Kezia is passionate about helping governance professionals find the right information at the right time.