What is the Sarbanes-Oxley (SOX) Act of 2002?

The U.S. Congress passed the Sarbanes-Oxley Act of 2002 on July 30 of that year to help protect investors from fraudulent financial reporting by corporations. Also known as the SOX Act of 2002 and the Corporate Responsibility Act of 2002, it mandated strict reforms to existing securities regulations and imposed tough new penalties on lawbreakers.

The Sarbanes-Oxley Act of 2002 came in response to financial scandals in the early 2000s involving publicly traded companies such as Enron Corporation, Tyco International plc, and WorldCom. The high-profile frauds shook investor confidence in the trustworthiness of corporate financial statements and led many to demand an overhaul of decades-old regulatory standards.

Key Takeaways

  • The Sarbanes-Oxley (SOX) Act of 2002 came in response to highly publicized corporate financial scandals earlier that decade.
  • The act created strict new rules for accountants, auditors, and corporate officers and imposed more stringent recordkeeping requirements.
  • The act also added new criminal penalties for violating securities laws.


The act took its name from its two sponsors—Sen. Paul S. Sarbanes (D-Md.) and Rep. Michael G. Oxley (R-Ohio).

1:44

Sarbanes-Oxley Act Of 2002 – SOX

Understanding the Sarbanes-Oxley (SOX) Act

The rules and enforcement policies outlined in the Sarbanes-Oxley Act of 2002 amended or supplemented existing laws dealing with security regulation, including the Securities Exchange Act of 1934 and other laws enforced by the Securities and Exchange Commission (SEC). The new law set out reforms and additions in four principal areas:

  1. Corporate responsibility
  2. Increased criminal punishment
  3. Accounting regulation
  4. New protections

Major Provisions of the Sarbanes-Oxley (SOX) Act of 2002

The Sarbanes-Oxley Act of 2002 is a complex and lengthy piece of legislation. Three of its key provisions are commonly referred to by their section numbers: Section 302, Section 404, and Section 802.

Because of the Sarbanes-Oxley Act of 2002, corporate officers who knowingly certify false financial statements can go to prison.

Section 302 of the SOX Act of 2002 mandates that senior corporate officers personally certify in writing that the company's financial statements "comply with SEC disclosure requirements and fairly present in all material aspects the operations and financial condition of the issuer." Officers who sign off on financial statements that they know to be inaccurate are subject to criminal penalties, including prison terms.

Section 404 of the SOX Act of 2002 requires that management and auditors establish internal controls and reporting methods to ensure the adequacy of those controls. Some critics of the law have complained that the requirements in Section 404 can have a negative impact on publicly traded companies because it's often expensive to establish and maintain the necessary internal controls.

Section 802 of the SOX Act of 2002 contains the three rules that affect recordkeeping. The first deals with destruction and falsification of records. The second strictly defines the retention period for storing records. The third rule outlines the specific business records that companies need to store, which includes electronic communications.

Besides the financial side of a business, such as audits, accuracy and controls, the SOX Act of 2002 also outlines requirements for information technology (IT) departments regarding electronic records. The act does not specify a set of business practices in this regard, but instead defines which company records need to be kept on file and for how long. The standards outlined in the SOX Act of 2002 do not specify how a business should store its records, just that it's the company IT department's responsibility to store them.