This article provides an overview of the Sarbanes-Oxley Act.

The United States Sarbanes-Oxley act (SOX) was enacted in 2002 largely as a result of a number of company failures and accounting scandals, the most infamous being Enron. In effect it requires top managers to attest to the efficacy of their internal controls, specifically in relation to the processes and systems involved in generated published financial statements.  Originally, the company’s auditors were required to publish an opinion on management’s assessment of its internal controls, however, this requirement is no longer in place. In fact its original implementation was probably overly strict and in 2007 guidelines were relaxed with the SEC chairman announcing “Congress never intended that the 404 process should become inflexible, burdensome, and wasteful.

The objective of Section 404 is to provide meaningful disclosure to investors about the effectiveness of a company’s internal controls systems, without creating unnecessary compliance burdens or wasting shareholder resources.” Nevertheless SOX remains relevant around the world today as both the preponderance of global US companies and similar legislation enacted by various international regulators means that its impact is remarkably widespread.

SOX 404 covers the IT controls requirements like information security and information integrity – covering all aspects of the IT function. The SOX 404 IT controls originate from the COBIT framework for IT governance and requires organisations to provide annual reporting on policies, processes, procedures and controls with evidence to support effectiveness.

For more information please contact Morland-Austin at