The SOX Compliance Requirements You Need To Know in 2021

2021 is well underway, and it’s the best time to stop and review how SOX compliance will affect you and your organization this year. The goal of SOX has been defined as protecting investors by improving the accuracy and reliability of corporate disclosures. For businesses, these requirements intersect with the principles of data security. With such a vast range of expertise involved in compliance, here are a few of the top 2021 SOX requirements to analyze:

Section 302: Corporate Responsibility for Financial Reports
Every public company must file periodic financial statements and the internal control structure with the SEC. Section 302 states that the Chief Executive Officer (CEO) and Chief Financial Officer (CFO) are directly responsible for the accuracy, documentation, and submission of all financial reports and the internal control structure to the SEC. In addition, they are responsible for establishing and maintaining internal SOX controls and must validate those controls within 90 days prior to issuing the report.

Section 404: Management Assessment of Internal Controls
Section 404 is the most complicated, most contested, and most expensive part of all the SOX compliance requirements. It requires that all annual financial reports include an Internal Control Report stating that management is responsible for an “adequate” internal control structure, and an assessment by management of the effectiveness of the control structure.

Any shortcomings must also be reported. In addition, a registered independent auditor must attest to the accuracy of company management's assertion that internal accounting controls and an internal control framework are in place, operational, and effective.

Both management and the external auditor are responsible for performing their assessment in the context of a top-down risk assessment, which requires management to base the scope of its assessment and evidence gathered on risk.

Section 409: Real Time Issuer Disclosures
The essence of Section 409 is that companies are required to disclose, on an almost real-time basis, any material changes in the financial condition or operations. This is designed to protect the interests of investors and the public.

Section 802: Criminal Penalties for Altering Documents
Section 802 imposes penalties of up to 20 years imprisonment for altering, destroying, mutilating, concealing, or falsifying financial records, documents, or tangible objects with the intent to obstruct, impede, or influence legal investigations. Additionally, it imposes penalties of up to 10 years on any accountant, auditor, or other person who knowingly and willfully violates the requirements of maintenance of all audit or review papers for a period of 5 years.

Section 806: Sarbanes Oxley Whistleblower
Section 806 encourages the disclosure of corporate fraud by protecting employees of publicly traded companies or their subsidiaries who report illegal activities. It authorizes the U.S. Department of Labor to protect whistleblower complaints against employers who retaliate and further authorizes the Department of Justice to criminally charge those responsible for the retaliation.

Section 906: Corporate Responsibility for Financial Reports
The criminal penalty for certifying a misleading or fraudulent financial report can be upwards of $5 million in fines and 20 years in prison.

Our team of qualified and client-geared staff at FPV & Galindez can work with any entity to evaluate and improve their internal controls and procedures, including data security and SOX compliance. Learn more by contacting us directly.