Sarbanes-Oxley Act

    The Sarbanes-Oxley Act of 2002 (the ‘SOX Act’) aims, among other things, to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to US securities laws, to reduce the incidence of corporate fraud, and to strengthen the independence and financial literacy of corporate boards. The SOX Act also established the Public Company Accounting Oversight Board (‘PCAOB’) to oversee the accounting industry, and it allows a company’s Chief Executive Officer (‘CEO’) to be held personally responsible for the security, accuracy and reliability of all IT systems used in reporting financial information. In addition, the SOX Act sets out deadlines for compliance and published rules on the requirements companies must meet.

    Last Updated: July 30, 2019

  • Requirements

    Section 206 of the SOX Act relates to conflicts of interest. In particular, it is unlawful for a registered public accounting firm to perform any audit service for an issuer if the issuer’s CEO, controller, chief financial officer, chief accounting officer, or any person serving in an equivalent position, was employed by that registered independent public accounting firm and participated in any capacity in the audit of that issuer during the one-year period preceding the date the audit was initiated.

    Furthermore, according to Section 404 of the SOX Act, companies are required to have an annual, externally performed audit of the internal monitoring and maintenance controls related to the company’s accounting and financials. This audit assesses the effectiveness of all internal controls and reports its findings directly to the Securities and Exchange Commission (‘SEC’).

    Section 802 of the SOX Act provides for penalties regarding companies’ management of electronic records, specifically the destruction, alteration, or falsification of records in federal investigations and bankruptcy:

    • Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under Title 11 of the SOX Act, or in relation to or contemplation of any such matter or case, shall be subject to a fine under the SOX Act, imprisonment for not more than 20 years, or both.

    The PCAOB has issued the following guidance: 

    The Committee of Sponsoring Organisations of the Treadway Commission (‘COSO’) has issued the guidance below. For publicly registered companies in the US that must comply with the SOX Act, the SEC rules require a company’s management to base its evaluation of the effectiveness of its internal control over financial reporting on the following framework. The framework addresses several risk considerations relevant to working with third parties and is relevant when management begins to outline and implement a plan to identify, assess, respond to, and monitor risk.

  • How OneTrust Helps

    OneTrust Vendorpedia simplifies third-party risk management by combining automation with aggregated vendor research to streamline the vendor engagement lifecycle, from onboarding to offboarding. The platform helps organizations conduct faster and more in-depth security and privacy reviews. 

    Vendorpedia is backed by the world’s largest and most up-to-date database of privacy and security laws, frameworks, and standards, which directly power and enrich OneTrust Vendorpedia. Research is generated by 30 in-house security and privacy experts and a network of 500 lawyers across 300 jurisdictions.  



About OneTrust

OneTrust is the #1 most widely used privacy, security and third-party risk technology platform trusted by more than 3,000 companies to comply with the CCPA, GDPR, ISO27001 and hundreds of the world’s privacy and security laws. OneTrust's three primary offerings include OneTrust Privacy Management Software, OneTrust PreferenceChoice™ consent and preference management software, and OneTrust Vendorpedia™ third-party risk management software and vendor risk exchange. To learn more, visit or connect on LinkedIn, Twitter and Facebook.