
SOX

Also known as: Sarbanes–Oxley Act · SOX 404

US federal law on financial reporting; Section 404 mandates internal controls over financial reporting (ICFR).

The Sarbanes–Oxley Act of 2002 governs financial reporting for US public companies. Section 404 requires management (404a) and external auditors (404b) to assess and attest to the effectiveness of internal control over financial reporting (ICFR). IT general controls (ITGCs) are typically in scope for any system that materially affects financial reporting.

Why it matters
Once a company files an S-1, SOX readiness is on the critical path to IPO. Material weaknesses delay or kill offerings outright.

Related terms

IT General Controls (ITGC)
Pervasive IT controls supporting reliable processing — access, change management, operations, development.
Segregation of Duties (SoD)
Splitting critical tasks across multiple individuals so no single person can execute fraud or untraceable error.
