Sarbanes-Oxley: Protecting Stocks and Stopping Scandals


by John Kulas, Bridge360 Software Security Analyst

In my previous blog, we began a discussion on technology-related compliance standards, why we have them, how they work and the specific ways in which they protect us. I introduced the Payment Card Industry Data Security Standard (PCI-DSS) as one of the most well-known and widely applied standards in the U.S. economy.

Another major standard that many larger companies must comply with is the Sarbanes–Oxley Act of 2002, more commonly known as “SOX” (pronounced “socks”). Let’s talk more about SOX, because it has made some pretty big news over the last decade.

The Sarbanes-Oxley Act: Fighting Fraud

Congress enacted Sarbanes-Oxley, or SOX, on July 29, 2002. SOX bears the names of its sponsors at the time: U.S. Senator Paul Sarbanes and U.S. Representative Michael G. Oxley. SOX was written in response to the ENRON financial scandal in which the ENRON stock price was artificially inflated based on fraudulent financial reports published by ENRON, then the 7th largest corporation in the country. ENRON reported increases in earnings quarter after quarter, yet by the end of 2001, it was declared bankrupt. There were other similar scandals around the same time, involving companies named Tyco International, Adelphia, Peregrine Systems and WorldCom.

In an interview with InsideCounsel, former Senator Paul Sarbanes said, “The U.S. capital markets are an important asset, but they rely very much on this worldwide reputation for fairness, honesty and integrity.”

Characterized by former President Bush as “the most far reaching reforms of American business practices since the time of Franklin Delano Roosevelt,” SOX introduced major changes to the financial practices and governance of organizations large and small. It also set deadlines for compliance. Of SOX’s 11 titles, the most important sections as far as compliance is concerned are often considered to be 302, 401, 404, 409, 802, and 906.

In order to restore some faith in the stock market, SOX was written to provide assurances that published financial reports would be accurate. The “assurance” came with two enforcement mechanisms:

1) Failure to obtain SOX certification by a third-party audit firm meant the company’s stock would be delisted from the stock exchanges.

  • This would cause huge damage to the public reputation of the company and probably impede its business actions
  • Companies often sell stock in order to raise money to expand their business, so being unable to sell stock may impede business actions

2) A fraudulent SOX certification can bring criminal penalties for the chief executive officer (“CEO”) and chief financial officer (“CFO”). The responsibility for these criminal penalties cannot be delegated or handed off to subordinates, particularly the jail time penalty. The CEO and CFO each can be

  • personally fined up to one million dollars ($1,000,000) and/or
  • personally imprisoned for up to ten (10) years

So we need SOX to protect the stock market and hopefully prevent ENRON-like scandals. Even if you personally do not buy or sell stock, your 401(k) retirement plan(s) most likely are invested in the stock market. If you have a pension plan, it is most likely invested in the stock market as well. For more information on Sarbanes-Oxley compliance, visit

This is the second of a three-part series on compliance presented by John Kulas, a software security analyst for Bridge360. John is a Certified Information Systems Auditor with over a dozen years’ experience across at least a dozen companies. His technical background includes 23 years at IBM. Today, he assists Bridge360 client Xerox/ACS in meeting compliance standards, and enjoys helping non-technical business people understand compliance requirements.

Author: bridge360blog

Software Changes Everything.... Bridge360 improves and develops custom application software. We specialize in solving complex problems at every phase of the software development lifecycle, removing roadblocks to help our clients’ software and applications reach their full potential in any market. The Bridge360 customer base includes software companies and world technology leaders, leading system integrators, federal and state government agencies, and small to enterprise businesses across the globe. Clients spanning industries from legal to healthcare, automotive to energy, and high tech to high fashion count on us to clear a path for success. Bridge360 was founded in 2001 (as Austin Test) and is headquartered in Austin, Texas with offices in Beijing, China.
