SOX Compliance: The Sarbanes-Oxley Act explained
What organisations need to know about the Sarbanes-Oxley Act (SOX), its whistleblowing requirements, and how to build compliant internal reporting systems.

What is SOX compliance?
The Sarbanes-Oxley Act (SOX) is a United States federal law enacted in 2002 in response to major corporate accounting scandals, including Enron and WorldCom. It establishes standards for financial reporting, internal controls, and corporate governance for publicly traded companies and their auditors. SOX compliance means meeting the requirements set out in the Act, which covers everything from financial disclosure obligations to the protection of employees who report fraud.
While SOX is US law, its reach extends beyond American borders. Any company listed on a US stock exchange — regardless of where it is headquartered — must comply. This makes SOX a significant compliance obligation for European organisations with US listings, as well as subsidiaries of US-listed parent companies operating in the EU.
Who does SOX apply to?
SOX applies to all companies publicly traded on US stock exchanges, including non-US companies with American Depositary Receipts (ADRs) listed in the US. It also applies to the accounting firms that audit these companies. Private companies are generally exempt, though they may choose to align with SOX principles as a governance best practice, particularly if they are considering a future IPO.
Key parties covered include the company's board of directors and senior management, chief executive officers and chief financial officers (who must personally certify financial statements), internal and external auditors, and any employee who handles financial reporting or has access to material non-public information.
Key requirements of the Sarbanes-Oxley Act
Section 302 — Corporate responsibility for financial reports
CEOs and CFOs must personally certify the accuracy of financial statements filed with the SEC. They are required to confirm that they have reviewed the reports, that the reports do not contain materially misleading statements, and that the financial statements fairly represent the company's financial condition. Personal liability attaches to this certification — knowingly signing a false certification carries criminal penalties.
Section 404 — Internal controls over financial reporting
This is the most operationally demanding provision of SOX. Companies must establish, document, test, and report on their internal controls over financial reporting (ICFR). An independent auditor must also attest to the effectiveness of those controls. For most organisations, Section 404 compliance requires significant investment in internal audit infrastructure and process documentation.
Section 806 — Whistleblower protections
Section 806 prohibits publicly traded companies from retaliating against employees who report suspected violations of securities laws, SEC rules, or any provision of federal law relating to fraud against shareholders. Protected disclosures include reports made to a supervisor, to a member of the board, or to a federal regulatory authority.
Employees who experience retaliation can file a complaint with the Occupational Safety and Health Administration (OSHA). If OSHA does not act within 180 days, the employee may bring an action in federal district court. Remedies include reinstatement, back pay, and compensation for legal fees. The statute of limitations for filing a complaint is 180 days from the date of the retaliatory act.
To support whistleblowing under Section 806, SOX requires companies to establish confidential, anonymous mechanisms for employees to submit concerns regarding accounting, internal controls, or auditing matters. This requirement is typically fulfilled through an ethics hotline or a dedicated whistleblowing software platform.
Section 1107 — Criminal penalties for retaliation
Section 1107 makes it a federal crime to knowingly take any retaliatory action against a person who provides truthful information to law enforcement relating to a possible federal offence. Penalties include fines and imprisonment of up to ten years.
SOX and the EU: what European organisations need to know
For organisations operating in both the EU and the US, SOX compliance intersects with the EU Whistleblowing Directive in important ways. Both frameworks require confidential internal reporting channels and prohibit retaliation against reporters. However, there are meaningful differences in scope, process requirements, and the categories of conduct that trigger protection.
SOX is focused specifically on financial fraud and securities violations, while the EU directive covers a much broader range of EU law breaches. SOX applies only to publicly traded companies and their subsidiaries; the EU directive applies to any organisation with 50 or more employees. SOX requires audit committee oversight of the reporting channel; the EU directive requires designated follow-up persons and documented timelines for acknowledgment and feedback.
Organisations subject to both regimes will generally find that a single robust whistleblowing infrastructure can satisfy the core requirements of each, provided it is properly configured and documented. The key is ensuring the system supports anonymous reporting, maintains strict confidentiality, documents every step of the case lifecycle, and prevents any form of retaliation.
SOX whistleblowing requirements: what your reporting channel must support
To comply with SOX Section 806, your internal reporting channel must meet the following minimum standards:
- Confidentiality: Employees must be able to submit concerns without their identity being disclosed to anyone not involved in the investigation.
- Anonymity: The system must allow for anonymous submissions where employees choose not to identify themselves.
- Audit committee oversight: Reports relating to accounting, internal controls, and auditing must be routable to the audit committee, not just line management.
- Non-retaliation commitment: Your whistleblowing policy must explicitly prohibit retaliation and communicate this commitment clearly to all employees.
- Accessibility: The channel must be available to every employee, including those at international subsidiaries covered by the Act.
For a broader view of what a compliant reporting program looks like in practice, read our guide to the 5 conditions of effective whistleblowing and our guide to building a whistleblowing policy.
Penalties for non-compliance
The consequences of SOX non-compliance are severe. Criminal penalties for executives who certify false financial statements include fines of up to USD 5 million and imprisonment of up to 20 years. Companies that wilfully fail to maintain required records face fines and potential delisting from US exchanges. Retaliation against whistleblowers carries both civil liability and criminal penalties under Sections 806 and 1107 respectively.
Beyond legal risk, non-compliance damages trust with investors, auditors, and regulators — the very stakeholders whose confidence underpins a public company's market position.
How SpeakUp supports SOX compliance
SpeakUp's whistleblowing platform is designed to help organisations meet the internal reporting channel requirements of both SOX and the EU Whistleblowing Directive. The platform provides fully anonymous reporting across web, app, and phone channels; end-to-end encryption and strict access controls to protect reporter identity; a documented case management workflow that creates an auditable record of every report and action taken; configurable routing so that financial fraud and audit concerns can be directed to the appropriate oversight body; and 75+ language support to cover multinational workforces.
SpeakUp is audited quarterly to ISAE 3000 Type II standards, providing the independent assurance that SOX's audit committee oversight requirements demand.
Frequently asked questions
Does SOX apply to non-US companies?
Yes. Any company listed on a US stock exchange must comply with SOX, regardless of where it is incorporated or headquartered. This includes European companies with US listings and subsidiaries of US-listed parent companies.
What is the difference between SOX and the EU Whistleblowing Directive?
SOX is US law focused on financial fraud and securities violations, applying specifically to publicly traded companies. The EU Whistleblowing Directive is broader in scope, covering a wide range of EU law breaches, and applies to all organisations with 50 or more employees operating in EU member states. Both require confidential internal reporting channels and prohibit retaliation.
What does a SOX-compliant reporting channel look like?
A SOX-compliant reporting channel allows employees to report concerns confidentially and anonymously, routes audit-related concerns to the audit committee, prohibits retaliation, and is accessible to all employees including those at international subsidiaries. It should be supported by a clear whistleblowing policy and regular employee communication.
Can one whistleblowing platform satisfy both SOX and EU directive requirements?
In most cases, yes. A robust whistleblowing platform that supports anonymous reporting, maintains strict confidentiality, provides documented case management, and allows configurable routing can satisfy the core requirements of both frameworks. Organisations should review their specific obligations with legal counsel to confirm alignment with any national-level implementation requirements.
