Standard Overview
The Sarbanes-Oxley Act (SOX) is a federal law passed by the United States Congress on July 30, 2002; its full title is the Public Company Accounting Reform and Investor Protection Act of 2002. The Act was enacted in the wake of major corporate financial fraud scandals such as Enron and WorldCom, and aims to strengthen the transparency and accountability of public companies' financial reporting. SOX is administered by the U.S. Securities and Exchange Commission (SEC) and applies to all companies listed on U.S. securities exchanges (including foreign issuers), as well as to registered public accounting firms that provide audit services to public companies.
The most critical provisions of SOX include: Section 302 (the CEO and CFO must personally certify the accuracy and completeness of financial reports); Section 404 (management must assess and report on the effectiveness of internal control over financial reporting, and accelerated filers must obtain an internal control audit opinion from their external auditor); Section 409 (real-time disclosure of material changes in financial condition); and Section 802 (willful destruction or alteration of audit records is punishable by up to 20 years' imprisonment). SOX compliance has a major impact on IT systems, requiring the implementation of access controls, change management, data backup, and audit trails. Annual SOX compliance costs for large enterprises typically range from 1 million to 5 million US dollars. The Public Company Accounting Oversight Board (PCAOB) is responsible for overseeing auditing standards and inspecting accounting firms.
Internal Controls (Section 404)
Requires management to establish and maintain an adequate internal control structure for financial reporting, with external auditor attestation for large accelerated filers.
CEO/CFO Certification (Section 302)
CEO and CFO must personally certify the accuracy and completeness of financial reports. False certification carries criminal penalties including fines and imprisonment.
Whistleblower Protection (Section 806)
Provides robust legal protections for employees who report corporate fraud, including protection against retaliation and remedies such as reinstatement and compensation for damages.
Key Sections
- Section 302 — CEO/CFO certification of financial reports
- Section 404 — internal control assessment and auditor attestation
- Section 409 — real-time disclosure of material changes
- Section 802 — criminal penalties for document destruction
- Section 806 — whistleblower protections
- Section 906 — criminal penalties for false certification
- PCAOB oversight of public accounting firms
- Audit committee independence requirements
Who Needs to Comply?
All publicly traded companies in the United States and foreign companies listed on U.S. stock exchanges. It also applies to their wholly-owned subsidiaries and to the public accounting firms that audit them. Private companies pursuing an IPO must prepare for SOX compliance.
Key Requirements
Internal Controls Over Financial Reporting (ICFR)
Management must assess and report on the effectiveness of internal controls over financial reporting annually. Large accelerated filers require external auditor attestation under PCAOB AS 2201.
Officer Certifications
CEO and CFO must sign certifications with each annual and quarterly report attesting that financial statements fairly present the company's financial condition, with no material misstatements or omissions.
Audit Committee Independence
Audit committees must consist of independent board members with at least one financial expert. The committee oversees the external audit, internal controls, and whistleblower procedures.
Records Retention
Maintain audit work papers and relevant records for at least 7 years. Knowingly destroying or falsifying documents to obstruct investigations carries criminal penalties.
Real-Time Disclosure
Disclose material changes in financial condition or operations on a rapid and current basis (Section 409). This includes filing current reports (8-K) for significant events.
Penalties & Enforcement
Executives who certify fraudulent financial reports face fines up to $5 million and up to 20 years imprisonment (Section 906). Organizations face corporate fines up to $25 million. Document destruction carries penalties up to $5 million and 20 years imprisonment (Section 802). Companies may be delisted from stock exchanges.