The Sarbanes-Oxley Act of 2002, also known as the Public Company Accounting Reform and Investor Protection Act of 2002, and commonly called "SOX" or "Sarbox," is a United States federal law enacted on July 30, 2002, in response to a number of major corporate and accounting scandals. As of 2006, all public companies are required to submit an annual assessment of the effectiveness of their internal financial auditing controls to the U.S. Securities and Exchange Commission (SEC). Additionally, each company's external auditors are required to audit and report on the internal control reports of management, in addition to the company's financial statements.
Organizations, and their IT departments in particular, are challenged to meet the requirements of SOX Sections 302 and 404 for any number of systems, applications and data sources that are involved in the accurate reporting of company finances. Data moving on IT systems between personnel and departments, from initial creation to the reports that the CEO and CFO are required to approve, require a set of repeatable and measurable controls to achieve SOX Compliance.
These controls consist of globally recognized frameworks such as the COSO and COBIT frameworks that provide step-by-step guidelines for SOX Compliance implementation, as well as technology like the Varonis Data Governance