The 2002 US statute reforming corporate governance, auditor independence, and internal control over financial reporting for US-listed issuers and their consolidated subsidiaries.
SOX.
The Sarbanes-Oxley Act of 2002 was enacted July 30, 2002 in response to the Enron, WorldCom, and Tyco corporate accounting scandals. It is codified at 15 U.S.C. 7201 et seq. and made substantial amendments to the Securities Act of 1933, the Securities Exchange Act of 1934, the Investment Company Act of 1940, and the Investment Advisers Act of 1940. The statute created the Public Company Accounting Oversight Board as a nonprofit corporation overseen by the SEC to set audit standards, inspect registered audit firms, and discipline auditors. The PCAOB now sets auditing standards for all auditors of US-listed issuers.
The most operationally consequential provisions cluster in three areas. Officer certifications: Section 302 requires the principal executive officer and principal financial officer to personally certify each periodic report (10-K, 10-Q, 20-F for foreign private issuers, 40-F for Canadian filers) for accuracy, internal controls, and disclosure controls. Section 906 adds a criminal certification with up to 20 years imprisonment for willful violations. Internal control over financial reporting (ICFR): Section 404(a) requires management to annually assess and report on ICFR effectiveness; Section 404(b) requires the external auditor to issue an attestation opinion on ICFR for accelerated filers and large accelerated filers. Auditor independence: Section 201 prohibits the external auditor from providing nine categories of non-audit services to the audit client; Section 203 requires audit-partner rotation every five years.
Document retention and whistleblower protection complete the framework. Section 802 imposes criminal penalties for destruction, alteration, or falsification of records with intent to obstruct a federal investigation. Section 1102 imposes criminal penalties for obstruction of justice through tampering with records or proceedings. Section 806 establishes whistleblower retaliation protections for employees of US-listed issuers, with a private right of action and a complaint procedure through OSHA. The Dodd-Frank Act of 2010 supplemented SOX whistleblower protection with the SEC Office of the Whistleblower bounty program under Section 922.
For a foreign-headquartered firm with US-listed ADRs (a foreign private issuer or FPI), SOX applies to the FPI and its consolidated subsidiaries worldwide. The 20-F annual report substitutes for the 10-K, but the Sections 302 and 906 certifications still apply, the Section 404 ICFR requirements still apply (subject to phase-in and exemptions for smaller reporting companies and emerging growth companies), and the audit committee, auditor independence, and document-retention provisions still apply. The PCAOB inspects the FPI's registered audit firm, which may be a Big Four global member firm or a local audit firm registered with PCAOB.
For a foreign acquirer of a US-listed issuer, SOX compliance becomes a post-closing obligation at the acquired entity until the listing is withdrawn (which itself triggers the deregistration procedure under Exchange Act Rule 12h-6 for FPIs). For a US subsidiary of a foreign parent that is not US-listed, SOX does not apply directly to the subsidiary unless the parent has US-listed ADRs and consolidates the subsidiary. Many foreign multinationals operate SOX-grade controls at non-listed US subsidiaries as a matter of group policy, on the basis that SOX-grade controls are reasonable industrial practice for any sizeable enterprise.
SOX sits across the Investors building in the US book and the Fiduciaries and advisors work on cross-border issuer trajectories. It shapes the diligence posture on M&A involving US-listed targets and frames the governance presentation in the Answers hub. The presentation work covers how the firm names its SOX compliance posture, its audit committee structure, its PCAOB-registered auditor, and its ICFR audit history on US-facing surfaces. The compliance program design, ICFR testing, and audit response belong with the firm's audit committee, internal audit, external auditor, and SEC counsel.
Global Marketing Agency does not provide SOX compliance program design, ICFR testing, audit committee charter drafting, or SEC enforcement defense. Those activities belong to the firm's internal audit, external auditor, and SEC counsel. GMA works on how the firm's SOX posture is presented, sequenced, and read on US-facing surfaces.
Sources cited on this page: US Securities and Exchange Commission, Sarbanes-Oxley Act of 2002 full text, Public Company Accounting Oversight Board, SEC, Foreign Private Issuers Overview, SEC Office of the Whistleblower, US OSHA Whistleblower Protection Programs, Public Law 107-204, Sarbanes-Oxley Act of 2002.