Short for Sarbanes-Oxley Act
US law requiring public companies to document and test internal controls over financial reporting. Applies to any SOP that affects financial data.
The Sarbanes-Oxley Act of 2002 was passed after the Enron and WorldCom scandals. Section 404 requires public companies (and certain large private companies) to maintain an 'adequate internal control structure' over financial reporting and to have an external auditor attest to management's assessment. PCAOB Auditing Standard 5 defines how external auditors test those controls — which includes testing whether documented procedures are followed consistently (operating effectiveness). SOX-relevant SOPs include month-end close, journal entry approval, revenue recognition, user access reviews, and change management.
A SOX material weakness disclosure wipes out market capitalization and can trigger class-action lawsuits. External auditors under PCAOB AS 5 must test whether the key financial controls operate effectively, which requires documented procedures plus evidence that the people executing the controls know them. Robust SOX SOPs and documented acknowledgements from the people performing the controls are the foundation of a clean SOX audit.