Although the Sarbanes-Oxley Act (SOX) is a US regulation, it’s part and parcel of being a publicly traded company, has ramifications the world over, and should be on any company’s roadmap to IPO. SOX compliance has very specific requirements—but it’s also a key part of signalling maturity to the market, and falling short of SOX brings not only steep individual penalties but also a broader loss of investor confidence. While it’s true that SOX’s main focus is financial reporting, what’s often overlooked is how procurement processes fit into the puzzle of SOX compliance. They provide a bedrock for the accurate and timely financial reporting that SOX mandates. But before we get to that, let’s start with the basics.
Why does SOX exist?
Enron is a household name that’s now synonymous with institutional accounting fraud. But in the 1990s it was known for its high performance. Fortune Magazine named it “America’s Most Innovative Company” six years in a row. The publicly listed energy company’s stock price increased 87% in 2000. But by October 2001 it had plummeted to just $0.26 from highs of over $90. Enron filed for Chapter 11 bankruptcy just one month later, on 2nd December 2001. The business had $63.4bn in assets, and still holds the record for the largest U.S. bankruptcy filing.
What came to be known as one of the biggest white-collar crimes in history was jam-packed with systematic accounting fraud—revenues were inflated, and billions of dollars of losses hidden using off-balance sheet entities and vehicles. When this came to light as part of a Securities and Exchange Commission (SEC) investigation the business collapsed—20,000 employees lost their pensions, and Enron’s Chairman, CEO, and CFO were brought to trial.
Enron is the largest and best-known of several accounting scandals that rocked Wall Street in the early 1990s. Tyco International, WorldCom, Adelphia, and Peregrine Systems were all investigated around the same time for fraudulent accounting practices. This is the landscape that SOX was introduced to reshape. In the simplest terms, SOX was designed to stop another Enron and rebuild confidence in listed companies’ finances. It was introduced and passed into law in July 2002, just seven months after Enron filed for Chapter 11.
When and who does SOX apply to?
Although publicly-traded companies are the primary targets of SOX, the law’s purview is actually slightly wider. SOX applies to:
Publicly traded companies doing business in the US, and their wholly owned subsidiaries.
It’s important to note that SOX applies not just to public companies headquartered or listed in the US, but also to public companies headquartered elsewhere who do business in the US.
Private companies preparing to IPO
Private companies aspiring to IPO are bound by SOX when they file a registration statement with the SEC.
Securities analysts and accounting firms.
SOX applies to those auditing public companies—primarily at accounting firms.
Any public, private, or non-profit.
SOX’s widest-reaching, but perhaps most intuitive and easiest-to-comply-with, requirement makes it illegal to destroy or falsify financial records to obstruct a federal investigation. This applies to any public or private business, plus non-profits.
Whistleblowers
SOX also protects whistleblowers at private companies who report misconduct of their public customers.
What are the key requirements of SOX?
The Sarbanes-Oxley Act is split into 11 primary titles—each with different objectives. Some of the most important impacts of SOX are:
1. Creating the Public Company Accounting Oversight Board (PCAOB).
Title I: establishes the Public Company Accounting Oversight Board to “Oversee the audit of public companies that are subject to the securities laws” along with establishing rules and standards for auditing. This is, in essence, the regulator—the entity that keeps check on the firms that audit public companies.
2. Strengthening financial reporting requirements.
Title IV: requires “financial reports filed with the SEC to reflect all material correcting adjustments that have been identified by a registered public accounting firm in accordance with SEC rules and generally accepted accounting principles (GAAP).”
Sec. 404 additionally requires that annual reports include an internal control report which:
- Details the “adequate internal control mechanisms for financial reporting” a business is utilizing.
- “Evaluates the efficacy of such mechanisms”—including an attestation from the public accounting firm.
3. Making executives, including the CEO and CFO personally accountable for failings.
Title III: Sec. 302, one of the best-known sections of SOX, requires the CEO and CFO to certify the truthfulness and completeness of financial reporting, and names them responsible for the internal controls that make it so.
4. Mandating independence for external auditors and analysts.
Title II: focuses on the concept of “Auditor Independence”—so auditors cannot provide other services to a business while they are auditing it under SOX.
5. Enacting protections for whistleblowers.
Title VIII: prohibits publicly traded companies from retaliating against employees who report fraud or violations of securities regulations. It grants those employees the right to file complaints with OSHA, and the right to reinstatement and recompense if retaliation occurs.
How does procurement fit into meeting these requirements?
Teams process thousands of financial transactions every year, and a large proportion of these originate via procurement. This process most notably influences financial reporting via direct integration with a business’s core ERP tooling. POs can be generated directly based on the information determined in the procurement process, affecting reporting of accruals, committed spend, and invoice processing. These in turn directly impact a business’s ability to meet the control requirements of Section 404.
Additionally, without comprehensive procurement systems, organizations lack basic auditability and struggle to explain why particular suppliers were chosen or who approved which contracts. Even when records exist, they are often scattered across email chains, Slack, or Teams threads, making reporting a significant manual burden.
Procurement processes are also instrumental in enabling material changes to be disclosed on a “rapid and current basis” as mandated by Section 409. Unexpected adverse events relating to critical suppliers may constitute material events. Businesses need to detail how such an event would be assessed, and this is where third-party risk management comes in. Businesses are also required to assess suppliers who impact their financial reporting—third-party risk management embedded in procurement can ensure new suppliers are SOX-compliant by evaluating factors such as their SOC 1 certification, and automatically monitoring that their certification stays up to date.
When implemented correctly, procurement processes support key SOX reporting requirements. Without them, assembling accurate reports can be nearly impossible. This places pressure on the CEO and CFO, who must legally certify these reports and face severe consequences for inaccuracies.
How does Omnea help businesses meet SOX requirements?
We’re proud to be the world’s fastest growing intake and orchestration platform, trusted by businesses listed on the NASDAQ and NYSE, and other international exchanges subject to similar legislation, including LSE (London), SIX (Switzerland), and the FWB (Germany). Our platform allows businesses to build and automate processes that become foundational to SOX-compliant reporting. Here are some of the key ways:
Establishing a foundation of trusted data
Siloed systems create space for missing or inaccurate data. Omnea orchestrates disparate financial, contracting, and risk systems to eliminate manual data processing and ensure data integrity. Audit logs record every time Omnea writes data to ERP systems—so you can easily report exactly how data was handled, where changes were made, and what decisions led to action—versus manually piecing together events from disparate ticketing systems, emails, and other communication channels. Omnea’s orchestration layer ensures data is handled compliantly, is in line with required financial controls, and creates a unified source of truth that can stand up to the scrutiny faced by SOX-regulated businesses.
Building audit-ready workflows with compliant audit trails
Omnea triggers the right automated workflows and approvals based on simple questions asked at intake. That means the right stakeholders review and approve spend requests depending on spend categories or monetary thresholds, complete with a centralized audit trail and documentation. Auditor-ready documentation is only ever a click away, with full export capabilities integrated throughout Omnea.
Embedding third-party risk management
When managed in a silo, third-party risk management easily becomes inconsistent. Omnea embeds TPRM processes within procurement workflows, and automatically sends suppliers due diligence questionnaires at assessment and periodically throughout the relationship to ensure suppliers remain SOX compliant.
If you’re evaluating your SOX compliance processes, or preparing processes for IPO, we’re always happy to talk about specific requirements and use cases.