It’s hard to believe that July 2025 marks the 23-year anniversary of the Sarbanes-Oxley Act (SOX).
On the heels of the dot-com boom in the early 2000s, companies changed the way they operated and incentivized senior leaders, and financial fraud became rampant.
Flagship financial fraud cases of the era included Enron (overstated revenue and concealed debt obligations), WorldCom (inflated earnings by $11 billion), and Tyco (inflated company income). These events helped catalyze more rigorous financial reporting and internal control requirements created under SOX.
The bipartisan law, sponsored by U.S. Senator Paul Sarbanes and U.S. Congressperson Michael Oxley, has had lasting impacts on public companies of all sizes, helping to create strong control environments, standardize processes, and mitigate financial reporting risks.
SOX Milestones
Below is a timeline of some of the biggest milestones related to the evolution of SOX over the past 23 years:

While many organizations and their auditors have grown accustomed to annual compliance requirements, they must still remain vigilant toward further rule changes and emerging trends. SOX programs must adequately provide insight to stakeholders and regulators as the market and regulatory landscape continue to evolve.
SOX Today and Tomorrow
As organizations consider going public and seek to establish SOX programs of their own, a number of more recent trends are influencing the design, scope, and urgency of reporting standards and control environments.
Some of the most prominent emerging factors include:
Innovation: AI, Automation, and Data Analytics
In tight labor markets, organizations are increasingly leveraging innovative technologies to enhance efficiency and focus on value-added activities. Automation, data analytics, and, more recently, AI are transforming how companies and auditors manage processes and controls. For example, financial reporting tools and governance, risk, and compliance (GRC) platforms use robotic process automation (RPA), data analytics, and AI-driven solutions to reduce manual errors, streamline evidence collection, and proactively detect fraud and anomalies.
These technologies enable SOX teams to analyze larger volumes of structured and unstructured data, improve real-time monitoring, and optimize the efficacy of SOX testing programs. By reducing the overall cost of compliance and minimizing the burden of audit seasons, these advancements empower professionals to concentrate on tasks that require expert judgment and strategic insight.
Environmental, Social, and Governance (ESG)
More public companies than ever are disclosing sustainability data, both voluntarily and for regulatory purposes. This enhanced reporting requires companies to design and implement relevant financial reporting controls over ESG data, much of which is non-financial data outside of the general ledger. As companies incorporate testing of their ESG-related data into their overall SOX program, these new disclosures must stand up to regulatory scrutiny.
Cybersecurity Requirements
The rapid evolution of technology continues to shape the scope and rigor of SOX compliance. In 2024, the SEC adopted enhanced cybersecurity disclosure rules that are now fully in effect for public companies. These rules require:
- Disclosure of material cybersecurity incidents within four business days via Form 8-K.
- Annual reporting on cybersecurity risk management, strategy, and governance under Regulation S-K Item 106.
- Clear articulation of the board’s oversight and management’s role in assessing and mitigating cyber risks.
As a result, cybersecurity controls are now being evaluated alongside traditional IT general controls (ITGC) during SOX testing. Companies must ensure their incident response protocols, data governance frameworks, and cyber risk assessments are operationally sound and aligned with financial reporting requirements. The SEC’s enforcement actions underscore the importance of accurate and timely cyber disclosures, making cybersecurity a central pillar of modern SOX compliance.
For SOX cybersecurity compliance best practices, start here:
- Continuous monitoring of controls and risks.
- Automated identity and access governance.
- Zero-trust architectures for sensitive systems.
- Active incident response drills (e.g., red team exercises focused on financial systems).
- Ongoing vendor risk reviews and robust documentation of security controls and incidents.
A Profitable, Compliant Future
Twenty-three years later, the legacy of SOX stands as a powerful testament to the enduring value of transparency, accuracy, and accountability in financial reporting. While regulatory requirements will continue to evolve, the core principles that safeguard trust in our capital markets remain as vital and unshakeable as ever.
For expert SOX advisory support, contact CrossCountry Consulting.