Does SOX Apply to Private Companies? What CFOs Need to Know
The Sarbanes-Oxley Act was written for public companies, but its principles increasingly affect private businesses. Here is what applies and what does not.
The short answer
The Sarbanes-Oxley Act (SOX) was enacted in 2002 in response to the Enron and WorldCom scandals. It applies primarily to publicly traded companies and their auditors. Private companies are not directly subject to most SOX provisions.
But the short answer is misleading. Several SOX provisions apply to all companies, and many more are effectively imposed on private companies through investors, lenders, customers, and acquirers.
What applies to everyone
Section 802: Document destruction. It is a federal crime to alter, destroy, or conceal documents to obstruct a federal investigation. This applies to all companies, not just public ones. Penalties include fines and up to 20 years' imprisonment.
Section 806: Whistleblower protection. Employees who report securities fraud are protected from retaliation. While primarily aimed at public companies, private companies involved in securities transactions (fundraising, for example) may be covered.
Section 1107: Retaliation against informants. It is a criminal offence to retaliate against anyone who provides truthful information to law enforcement. This applies to all companies.
What investors expect
Even when SOX does not legally apply, its frameworks are increasingly expected:
- Series B and beyond: Institutional investors routinely require SOX-like internal controls as a condition of investment.
- Pre-IPO preparation: Companies planning to go public typically implement SOX controls 1-2 years before the IPO.
- M&A due diligence: Acquirers assess internal controls as part of due diligence. Weak controls reduce valuation.
- Banking covenants: Some lenders require annual compliance certifications that mirror SOX requirements.
The key SOX sections
| Section | Requirement | Public companies | Private companies |
|---|---|---|---|
| 302 | CEO/CFO certification of financial statements | Mandatory | Increasingly expected by investors |
| 404 | Internal controls over financial reporting | Mandatory (with auditor attestation) | Voluntary but often adopted |
| 409 | Real-time disclosure of material events | Mandatory | Not applicable |
| 802 | Document retention and destruction | Mandatory | Mandatory |
| 906 | Criminal certification of financial reports | Mandatory | Not applicable |
Practical steps for private companies
Even without a legal SOX mandate, implementing basic internal controls is simply good governance:
- Segregation of duties. No single person should control an entire financial process; authorisation, recording, and custody of assets should sit with different people.
- Access controls. Limit system access to what each role requires.
- Documentation. Document key financial processes and controls.
- Review and reconciliation. Regular review of financial statements, bank reconciliations, and intercompany transactions.
- Record retention policy. Define how long you keep financial records (typically 7 years for tax purposes).
The compliance calendar connection
Internal controls include ensuring that external filings are made on time. A missed state filing is a control failure. CompCal automates this aspect of your compliance framework, ensuring every deadline is tracked and nothing slips through.