SOX (Sarbanes-Oxley Act)
US federal law (2002). Mandates internal controls over financial reporting (ICFR) for publicly traded companies. Section 404 requires management to assess and auditors to attest to the effectiveness of internal controls.
Who must comply: All US public companies; foreign issuers trading on US exchanges. ~6,000 public companies + foreign filers.
Penalties: Up to $5M fines and 20 years imprisonment for certifying false financial statements. CEO and CFO personally liable.
Why it matters: Every financial control is a gate rule — who can approve a journal entry, who can release a payment, who can modify a vendor record. The gate stack encodes these as ACL2-verified rules and produces the audit trail that the external auditor needs for Section 404 attestation. First-mover advantage: SOX is mature (24 years old) but the audit market is $4B+ and entirely manual — no competitor has automated the evidence pipeline.