The major provisions of the SOX Act of 2002 are the following:
Section 302 of the SOX Act of 2002 mandates that senior corporate officers personally certify in writing that the company's financial statements comply with SEC disclosure requirements and "fairly present in all material respects the financial condition and results of operations of the issuer" at the time of the financial report. Officers who sign off on financial statements that they know to be inaccurate are subject to criminal penalties, including prison terms.
Section 404 of the SOX Act of 2002 requires that management and auditors establish internal controls and reporting methods to ensure the adequacy of those controls. Some critics of the law have complained that the requirements in Section 404 can have a negative impact on publicly traded companies because it's often expensive to establish and maintain the necessary internal controls.
Section 802 of the SOX Act of 2002 contains the three rules that affect recordkeeping. The first deals with destruction and falsification of records. The second strictly defines the retention period for storing records. The third rule outlines the specific business records that companies need to store, which include electronic communications.
Besides the financial side of a business, such as audits, accuracy, and controls, the SOX Act of 2002 also outlines requirements for information technology (IT) departments regarding electronic records. The act does not specify a set of business practices in this regard but instead defines which company records need to be kept on file and for how long. The standards outlined in the SOX Act of 2002 do not specify how a business should store its records, just that it's the company IT department's responsibility to store them.