Sarbanes-Oxley Act Internal Controls Law

United States

2002

Tax & Reporting

Overview

SR 11-7, issued by the Federal Reserve in 2011, provides supervisory guidance on effective model risk management practices for financial institutions. It establishes expectations for identifying, assessing, controlling, and mitigating risks arising from the use of quantitative models in decision-making.
Although not a formal rule, SR 11-7 is applicable to banks, bank holding companies, financial market utilities, and other regulated financial institutions in the United States. It is widely followed as a de facto standard for model governance across risk, compliance, and finance functions, requiring institutions to implement comprehensive governance frameworks that ensure proper validation, documentation, and ongoing monitoring of all quantitative models used in business operations.

Key Obligations

  • Maintain effective internal controls over financial reporting (ICFR)
  • Conduct annual management assessments of control effectiveness
  • Obtain independent auditor attestation on internal controls (for larger filers)
  • Implement procedures to prevent and detect fraud
  • Establish whistleblower protections and anonymous reporting mechanisms
  • Enforce personal accountability for CEOs and CFOs on financial disclosures
  • Retain key financial documents and emails for defined time periods

FAQ

Who does SOX apply to?

All U.S. publicly traded companies, their subsidiaries, accounting firms, and executive officers.

What is the main purpose of SOX Section 404?

To ensure that companies have robust internal controls over financial reporting and disclose their effectiveness.

Are private companies affected by SOX?

Not directly, but vendors and financial partners of public companies may be expected to follow SOX-compliant processes.

What are the penalties for non-compliance?

Penalties include fines, delisting from exchanges, reputational damage, and criminal charges for executives in cases of willful misconduct.