After major accounting scandals undermined investor trust, the Sarbanes–Oxley Act (SOX) overhauled U.S. public-company governance and auditing oversight. It created the PCAOB (a new audit regulator) and required stronger executive accountability and financial-reporting controls. These requirements applied to many multinational companies listed in U.S. markets, including foreign private issuers.
The SEC adopted final rules requiring principal executive and financial officers to certify quarterly and annual reports. The certifications covered the accuracy of disclosures and required executives to take responsibility for disclosure controls and procedures. For multinational companies, this pushed control documentation and reporting discipline across global subsidiaries feeding U.S. filings.
The SEC adopted rules implementing SOX Section 404, requiring management to report annually on internal control over financial reporting (ICFR). Companies had to name the evaluation framework used and disclose any material weaknesses; auditors had to attest to management’s assessment for covered issuers. For multinationals, ICFR scoping and testing had to extend across major foreign operations and shared service centers.
The PCAOB adopted Auditing Standard No. 2 (AS2) to govern the auditor’s attestation on management’s ICFR assessment. AS2 drove detailed documentation and testing expectations, which often increased compliance effort, especially for complex multinational structures and IT systems. This standard anchored early SOX 404(b) audit practice.
The SEC extended compliance dates for internal control reporting, including for foreign private issuers, citing implementation complexity and resource demands. The release also noted that many foreign issuers were simultaneously transitioning to IFRS in their home markets, complicating systems, controls, and reporting. For multinationals, this extension provided time to build global SOX programs and coordinate with external auditors.
COSO published guidance to help smaller public companies apply the COSO internal control framework to financial reporting. Although targeted to smaller issuers, the guidance also influenced how companies scaled controls and documentation—important for multinational groups with smaller foreign units. The guidance supported a more principles-based approach to designing and evaluating ICFR.
After observing early 404(b) audits, the PCAOB proposed a revised internal control auditing standard to better focus auditors on risk and eliminate requirements viewed as unnecessary. This marked an important turning point from “check-the-box” compliance toward more targeted testing. Multinationals watched closely because changes could reduce audit costs across global processes and locations.
The SEC issued interpretive guidance describing a top-down, risk-based approach for management to evaluate ICFR under Section 404(a). The goal was to improve consistency and help companies focus on controls that address the risk of material misstatement. For multinationals, this encouraged better scoping of significant locations, accounts, and IT systems across borders.
The PCAOB adopted Auditing Standard No. 5 (AS5), replacing AS2 with a more integrated, risk-based approach to auditing ICFR alongside the financial statement audit. AS5 aimed to improve audit efficiency by emphasizing what matters most for material misstatement risk and scaling procedures for different company sizes. This change reshaped multinational SOX testing strategies and auditor expectations worldwide.
The SEC adopted rules allowing foreign private issuers to file financial statements prepared under IFRS as issued by the IASB without reconciling to U.S. GAAP. This reduced a major reporting barrier for cross-border listings and affected multinational reporting strategy, including systems and controls supporting IFRS-based filings. It also increased the importance of consistent global reporting controls and disclosures under SOX-era governance expectations.
The SEC adopted rules requiring many public companies and foreign private issuers to provide financial statements in XBRL (a tagged, machine-readable format). This pushed companies to strengthen reporting processes, data governance, and review controls over tagging—especially challenging for multinationals with multiple ERPs and reporting languages. It also expanded the “global reporting change” side of compliance beyond traditional financial statements.
The Dodd–Frank Act amended SOX to permanently exempt non-accelerated filers from the auditor attestation requirement in Section 404(b). This closed a long-running debate about cost versus benefit for smaller issuers, while keeping management’s ICFR reporting obligations in place. For multinational groups with smaller U.S.-listed entities, the change reshaped compliance planning by separating management testing from auditor attestation in some cases.
Sarbanes–Oxley Compliance for Multinationals and Global Reporting Changes (2002-2010)