At its core, SOX is about “power” (or authority) and the delegation thereof.
The concept is inherited from COSO (Committee of Sponsoring Organizations of the Treadway Commission).
As is widely known, the “COSO Framework” is the conceptual framework for sustaining the integrity of a public organization, one that is trusted, funded, and empowered by (often numerous) benefactors, fund providers, investors, and other stakeholders, including citizens and taxpayers when the organization is a governmental body. Because the management or administration of such an organization is typically composed of elected, appointed, or entrusted directors (as is usually the case with a public company), one of the primary concerns of the fund providers and taxpayers is corruption: that is, the abuse of power.
Take the Watergate scandal, for example. President Nixon abused his presidential power, or authority, by spending taxpayers’ money for his personal gain, namely the burglary of the Democratic Party headquarters.
The scandal led to the uncovering of many other illegal and corrupt corporate activities, which were essentially a similar abuse of the power, or authority, that corporate management holds by delegation from the board of directors, the representative body of the corporate shareholders.
This series of events prompted the U.S. Congress to enact the Foreign Corrupt Practices Act (FCPA) of 1977 and led to the establishment of COSO.
The COSO Framework consequently provides corporate governance with a conceptual framework of internal controls to mitigate the risk of corporate management abusing the authority delegated to them by the board of directors.
The SOX Act of 2002, in conjunction with the correspondingly updated COSO Framework of 2013, specifically deals with the financial reporting of public companies regulated by the PCAOB (Public Company Accounting Oversight Board), part of the SEC (Securities and Exchange Commission).
That is, SOX Section 302 requires the corporate governance of SEC-listed companies, specifically the CEO and CFO, to hold themselves accountable for reporting financial statements (and the footnote information thereof) that are fairly stated and disclosed, without material misstatement, in accordance with US GAAP. They do so by establishing an effective system of internal controls over financial reporting (ICFR), “based on criteria established in the” COSO Framework 2013 (as stated in management’s ICFR effectiveness report in the 10-K), to adequately mitigate the risk of misstatement due to fraud (resulting from the abuse of authority or power, e.g., management override or collusion) and/or due to unintentional error (resulting from a lack of adequate accountability or competence).
Therefore, the objective of ICFR under SOX and the COSO Framework (2013) is for the management of a public company to “hold themselves accountable to their shareholders (to the extent of the authority delegated by the shareholders, i.e., the corporate owners) in reporting and disclosing fairly stated financial statements (under US GAAP and SEC regulations), by controlling (to mitigate) the risk of (material) misstatements due to fraud and errors.”