sox法案基本上于06年塵埃落定，如果不是在美國上市公司工作，可能缺乏practice的經驗，我在課本上畫了個表，總結如下：來源：

1。關于section 404:  ceo  and cfo need to certify the control related to financial reporting are effective and in place. senior management should take personal responsibility on the financial integrity.

這句話就是講了sox是要干什么的。

2。auditor的責任： assess the control and integrity of financial statement.

3.auditor具體要做什么，（圍繞以下四點吹水即可）
事實上偶們公司的sox 項目也是這樣做的：
detailed documentation for financial related process.
full verification on compliance is required annually.
documentation should be reviewed and updated if the system or process are changed.
identify the control point, test, oberservation and control activity.

4. sox對于一個企業的成本：  skilled people + plenty of time (internal control function and management team)+ cost

以上四點對于2。6 和3。6 里面的于內控有關的題目亦有幫助。