Final answer:
SOX mandates that the external auditor be employed by and report to the audit committee instead of management, ensuring auditor independence and accountability in financial oversight.
Step-by-step explanation:
The question asks which entity SOX (Sarbanes-Oxley Act) requires an external auditor to be hired by and to whom they must report. The correct answer to the question is: SOX requires the external auditor to be hired by and report to the audit committee; instead of management. This requirement is designed to enhance the independence of the auditor and ensure that there is a clear line of accountability to the part of the company responsible for oversight of the financial reporting and disclosure process.
The role of the board of directors, as the first line of corporate governance, is crucial since they are elected by the shareholders to provide oversight for top executives. Furthermore, the auditing firm acts as a second institution of governance, reviewing financial records, and the third institution comprises outside investors and large shareholders who have a vested interest in the company's accurate reporting, as in the case of Lehman Brothers where corporate governance failed to provide truthful financial information.