SOX is a Securities and Exchange Commission requirement which prescribes very specific steps to be followed. It is like a US law for US stock-listed companies, asking them to certify that their internal system of control is in place, is appropriate for the purpose and did not allow any material errors to occur in the financial statements. In a sense, it is like a compulsory external audit: it consists of prescribed steps and follows a certain logic. SOX is designed to protect the investors in publicly listed companies and even has legal consequences for the senior officers of those companies (who are liable under US law).
An operational audit is a comprehensive form of an internal audit. This type of audit tries to improve the efficiency and the effectiveness of internal operations. Its objectives vary a lot and are determined by the management of the company, based on their own scope (and not imposed by law as in SOX). The operational audit has only internal consequences and usually looks at all of the company's operations, but from a totally different angle compared to SOX. It does not focus on internal controls (although SOX and internal audits can and often do overlap). It tries to increase customer satisfaction, improve the company's products or even prevent stealing. Stealing from petty cash cannot be material for SOX purposes (it probably does not affect the values in the financial statements, but it can bother management through the culture change it creates within the organisation). So an operational audit is quite different from a SOX audit.
Operational audits are usually conducted by internal auditors who are members of an internal department of the company. SOX is conducted from outside by external companies, since the organisation itself would easily certify that it has done things the right way just to avoid any legal consequences.
For more references: