as of March 2026
⚠️ Applies to all U.S. public companies. SOX compliance is mandatory for all companies registered under the Securities Exchange Act of 1934 — including foreign private issuers listed on U.S. exchanges. Non-compliance exposes CEOs and CFOs to personal criminal liability. (SEC SOX Overview)
What Is the Sarbanes-Oxley Act?
The Sarbanes-Oxley Act (SOX) — formally the Public Company Accounting Reform and Investor Protection Act of 2002 — was signed into law on July 30, 2002 by President George W. Bush. It was enacted in response to the Enron, WorldCom, Tyco, and Adelphia accounting scandals that cost investors hundreds of billions of dollars. (Congress.gov)
SOX established sweeping reforms to corporate governance, financial disclosure, and the public accounting profession. It created the PCAOB to oversee auditors of public companies and imposed personal criminal liability on CEOs and CFOs who certify materially false financial statements.
Key figures:
- Titles (chapters) in SOX: 11
- Max imprisonment (Section 802/906): 20 yrs
- Max individual fine (Section 906): $5M
- Form 8-K filing window (Section 409): 4 days
- PCAOB inspections conducted (2023): 1,515
- Audit partner rotation requirement: 5 yrs
Who Must Comply with SOX?
SOX applies to all issuers registered with the SEC under the Securities Exchange Act of 1934, including: (SEC.gov)
- U.S. publicly traded companies — all domestic public companies regardless of size
- Foreign private issuers — non-U.S. companies listed on U.S. exchanges (NYSE, Nasdaq)
- Accounting firms — any firm auditing public companies must register with PCAOB
- Subsidiaries — material subsidiaries of public companies are typically subject to SOX controls
- Private companies (limited): Sections 802 and 1107 (document destruction, whistleblower retaliation) apply to all companies, public and private
Note on Section 404 exemptions: Non-accelerated filers (public float < $75M) are exempt from the external auditor attestation requirement under Section 404(b), though management assessment is still required.
Section 302 — CEO/CFO Certification Requirements
Section 302 requires the principal executive officer (CEO) and principal financial officer (CFO) to personally certify each annual (Form 10-K) and quarterly (Form 10-Q) report filed with the SEC. (SEC Rule 13a-14)
The CEO/CFO must certify that:
- They have reviewed the report
- The report does not contain any material misstatement or omission
- Financial statements and disclosures fairly present the financial condition
- They are responsible for establishing and maintaining disclosure controls and procedures (DC&P)
- They have evaluated the effectiveness of DC&P within 90 days prior to the report
- They have disclosed to auditors and audit committee all significant deficiencies, material weaknesses, and fraud in ICFR
ℹ️ False Section 302 certifications can expose executives to SEC civil enforcement and DOJ criminal prosecution. The SEC has brought enforcement actions solely on 302 certification violations, even when the underlying financial statements were corrected.
Section 404 — Internal Control Over Financial Reporting (ICFR)
Section 404 is the most operationally intensive SOX provision. It requires management to annually assess and report on the effectiveness of internal control over financial reporting (ICFR). (SEC Rule 13a-15)
Section 404(a) — Management Assessment (all filers, accelerated and non-accelerated)
- Management must use a recognized control framework — most companies use COSO (Committee of Sponsoring Organizations)
- Assessment must cover all business processes that affect financial reporting
- Any identified material weakness must be disclosed; management cannot conclude ICFR is effective if a material weakness exists
- Management's assessment must be included in the annual report
Section 404(b) — External Auditor Attestation (accelerated filers only)
- External auditors must independently attest to management's ICFR assessment under PCAOB AS 2201
- Required for: Large accelerated filers (public float ≥ $700M) and accelerated filers (public float $75M–$700M)
- Exempted: Non-accelerated filers (public float < $75M), smaller reporting companies (SRCs) for 404(b) only
Key ICFR Deficiency Levels
| Level | Definition | Required Disclosure |
| --- | --- | --- |
| Control Deficiency | Design or operation of a control does not allow management/employees to prevent or detect misstatements | Not required in 10-K (disclosed to audit committee) |
| Significant Deficiency | Deficiency or combination that is less severe than a material weakness, yet important enough to merit attention | Disclosed to audit committee and auditors |
| Material Weakness | Deficiency or combination that creates a reasonable possibility of material misstatement in the financial statements | Must be disclosed in annual report; management cannot conclude ICFR is effective |
Criminal Penalties Under SOX
| Section | Violation | Penalty |
| --- | --- | --- |
| Sec 802 | Knowingly destroying, altering, or falsifying records in a federal investigation or bankruptcy | Up to 20 years imprisonment; fines |
| Sec 906(a) | Certifying a periodic report knowing it does not comply with requirements | Fine up to $1M; up to 10 years imprisonment |
| Sec 906(b) | Willfully certifying a periodic report knowing it does not comply | Fine up to $5M; up to 20 years imprisonment |
| Sec 1102 | Corruptly altering or destroying documents to impede SEC investigations | Up to 20 years imprisonment |
| Sec 1107 | Retaliating against whistleblowers | Up to 10 years imprisonment |
Source: Public Law 107-204, Sections 802, 906, 1102, 1107. congress.gov
SOX Compliance Checklist
- CEO and CFO have signed Section 302 certifications for all 10-K and 10-Q filings
- Disclosure Controls & Procedures (DC&P) documented and evaluated quarterly
- ICFR assessment completed using COSO 2013 framework (or COBIT for IT controls)
- All material weaknesses and significant deficiencies identified and disclosed to audit committee
- External auditor engaged for Section 404(b) attestation (accelerated filers)
- Audit committee composed entirely of independent directors; financial expert designated
- Lead and concurring audit partners rotated at least every 5 years
- Non-audit services reviewed and pre-approved by audit committee; prohibited services not performed by auditor
- Code of ethics for senior financial officers adopted and disclosed
- Whistleblower hotline established; anonymous complaints can be submitted to audit committee
- Document retention policy in place; litigation hold procedures documented
- Form 8-K filed within 4 business days of material events (Section 409)
- No personal loans to executives or directors (Section 402)
- Insider trading policy and Section 16 reporting procedures current
Source: PCAOB AS 2201
PCAOB — Public Company Accounting Oversight Board
SOX Title I created the PCAOB as a non-profit corporation to oversee auditors of public companies. The PCAOB operates under SEC oversight and has authority to set auditing standards, inspect audit firms, and impose sanctions. (PCAOB)
Key PCAOB functions:
- Registration: All accounting firms auditing public companies must register (over 1,800 registered globally as of 2024)
- Inspection: Annual inspections of firms auditing 100+ issuers; triennial inspections for smaller firms
- Standard-setting: Issues auditing standards (e.g., AS 2201 for ICFR, AS 2301 for audit planning)
- Enforcement: Can impose sanctions, revoke registration, bar individuals, and impose fines up to $15M per violation (firms) or $750K (individuals)
AI in SOX / ICFR Audits 2026 — What's Allowed?
The question "Is AI prohibited in SOX ICFR audits?" is one of the fastest-growing compliance queries of 2026 — and the answer is nuanced. Here's what public companies and auditors actually need to know:
⚠️ No final PCAOB standard governs AI in ICFR as of April 2026. The PCAOB has flagged AI as an active monitoring area but has not issued definitive rules. Uncertainty is the current state — not prohibition, not permission.
PCAOB Position (2023–2026)
- PCAOB Staff Spotlight (2023): AI use in audits flagged for active monitoring; firms must ensure AI tools are subject to their quality control systems
- PCAOB Concept Release (2024): Sought comment on AI in audits; final rulemaking expected 2025–2026
- Current stance: AI cannot substitute for auditor professional judgment; any AI-generated output in an ICFR engagement must be reviewed, tested, and signed off by a licensed auditor
What Auditors Can Do with AI (Current Guidance)
- ✅ Use AI for risk assessment support — analyzing large datasets to identify anomalies for auditor review
- ✅ Use AI for audit documentation drafting — subject to auditor review and sign-off
- ✅ Use AI for sampling and data analytics — expanding test coverage, not replacing judgment
- ⚠️ AI-generated ICFR opinions are not permitted — the Section 404(b) attestation must be signed by a licensed CPA applying PCAOB standards
- ⚠️ Big 4 caution on generative AI in sign-off: Several major audit firms have paused use of generative AI for final ICFR conclusions pending clearer PCAOB guidance
What Management Must Do When AI Is in ICFR Processes
- If your company uses AI in financial close or ICFR processes, that AI tool is itself a key internal control — it must be documented, tested, and included in management's Section 404(a) assessment
- Change management controls must cover model updates, retraining, and version changes to AI systems in scope
- SOC 2 or equivalent reports for AI vendors used in ICFR scope should be obtained and reviewed
- Disclose material use of AI in ICFR processes in your annual report where relevant to understanding the control environment
The Bottom Line
AI is not categorically prohibited in SOX ICFR. It is, however, uncharted regulatory territory. Companies and auditors using AI in ICFR must apply heightened professional skepticism, treat AI tools as controls requiring testing, and watch closely for PCAOB rulemaking through late 2026.
Frequently Asked Questions
What is SOX attestation?
SOX attestation has two components: (1) Section 302 CEO/CFO certifications — executives personally certify each 10-K and 10-Q, attesting to financial statement accuracy and the adequacy of disclosure controls and procedures; (2) Section 404(b) external auditor attestation — the independent auditor separately evaluates and opines on management's ICFR assessment, required only for accelerated and large accelerated filers. Both are signed under penalty of federal criminal prosecution.
Is AI prohibited in SOX ICFR audits in 2026?
Not categorically prohibited — but not clearly authorized either. The PCAOB has been monitoring AI use since 2023 and published a concept release in 2024, but as of April 2026 no final standard governs AI in ICFR attestation engagements. Auditors may use AI for risk assessment, data analytics, and documentation support, but AI cannot substitute for auditor professional judgment or sign the Section 404(b) opinion. Management using AI in financial close processes must treat those AI tools as key ICFR controls subject to documentation and testing.
Does SOX apply to private companies?
Most SOX provisions apply only to public companies. However, Sections 802 (document destruction) and 1107 (whistleblower retaliation) apply to all companies including private ones. Additionally, private companies planning an IPO should implement SOX-compliant controls before going public — it typically takes 12–18 months to build robust ICFR.
What is the cost of SOX compliance?
Initial implementation costs for large companies exceeded $35 billion in total across all public companies in the years following SOX enactment. Ongoing annual compliance costs vary widely: large accelerated filers typically spend $1M–$10M+ annually on SOX compliance including audit fees, internal audit, and control documentation. Smaller reporting companies spend significantly less.
What are the most common SOX violations?
The most common SOX violations include: (1) material weaknesses in ICFR related to financial close processes, (2) inadequate segregation of duties, (3) Section 302 certification based on inadequate review, (4) untimely Form 8-K disclosures, and (5) failure to maintain adequate records. Restatements of financial statements are a major red flag for potential SOX violations.
How does Dodd-Frank affect SOX whistleblower protections?
The Dodd-Frank Act (2010) significantly strengthened SOX whistleblower protections. It created the SEC Whistleblower Program (Section 21F), which awards whistleblowers 10–30% of monetary sanctions exceeding $1M. From 2012–2023, the SEC awarded over $1.9 billion to more than 400 whistleblowers. Source: SEC Whistleblower Program Annual Reports.