as of March 2026
Applies to all U.S. public companies. SOX compliance is mandatory for all companies registered under the Securities Exchange Act of 1934 — including foreign private issuers listed on U.S. exchanges. Non-compliance exposes CEOs and CFOs to personal criminal liability. (SEC SOX Overview)
What Is the Sarbanes-Oxley Act?
The Sarbanes-Oxley Act (SOX) — formally the Public Company Accounting Reform and Investor Protection Act of 2002 — was signed into law on July 30, 2002 by President George W. Bush. It was enacted in response to the Enron, WorldCom, Tyco, and Adelphia accounting scandals that cost investors hundreds of billions of dollars. (Congress.gov)
SOX established sweeping reforms to corporate governance, financial disclosure, and the public accounting profession. It created the PCAOB to oversee auditors of public companies and imposed personal criminal liability on CEOs and CFOs who certify materially false financial statements.
Key SOX figures:
| Figure | Meaning |
| 11 | Titles (chapters) in SOX |
| 20 yrs | Max imprisonment (Section 802/906) |
| $5M | Max individual fine (Section 906) |
| 4 days | Form 8-K filing window (Section 409) |
| 1,515 | PCAOB inspections conducted (2023) |
| 5 yrs | Audit partner rotation requirement |
Who Must Comply with SOX?
SOX applies to all issuers registered with the SEC under the Securities Exchange Act of 1934, including: (SEC.gov)
- U.S. publicly traded companies — all domestic public companies regardless of size
- Foreign private issuers — non-U.S. companies listed on U.S. exchanges (NYSE, Nasdaq)
- Accounting firms — any firm auditing public companies must register with PCAOB
- Subsidiaries — material subsidiaries of public companies are typically subject to SOX controls
- Private companies (limited): Sections 802 and 1107 (document destruction, whistleblower retaliation) apply to all companies, public and private
Note on Section 404 exemptions: Non-accelerated filers (public float < $75M) are exempt from the external auditor attestation requirement under Section 404(b), though management assessment is still required.
Section 302 — CEO/CFO Certification Requirements
Section 302 requires the principal executive officer (CEO) and principal financial officer (CFO) to personally certify each annual (Form 10-K) and quarterly (Form 10-Q) report filed with the SEC. (SEC Rule 13a-14)
The CEO/CFO must certify that:
- They have reviewed the report
- The report does not contain any material misstatement or omission
- Financial statements and disclosures fairly present the financial condition
- They are responsible for establishing and maintaining disclosure controls and procedures (DC&P)
- They have evaluated the effectiveness of DC&P within 90 days prior to the report
- They have disclosed to auditors and audit committee all significant deficiencies, material weaknesses, and fraud in ICFR
False Section 302 certifications can expose executives to SEC civil enforcement and DOJ criminal prosecution. The SEC has brought enforcement actions solely on 302 certification violations, even when the underlying financial statements were corrected.
Section 404 — Internal Control Over Financial Reporting (ICFR)
Section 404 is the most operationally intensive SOX provision. It requires management to annually assess and report on the effectiveness of internal control over financial reporting (ICFR). (SEC Rule 13a-15)
Section 404(a) — Management Assessment (all filers, accelerated and non-accelerated)
- Management must use a recognized control framework — most companies use COSO (Committee of Sponsoring Organizations)
- Assessment must cover all business processes that affect financial reporting
- Any identified material weakness must be disclosed; management cannot conclude ICFR is effective if a material weakness exists
- Management's assessment must be included in the annual report
Section 404(b) — External Auditor Attestation (accelerated filers only)
- External auditors must independently attest to management's ICFR assessment under PCAOB AS 2201
- Required for: Large accelerated filers (public float ≥ $700M) and accelerated filers (public float $75M–$700M)
- Exempted: Non-accelerated filers (public float < $75M), smaller reporting companies (SRCs) for 404(b) only
Key ICFR Deficiency Levels
| Level | Definition | Required Disclosure |
| Control Deficiency | Design or operation of a control does not allow management/employees to prevent or detect misstatements | Not required in 10-K (disclosed to audit committee) |
| Significant Deficiency | Deficiency or combination that is less severe than a material weakness, yet important enough to merit attention | Disclosed to audit committee and auditors |
| Material Weakness | Deficiency or combination that creates reasonable possibility of material misstatement in financial statements | Must be disclosed in annual report; management cannot conclude ICFR is effective |
Criminal Penalties Under SOX
| Section | Violation | Penalty |
| Sec 802 | Knowingly destroying, altering, or falsifying records in a federal investigation or bankruptcy | Up to 20 years imprisonment; fines |
| Sec 906(a) | Certifying a periodic report knowing it does not comply with requirements | Fine up to $1M; up to 10 years imprisonment |
| Sec 906(b) | Willfully certifying a periodic report knowing it does not comply | Fine up to $5M; up to 20 years imprisonment |
| Sec 1102 | Corruptly altering or destroying documents to impede SEC investigations | Up to 20 years imprisonment |
| Sec 1107 | Retaliating against whistleblowers | Up to 10 years imprisonment |
Source: Public Law 107-204, Sections 802, 906, 1102, 1107. congress.gov
SOX Compliance Checklist
- CEO and CFO have signed Section 302 certifications for all 10-K and 10-Q filings
- Disclosure Controls & Procedures (DC&P) documented and evaluated quarterly
- ICFR assessment completed using COSO 2013 framework (or COBIT for IT controls)
- All material weaknesses and significant deficiencies identified and disclosed to audit committee
- External auditor engaged for Section 404(b) attestation (accelerated filers)
- Audit committee composed entirely of independent directors; financial expert designated
- Lead and concurring audit partners rotated at least every 5 years
- Non-audit services reviewed and pre-approved by audit committee; prohibited services not performed by auditor
- Code of ethics for senior financial officers adopted and disclosed
- Whistleblower hotline established; anonymous complaints can be submitted to audit committee
- Document retention policy in place; litigation hold procedures documented
- Form 8-K filed within 4 business days of material events (Section 409)
- No personal loans to executives or directors (Section 402)
- Insider trading policy and Section 16 reporting procedures current
Source: PCAOB AS 2201
PCAOB — Public Company Accounting Oversight Board
SOX Title I created the PCAOB as a non-profit corporation to oversee auditors of public companies. The PCAOB operates under SEC oversight and has authority to set auditing standards, inspect audit firms, and impose sanctions. (PCAOB)
Key PCAOB functions:
- Registration: All accounting firms auditing public companies must register (over 1,800 registered globally as of 2024)
- Inspection: Annual inspections of firms auditing 100+ issuers; triennial inspections for smaller firms
- Standard-setting: Issues auditing standards (e.g., AS 2201 for ICFR, AS 2301 for audit planning)
- Enforcement: Can impose sanctions, revoke registration, bar individuals, and impose fines up to $15M per violation (firms) or $750K (individuals)
Frequently Asked Questions
Does SOX apply to private companies?
Most SOX provisions apply only to public companies. However, Sections 802 (document destruction) and 1107 (whistleblower retaliation) apply to all companies including private ones. Additionally, private companies planning an IPO should implement SOX-compliant controls before going public — it typically takes 12–18 months to build robust ICFR.
What is the cost of SOX compliance?
Initial implementation costs for large companies exceeded $35 billion in total across all public companies in the years following SOX enactment. Ongoing annual compliance costs vary widely: large accelerated filers typically spend $1M–$10M+ annually on SOX compliance including audit fees, internal audit, and control documentation. Smaller reporting companies spend significantly less.
What are the most common SOX violations?
The most common SOX violations include: (1) material weaknesses in ICFR related to financial close processes, (2) inadequate segregation of duties, (3) Section 302 certification based on inadequate review, (4) untimely Form 8-K disclosures, and (5) failure to maintain adequate records. Restatements of financial statements are a major red flag for potential SOX violations.
How does Dodd-Frank affect SOX whistleblower protections?
The Dodd-Frank Act (2010) significantly strengthened SOX whistleblower protections. It created the SEC Whistleblower Program (Section 21F), which awards whistleblowers 10–30% of monetary sanctions exceeding $1M. From 2012–2023, the SEC awarded over $1.9 billion to more than 400 whistleblowers. Source: SEC Whistleblower Program Annual Reports.