SOX Audit Committee Compliance Checklist

Last updated: 2026-04-25 — ComplianceStack Editorial Team


SOX Section 301 mandates specific independence, composition, and responsibility requirements for audit committees of publicly traded companies. These requirements, implemented through Exchange Act Rule 10A-3, ensure oversight of financial reporting, internal controls, and auditor relationships. Non-compliance can result in delisting and SEC enforcement actions.


SOX Compliance Checklist for Audit Committees

1. Audit Committee Independence

Critical 3 days

All audit committee members must be independent directors with no material relationship with the company. Members cannot accept consulting, advisory, or compensatory fees beyond board compensation.

SOX §301, Exchange Act Rule 10A-3(b)(1)

2. Financial Expert Requirement

Critical 2 days

Disclose whether at least one audit committee member qualifies as a financial expert with accounting or financial management expertise. If no expert exists, explain why not.

SOX §407, SEC Regulation S-K Item 407(d)(5)

3. Direct Responsibility for External Auditor

Critical 5 days

The audit committee must be directly responsible for appointment, compensation, retention, and oversight of the external auditor. The auditor reports directly to the committee, not management.

SOX §301(2), Exchange Act Rule 10A-3(b)(2)

4. Pre-Approval of Audit Services

Critical 4 days

Establish procedures to pre-approve all audit and permissible non-audit services provided by the external auditor. Pre-approval cannot be delegated to management.

SOX §202, Exchange Act Rule 10A-3(b)(3)

5. Pre-Approval of Non-Audit Services

Critical 3 days

Pre-approve all permissible non-audit services. SOX prohibits nine categories of non-audit services including bookkeeping, financial system design, actuarial services, and internal audit outsourcing.

SOX §201, SOX §202

6. Whistleblower Procedures

Critical 6 days

Establish procedures for receiving, retaining, and treating complaints regarding accounting, internal controls, or auditing matters. Include confidential, anonymous submission mechanisms for employees.

SOX §301(4), Exchange Act Rule 10A-3(b)(4)

7. Authority to Engage Advisors

High 2 days

The audit committee must have authority to engage independent counsel and other advisors as necessary. The company must provide appropriate funding for these advisors.

SOX §301(5), Exchange Act Rule 10A-3(b)(5)

8. Audit Committee Charter

High 5 days

Adopt a formal written charter specifying the committee's purpose, duties, and responsibilities. Review and update the charter annually, and disclose it to shareholders every three years.

NYSE Listed Company Manual §303A.07, NASDAQ Rule 5605(c)(1)

9. Minimum Committee Size

Critical 1 day

The audit committee must have at least three independent members. All members must be financially literate or become financially literate within a reasonable time after appointment.

NYSE Listed Company Manual §303A.07(a), NASDAQ Rule 5605(c)(2)(A)

10. Review of Financial Statements

High 8 days

Review quarterly and annual financial statements with management and the external auditor before filing. Discuss significant judgments, estimates, and accounting policies.

PCAOB AS 1301.03, SEC Regulation S-K Item 407(d)(3)

11. Internal Control Oversight

Critical 10 days

Oversee the effectiveness of internal control over financial reporting. Review management's assessment and the auditor's attestation under SOX §404 before filing.

SOX §404, PCAOB AS 2201

12. Regular Executive Sessions

High 4 days

Meet separately in executive session with the external auditor, internal auditor, and management on a regular basis. Document these sessions and any issues raised.

NYSE Listed Company Manual §303A.07(b)(iii)(D), NASDAQ Rule 5605(c)(2)(E)

13. Minimum Meeting Frequency

High 2 days

Hold at least four meetings per year, with additional meetings as needed. Best practice includes meetings before each quarterly earnings release and annual report filing.

NYSE Listed Company Manual §303A.07, PCAOB AS 1301

14. Audit Committee Report

High 3 days

Prepare an annual audit committee report for inclusion in the proxy statement. The report must state whether the committee reviewed financials, discussed them with auditors, and recommended their inclusion in the 10-K.

SEC Regulation S-K Item 407(d)(3), Exchange Act Rule 14a-3

15. Auditor Independence Assessment

High 3 days

At least annually, obtain and review a formal written statement from the external auditor regarding independence. Discuss relationships that may impact independence and take appropriate action.

PCAOB Rule 3526, SOX §301(2)

16. Related Party Transaction Review

Medium 4 days

Review and approve or ratify all related party transactions. Establish policies and procedures for ongoing monitoring of related party transactions.

SEC Regulation S-K Item 404(a), Exchange Act Rule 10A-3(e)(1)(ii)

17. Funding for Auditors and Advisors

Medium 2 days

Ensure the company provides appropriate funding for payment of compensation to the external auditor and any advisors engaged by the audit committee.

SOX §301(6), Exchange Act Rule 10A-3(b)(6)


Common Mistakes That Trigger Enforcement

Mistake: Failing to properly assess audit committee member independence, particularly overlooking indirect financial relationships or family member employment.
Consequence: Exchange listing standards violation, potential delisting, and SEC enforcement action. Remedy requires reconstitution of the committee and restatement of prior audit committee reports.

Mistake: Allowing management to engage the external auditor for non-audit services without prior audit committee approval.
Consequence: Violation of SOX §202 pre-approval requirements, potential auditor independence impairment requiring auditor change, and civil penalties up to $5 million for willful violations under SOX §1106.

Mistake: Not establishing adequate whistleblower procedures or failing to investigate complaints received regarding accounting or auditing matters.
Consequence: Violation of SOX §301(4), potential SEC enforcement for inadequate internal controls under SOX §404, and increased liability exposure. SEC has imposed penalties exceeding $1 million for inadequate whistleblower procedures.

Mistake: Audit committee rubber-stamping management recommendations without conducting independent review of financial statements and internal control assessments.
Consequence: Breach of fiduciary duty, personal liability for audit committee members in securities litigation, and potential SEC enforcement. Directors have faced personal settlements exceeding $500,000 in derivative suits.

Mistake: Appointing audit committee members who lack financial literacy or failing to designate a financial expert when qualified candidates exist.
Consequence: Violation of SOX §407 disclosure requirements and exchange listing standards. Companies must disclose lack of financial expert and explain why, inviting shareholder and regulatory scrutiny that can impact stock price.

Frequently Asked Questions

What are the penalties for non-compliance with SOX audit committee requirements?

SOX §301 violations can result in delisting from national securities exchanges under Exchange Act Rule 10A-3(c). The SEC can impose cease-and-desist orders, civil penalties up to $775,000 per violation for individuals ($9.25 million for entities), and officer/director bars. Willful violations of SOX can result in criminal penalties up to $5 million in fines and 20 years imprisonment under SOX §1106. Additionally, the SEC has imposed penalties ranging from $100,000 to over $1 million in settled enforcement actions involving deficient audit committees.

Can audit committee members serve on multiple public company audit committees?

Yes, but with limitations. NYSE Listed Company Manual §303A.07(a) requires that if an audit committee member serves on more than three public company audit committees, the board must determine that such service does not impair the member's ability to effectively serve. This determination must be disclosed in the annual proxy statement under SEC Regulation S-K Item 407(d)(5). Best practice limits service to three audit committees total to ensure adequate time commitment, particularly for financial experts handling complex industries.

How does SOX define a 'financial expert' for audit committee purposes?

SOX §407 and SEC Regulation S-K Item 407(d)(5)(ii) define an audit committee financial expert as someone with: (1) understanding of GAAP and financial statements; (2) experience applying GAAP in accounting estimates, accruals, and reserves; (3) experience preparing, auditing, analyzing, or evaluating financial statements of comparable complexity; (4) understanding of internal controls over financial reporting; and (5) understanding of audit committee functions. This expertise must be acquired through education and experience as a principal financial officer, controller, public accountant, auditor, or similar position.
