SOX Compliance Checklist for Public Companies
Last updated: 2026-04-08 — ComplianceStack Editorial Team
The Sarbanes-Oxley Act imposes criminal penalties on executives who certify false financial statements: up to 20 years imprisonment and a $5 million fine for a willful false certification under Section 906. The SEC's enforcement posture on internal control failures has intensified since 2020, and restatements and material weaknesses are typically accompanied by sharp stock price declines on top of regulatory penalties. This checklist covers the 17 SOX requirements that drive the most enforcement actions, restatements, and audit findings, in priority order for companies approaching their annual 10-K filing.
Complete CEO and CFO Section 302 certifications for each quarterly and annual filing
Both the CEO and CFO must individually certify that they have reviewed the filing, that it contains no untrue statement or omission of a material fact, that the financial statements fairly present the company's financial condition and results, and that they are responsible for establishing and maintaining disclosure controls and procedures (DC&P) and internal control over financial reporting (ICFR). Certifications are filed as Exhibits 31.1 and 31.2. Section 302 itself specifies no criminal penalty; a false 302 certification exposes the signer to SEC enforcement under the Exchange Act's antifraud and reporting provisions, while the parallel Section 906 certification of the same report carries the criminal exposure described next.
Complete CEO and CFO Section 906 certifications for each annual and quarterly report
Section 906 certifications are separate from 302 certifications and carry the criminal penalties. Each signing officer certifies that the report fully complies with Section 13(a) or 15(d) of the Exchange Act and that the information in it fairly presents, in all material respects, the company's financial condition and results of operations. Filed as Exhibits 32.1 and 32.2. A knowing false certification carries up to 10 years imprisonment and a $1 million fine; a willful one carries up to 20 years and $5 million. These certifications are the most serious personal liability exposure for public company executives.
Complete management's assessment of internal control over financial reporting (ICFR) under Section 404(a)
Management must assess the effectiveness of ICFR as of the fiscal year-end using a recognized control framework; the COSO 2013 Internal Control Integrated Framework is the standard. The assessment must identify any material weakness, and if one exists at year-end management must conclude that ICFR is not effective. Accelerated filers and large accelerated filers must also obtain an auditor attestation under Section 404(b); since the SEC's 2020 amendments, an issuer with public float below $700 million and annual revenue below $100 million is a non-accelerated filer and exempt from 404(b). Management's report is included in the annual 10-K. Begin the ICFR assessment process at least 6 months before fiscal year-end.
Establish and evaluate disclosure controls and procedures (DC&P) quarterly
DC&P must be designed to ensure that information required to be disclosed in Exchange Act reports is recorded, processed, summarized, and reported within the required time periods, and is accumulated and communicated to management so that timely disclosure decisions can be made. Under Exchange Act Rules 13a-15 and 15d-15, the CEO and CFO must evaluate DC&P effectiveness as of the end of each fiscal quarter (the original "within 90 days before filing" window was replaced in 2003) and state their conclusion in each 10-Q and 10-K. Document the evaluation methodology, scope, and conclusions. Any material weakness must be disclosed in the relevant filing, together with any change in ICFR during the quarter that materially affected, or is reasonably likely to materially affect, ICFR.
Identify and test controls over all financial statement assertions and significant accounts
Map significant accounts and disclosures to control objectives using the COSO framework. Document control descriptions, control owners, testing frequency, and evidence requirements. Test design effectiveness (walkthroughs) and operating effectiveness (sample testing) for all key controls. Significant deficiencies and material weaknesses discovered during testing require immediate escalation to the audit committee and must be disclosed if material weaknesses remain unremediated at fiscal year-end.
Ensure audit committee financial expert disclosure and independence requirements are met
Companies must disclose whether the audit committee includes at least one "audit committee financial expert", name that person, and, if there is none, explain why not. The financial expert must have experience preparing, auditing, analyzing or evaluating financial statements, an understanding of GAAP, experience with internal controls over financial reporting, and an understanding of audit committee functions. Every audit committee member must be independent under Exchange Act Rule 10A-3: no consulting, advisory or other compensatory fees from the company beyond board and committee fees, and no affiliate relationship with the company. A missing disclosure or a non-independent member requires immediate remediation.
Implement and maintain a confidential whistleblower reporting system
Audit committees must establish procedures for receiving, retaining, and treating complaints about accounting, internal controls, or auditing matters. Employees must be able to submit concerns anonymously and confidentially. Retaliation against whistleblowers is a federal crime under SOX. The audit committee — not management — must oversee the whistleblower system. Maintain records of all complaints received and how they were resolved.
Document all entity-level controls (ELCs) including tone-at-the-top and fraud risk assessment
Entity-level controls include the control environment (code of ethics, board oversight), risk assessment process, information and communication systems, and monitoring activities. A formal fraud risk assessment must identify fraud scenarios, assess likelihood and significance, and identify mitigating controls. Document all ELCs in your control inventory with ownership assigned to a specific position. PCAOB and SEC both emphasize the fraud risk assessment as a high-risk area.
Maintain an auditor independence policy and pre-approval process for all audit and non-audit services
The audit committee must pre-approve all audit and permitted non-audit services provided by the independent auditor. Prohibited non-audit services include bookkeeping, financial information systems design and implementation, appraisal or valuation services, actuarial services, internal audit outsourcing, management functions or human resources, broker-dealer or investment advisory services, and legal or expert services unrelated to the audit. The audit committee must obtain and review the auditor's annual independence communication confirming that all independence requirements are met. An auditor whose independence is impaired cannot issue a valid opinion, which can force a re-audit by another firm and delay or invalidate the filing.
Establish a code of ethics for senior financial officers and disclose it or explain its absence
Companies must adopt a code of ethics for the principal executive officer and senior financial officers (CFO, controller, principal accounting officer) covering honest and ethical conduct, full and fair disclosure, and compliance with applicable laws. The code must be disclosed in Form 10-K or incorporated by reference to a company website posting. Any waiver of the code for an executive officer must be disclosed on Form 8-K within 4 business days.
Prohibit personal loans to directors and executive officers
SOX Section 402 (Exchange Act Section 13(k)) prohibits public companies from extending, maintaining, arranging or renewing credit in the form of a personal loan to any director or executive officer. The exceptions are narrow: consumer credit, home improvement, manufactured-home, charge-card and broker-dealer margin loans made in the ordinary course of the company's consumer credit business, of a type generally available to the public and on market terms, plus Regulation O loans by insured depository institutions. The prohibition covers direct and indirect arrangements, including advances, deferred compensation arrangements structured as loans, and home equity lines where the company is a party. There is no materiality threshold and no cure period: any non-exempt loan is a violation.
Implement clawback policies for executive compensation after financial restatements
Under the SEC's Dodd-Frank Section 954 rules (Exchange Act Rule 10D-1 and the NYSE and Nasdaq listing standards that took effect in late 2023), every listed company must adopt and disclose a compensation recovery (clawback) policy requiring recovery of erroneously awarded incentive-based compensation from current and former executive officers when an accounting restatement is required. Recovery is no-fault, is triggered by both "Big R" and "little r" restatements, and covers the three completed fiscal years preceding the date the restatement was required. The policy is filed as Exhibit 97 to the 10-K. Separately, SOX Section 304 requires the CEO and CFO to reimburse bonuses, incentive compensation and profits from stock sales received in the 12 months after a filing that is later restated because of misconduct.
Comply with accelerated filing deadlines and real-time disclosure obligations
Large accelerated filers (public float ≥ $700M): 10-K due 60 days after fiscal year-end, 10-Q due 40 days after quarter-end. Accelerated filers ($75M–$700M public float and at least $100M annual revenue): 10-K due 75 days, 10-Q due 40 days. Non-accelerated filers: 10-K due 90 days, 10-Q due 45 days. Material events triggering Form 8-K disclosure within four business days include: entry into a material definitive agreement (Item 1.01), a material cybersecurity incident (Item 1.05, four business days from the determination that the incident is material), non-reliance on previously issued financial statements (Item 4.02), departure or appointment of directors and principal officers (Item 5.02), material impairments (Item 2.06), and unregistered sales of equity securities (Item 3.02).
Maintain a document retention policy and legal hold procedures
SOX Section 802 (18 U.S.C. §§ 1519 and 1520) makes it a federal crime to knowingly alter, destroy, conceal or falsify any record with intent to impede a federal investigation or bankruptcy case, and requires auditors to retain audit workpapers (SEC Rule 2-06 sets the period at seven years). The company's own retention policy must set defined periods for financial records and supporting documentation (seven years is the common baseline, aligned to the audit retention period) and must cover electronic communications that bear on financial reporting, including email and chat. Legal hold procedures must suspend routine deletion as soon as litigation, an SEC investigation or a regulatory inquiry is reasonably anticipated, not when it is formally commenced. Retention policies must be board-approved.
Test and document IT general controls (ITGCs) supporting financial systems
ITGC testing is required for every IT system that initiates, records, processes or reports financial data, including the interfaces and end-user spreadsheets that feed the ledger. Key ITGC domains: logical and physical access (provisioning tied to role, periodic access recertification, privileged-account control, prompt removal of leavers' access), change management (program changes tested and approved, and migrated to production by someone other than the developer), computer operations (backups, job scheduling, incident and problem management), and segregation of duties within financial applications (no single user can both initiate and approve a transaction, or both maintain vendor master data and release payments). ITGC deficiencies, above all in user access and change management, are a leading driver of material weaknesses; retain testing evidence for every in-scope system.
Establish close process controls and financial reporting calendar
Document the financial close with defined ownership, timelines, and review procedures for each step. Key controls: journal entry approval (no manual journal entry posts without supporting documentation and review by a supervisor other than the preparer), account reconciliation (every balance sheet account reconciled within a defined period, with reconciling items aged and cleared), financial statement review by senior management, and tie-out of the financial statements and disclosures to the underlying schedules. The close must be controlled, repeatable, and auditable.
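The ITGC segregation-of-duties item and the journal entry approval control above both reduce to the same rule: the person who initiates a transaction must not be the person who approves it. The script below is an added example written for this page, not code from any ERP or GRC product. It runs a detective check over a constructed journal entry extract and a constructed role-assignment export, and shows the same rule enforced preventively at the point of approval. The role names, the conflict matrix and all sample records are assumptions chosen for illustration.

```python
"""Detective and preventive controls for 'no single user can initiate and
approve a transaction', run over constructed sample data (not a real ledger
or IAM export)."""
from collections import defaultdict
from itertools import combinations

# Constructed journal entry extract. Field names are assumed for the example.
JOURNAL_ENTRIES = [
    {"id": "JE-1001", "prepared_by": "alice", "approved_by": "bob",
     "support_doc": "INV-77", "amount": 12000.00},
    {"id": "JE-1002", "prepared_by": "carol", "approved_by": "carol",
     "support_doc": "INV-78", "amount": 4500.00},          # self-approved
    {"id": "JE-1003", "prepared_by": "dave", "approved_by": None,
     "support_doc": "", "amount": 900.00},                  # unapproved, no support
    {"id": "JE-1004", "prepared_by": "erin", "approved_by": "bob",
     "support_doc": "", "amount": 250000.00},               # approved without support
]

# Constructed role export from the financial application.
ROLE_ASSIGNMENTS = {
    "alice": {"JE_PREPARER"},
    "bob":   {"JE_APPROVER"},
    "carol": {"JE_PREPARER", "JE_APPROVER"},               # toxic combination
    "frank": {"VENDOR_MASTER_EDIT", "AP_PAYMENT_RELEASE"}, # toxic combination
    "grace": {"VENDOR_MASTER_EDIT"},
}

# Role pairs one user must never hold together. This matrix is a design
# assumption for the example; SOX prescribes the principle, not the list.
SOD_CONFLICTS = {
    frozenset({"JE_PREPARER", "JE_APPROVER"}),
    frozenset({"VENDOR_MASTER_EDIT", "AP_PAYMENT_RELEASE"}),
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}),
}


def check_journal_entries(entries):
    """Detective control: return (entry_id, finding) for every entry that
    breaks the approval control (no support, no approval, or self-approval)."""
    findings = []
    for e in entries:
        if not e.get("support_doc"):
            findings.append((e["id"], "missing supporting documentation"))
        if e.get("approved_by") is None:
            findings.append((e["id"], "no supervisory approval"))
        elif e["approved_by"] == e["prepared_by"]:
            findings.append((e["id"], "self-approved"))
    return findings


def check_sod(assignments, conflicts=SOD_CONFLICTS):
    """Detective control over the access model: map each user to the
    conflicting role pairs they hold. Users with no conflict are omitted."""
    violations = defaultdict(list)
    for user, roles in assignments.items():
        for pair in combinations(sorted(roles), 2):   # sorted => stable output
            if frozenset(pair) in conflicts:
                violations[user].append(pair)
    return dict(violations)


def approve_entry(entry, approver, assignments=ROLE_ASSIGNMENTS):
    """Preventive control at the point of approval: refuse if the approver
    lacks the approver role, prepared the entry, or the entry has no support.
    Returns a copy with approved_by set; raises PermissionError otherwise."""
    if "JE_APPROVER" not in assignments.get(approver, set()):
        raise PermissionError(f"{approver} does not hold JE_APPROVER")
    if approver == entry["prepared_by"]:
        raise PermissionError("preparer cannot approve their own entry")
    if not entry.get("support_doc"):
        raise PermissionError("entry has no supporting documentation")
    return {**entry, "approved_by": approver}


if __name__ == "__main__":
    for eid, finding in check_journal_entries(JOURNAL_ENTRIES):
        print(f"{eid}: {finding}")
    for user, pairs in check_sod(ROLE_ASSIGNMENTS).items():
        print(f"SoD violation: {user} holds {pairs}")
```

The detective checks are what a control tester runs over a period's extract to produce evidence; the preventive check is what the application itself should enforce so the exception never reaches the ledger. Auditors generally want both: the preventive control stops the event, and the detective one proves over the year that it actually did.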
Conduct and document annual management review of control deficiencies and remediation status
Management must formally classify every control deficiency identified during the year as a control deficiency, a significant deficiency, or a material weakness, using the SEC and PCAOB definitions. A material weakness is a deficiency, or combination of deficiencies, such that there is a reasonable possibility that a material misstatement of the annual or interim financial statements will not be prevented or detected on a timely basis. Track all deficiencies in a centralized log with remediation owner, target date, and status, and present the deficiency summary and remediation status to the audit committee at each meeting.
Frequently Asked Questions
Which companies must comply with SOX Section 404?
All companies that file periodic reports with the SEC, whether because their securities are registered under Section 12 of the Exchange Act (which includes every company listed on the NYSE or Nasdaq) or because they report under Section 15(d), must comply with SOX. Section 404(a) (management's assessment of ICFR) applies to all reporting companies, including smaller reporting companies. Section 404(b) (auditor attestation of ICFR) applies to accelerated and large accelerated filers, which since 2020 means public float of at least $75 million and annual revenue of at least $100 million. A newly public company need not include the 404(a) assessment or the 404(b) attestation in its first annual report, and an emerging growth company is exempt from 404(b) for up to five years after its IPO.
What is the difference between a significant deficiency and a material weakness under SOX?
A control deficiency exists when a control is missing or not operating effectively. A significant deficiency is a deficiency that is less severe than a material weakness but important enough to merit attention by those responsible for oversight. A material weakness is a deficiency where there is a reasonable possibility that a material misstatement of the annual or interim financial statements would not be prevented or detected on a timely basis. Material weaknesses must be disclosed in the annual 10-K; significant deficiencies must be communicated to the audit committee but are not public disclosures unless they become material weaknesses.
What are the criminal penalties for SOX violations?
SOX's criminal provisions are among the harshest in federal securities law. Section 906 false certification carries up to 10 years imprisonment and a $1 million fine if knowing, and up to 20 years and $5 million if willful. Section 802 (18 U.S.C. § 1519, destruction or falsification of records) carries up to 20 years per violation, and 18 U.S.C. § 1520 (destruction of audit workpapers) up to 10 years. Section 1107 (retaliation against whistleblowers who provide truthful information to law enforcement) carries up to 10 years. Section 304 does not carry criminal penalties but requires the CEO and CFO to reimburse the company for bonuses and stock sale profits if a restatement results from misconduct. SOX was enacted in 2002 in response to the Enron and WorldCom frauds, and the DOJ has since used these provisions to prosecute executives in later accounting fraud cases.