SOX Section 302 vs Section 906: What CEOs and CFOs Need to Know

SOX requires both the CEO and CFO to personally certify the accuracy of financial reports. Two sections cover these certifications: Section 302 (civil liability) and Section 906 (criminal liability). Both appear in every 10-K and 10-Q filing.

Dimension

SOX Section 302

SOX Section 906

Purpose	Civil certification of internal controls and financial accuracy	Criminal certification — same content, higher stakes
Filed with	Periodic reports (10-K, 10-Q) under Exchange Act	Periodic reports under Sarbanes-Oxley Act
Who certifies	CEO and CFO	CEO and CFO
What they certify	Reviewed report; no material misstatements; adequate disclosure controls; ICFR evaluation; material changes disclosed	Complies with Exchange Act; fairly presents financial condition and results
Civil penalty	SEC enforcement: disgorgement, fines, officer bars	N/A (criminal only)
Criminal penalty (knowing)	Not applicable (civil framework)	Up to $1M fine and/or 10 years imprisonment
Criminal penalty (willful)	Not applicable	Up to $5M fine and/or 20 years imprisonment
Disclosure controls	Must evaluate and disclose effectiveness	Not separately required
ICFR	Must report on internal control over financial reporting	Not separately required
Relationship	More detailed civil certification	Brief criminal add-on to Section 302 certification

Key Differences

Section 302 is the detailed civil certification — it's what drives the quarterly Disclosure Committee process, ICFR testing, and sub-certifications down the management chain. Section 906 is a brief criminal overlay: if you knowingly certify a false filing, you face up to 10 years; willfully, up to 20 years.

Who Must Comply with Both

CEOs and CFOs of all SEC-registered public companies
Any executive signing periodic SEC filings

Common Questions

Can a CEO delegate the Section 302 certification?

No. The CEO and CFO must personally certify. They can't delegate to a General Counsel or controller. However, they typically receive sub-certifications from business unit leaders to support their certification.

Has anyone been prosecuted under Section 906?

Yes, though prosecutions are rare. The criminal standard (knowingly and willfully) is high. Most SOX enforcement actions are civil, brought by the SEC under Section 302.

What triggers a SOX restatement?

Material misstatements in previously filed financial statements trigger restatements. The SEC may then investigate whether the 302/906 certifications were accurate when made.

Assess Your Compliance → Framework Guides

More Framework Comparisons