SOX Section 302 vs Section 906: What CEOs and CFOs Need to Know
Last updated: 2026-04-05 — ComplianceStack Editorial Team
SOX requires both the CEO and CFO to personally certify the accuracy of financial reports. Two sections cover these certifications: Section 302 (civil liability) and Section 906 (criminal liability). Both appear in every 10-K and 10-Q filing.
SOX Section 302 vs SOX Section 906: Side-by-Side
| Dimension | SOX Section 302 | SOX Section 906 |
|---|---|---|
| Purpose | Civil certification of internal controls and financial accuracy | Criminal certification — same content, higher stakes |
| Filed with | Periodic reports (10-K, 10-Q) under Exchange Act | Periodic reports under Sarbanes-Oxley Act |
| Who certifies | CEO and CFO | CEO and CFO |
| What they certify | Reviewed report; no material misstatements; adequate disclosure controls; ICFR evaluation; material changes disclosed | Complies with Exchange Act; fairly presents financial condition and results |
| Civil penalty | SEC enforcement: disgorgement, fines, officer bars | N/A (criminal only) |
| Criminal penalty (knowing) | Not applicable (civil framework) | Up to $1M fine and/or 10 years imprisonment |
| Criminal penalty (willful) | Not applicable | Up to $5M fine and/or 20 years imprisonment |
| Disclosure controls | Must evaluate and disclose effectiveness | Not separately required |
| ICFR | Must report on internal control over financial reporting | Not separately required |
| Relationship | More detailed civil certification | Brief criminal add-on to Section 302 certification |
Who Needs Both?
- CEOs and CFOs of all SEC-registered public companies
- Any executive signing periodic SEC filings
Key Differences Summarized
Section 302 is the detailed civil certification — it's what drives the quarterly Disclosure Committee process, ICFR testing, and sub-certifications down the management chain. Section 906 is a brief criminal overlay: if you knowingly certify a false filing, you face up to 10 years; willfully, up to 20 years.
Frequently Asked Questions
Can a CEO delegate the Section 302 certification?
No. The CEO and CFO must personally certify. They can't delegate to a General Counsel or controller. However, they typically receive sub-certifications from business unit leaders to support their certification.
Has anyone been prosecuted under Section 906?
Yes, though prosecutions are rare. The criminal standard (knowingly and willfully) is high. Most SOX enforcement actions are civil, brought by the SEC under Section 302.
What triggers a SOX restatement?
Material misstatements in previously filed financial statements trigger restatements. The SEC may then investigate whether the 302/906 certifications were accurate when made.