SOX Compliance Guide 2026: Sections 302, 404, and 906 Explained

Last updated: 2026-05-03 — ComplianceStack Editorial Team

The Sarbanes-Oxley Act of 2002 (15 USC §7201 et seq.) remains the most consequential corporate governance law in US history — and its enforcement has sharpened considerably heading into 2026. The SEC launched a dedicated SOX enforcement group in March 2026, PCAOB's QC 1000 quality control standard takes effect December 15, 2026, and officer certification fraud continues to generate nine-figure settlements. This guide covers every major provision — Sections 302, 404, 802, 906 — with the statutory citations, PCAOB standards, and real enforcement cases your compliance team needs to know.

Who Must Comply with SOX

SOX applies to any company required to file reports under Section 13(a) or 15(d) of the Securities Exchange Act of 1934 — meaning every company with equity or debt securities registered with the SEC. Compliance obligations vary by filer category:

Large accelerated filers have a public float of $700 million or more and face the most demanding requirements, including the external auditor attestation under Section 404(b) (15 USC §7262(b)) and the tightest filing deadlines (60 days after fiscal year end for 10-K).

Accelerated filers have a float between $75 million and $700 million and must comply with Section 404(a) management assessment, with the 404(b) external auditor attestation still applying. Filing deadline: 75 days after fiscal year end.

Non-accelerated filers have a float below $75 million. They must perform management's internal control assessment under 404(a), but are exempt from the external auditor attestation under 404(b). Filing deadline: 90 days after fiscal year end.

Smaller Reporting Companies (SRCs) — defined as public float below $250 million (or annual revenues below $100 million with no public float) — also qualify for the 404(b) exemption. This exemption was made permanent by the Dodd-Frank Act. See the SOX Section 404 annual checklist at /checklist/sox-section-404-annual for scope determination guidance.

Emerging Growth Companies (EGCs) — companies with less than $1.235 billion in annual gross revenues in their most recent fiscal year — are exempt from 404(b) for up to five years after their IPO under the JOBS Act.

Private companies are not subject to SOX's financial reporting requirements in Sections 302 and 404. However, the anti-fraud and obstruction provisions in Sections 802 (18 USC §1519) and 1107 apply to any person or entity, including private companies, in the context of federal investigations. Section 806 whistleblower protections extend to employees of private companies that are contractors or subsidiaries of public companies.

IPO readiness: Investment banks and underwriters typically require 18 to 24 months of SOX-ready internal controls before an IPO filing. The first Annual Report on Form 10-K as a public company must include management's assessment under Section 404(a). Companies that go public without documented controls in place consistently find material weaknesses in their first external audit — a result that triggers immediate stock price pressure and SEC scrutiny. The SOX compliance pulse tool at /sox-compliance-pulse can help pre-IPO teams assess readiness.

SOX Section 302: CEO/CFO Quarterly Certifications

Section 302 of SOX (codified at 15 USC §7241) requires the principal executive officer and principal financial officer — typically the CEO and CFO — to personally certify each quarterly report on Form 10-Q and each annual report on Form 10-K filed with the SEC.

What the certification covers: Each signing officer must certify under Section 302 that: (1) they have reviewed the report; (2) to their knowledge it contains no untrue statement of a material fact and no omission of a material fact necessary to make the statements not misleading; (3) to their knowledge the financial statements and other financial information fairly present the financial condition and results of operations; (4) they are responsible for establishing and maintaining disclosure controls and procedures (DC&P) and have designed such controls to ensure material information is made known to them; (5) they have evaluated the effectiveness of DC&P as of the end of the period covered; (6) they have disclosed any significant changes in ICFR, including any corrective actions regarding significant deficiencies and material weaknesses.

Disclosure controls and procedures (DC&P) are broader than ICFR — they encompass all controls designed to ensure that information required to be disclosed in Exchange Act reports is recorded, processed, summarized, and reported within the time periods specified. DC&P failures — where a CEO or CFO certifies effective controls that are not in fact operating — are among the most common grounds for SEC enforcement.

The sub-certification process is standard practice at accelerated and large accelerated filers. The CEO and CFO rely on a cascade of certifications from business unit controllers, division GMs, and functional heads — each attesting to the accuracy of the information they contributed to the consolidated financials. The quarterly Section 302 checklist at /checklist/sox-section-302-quarterly provides a model sub-certification workflow.
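A roll-up of the cascade described above, as an added example that is not code from this page or from ComplianceStack (it also models the workflow Step 5 of the program-building section below refers to). The reporting hierarchy, unit names, signer names, period labels, statuses and exception text are constructed for the illustration; the one design rule it enforces is that a unit's certification only counts when every unit that rolls up into it has also certified for the same period, and that any "certified with exceptions" response is carried upward so the CEO and CFO see it when evaluating disclosure controls.

```python
"""Sub-certification cascade roll-up for one Section 302 reporting period.

Added example; not code from the page or from ComplianceStack. The hierarchy,
units, signers, period labels and exception notes are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed reporting tree: each node's certification is only as good as the
# certifications of the units that roll up into it.
HIERARCHY: Dict[str, List[str]] = {
    "consolidated": ["na_division", "emea_division"],
    "na_division": ["na_sales", "na_ops"],
    "emea_division": ["emea_sales"],
}

CLEAN = "certified"
WITH_EXCEPTIONS = "certified_with_exceptions"


@dataclass
class SubCertification:
    unit: str
    signer: str
    period: str
    status: str
    exception_note: Optional[str] = None


@dataclass
class CascadeResult:
    ready_to_certify: bool
    missing_units: List[str]                 # units with no usable sub-certification
    exceptions: List[Tuple[str, Optional[str]]]  # (unit, note) to carry into the DC&P review


def evaluate_cascade(certs: List[SubCertification], period: str,
                     root: str = "consolidated") -> CascadeResult:
    """Decide whether the root (CEO/CFO level) is supported for the period."""
    # Only certifications for the requested period count; a prior-period
    # certification from the same unit is ignored, not reused.
    by_unit = {c.unit: c for c in certs if c.period == period}
    missing: List[str] = []
    exceptions: List[Tuple[str, Optional[str]]] = []

    def supported(unit: str) -> bool:
        ok = True
        # The root is the level whose readiness we are computing, so it needs
        # no sub-certification of its own; every other node does.
        if unit != root:
            cert = by_unit.get(unit)
            if cert is None or cert.status not in (CLEAN, WITH_EXCEPTIONS):
                missing.append(unit)
                ok = False
            elif cert.status == WITH_EXCEPTIONS:
                exceptions.append((unit, cert.exception_note))
        for child in HIERARCHY.get(unit, []):
            # Evaluate every child even after a failure so the report is complete.
            if not supported(child):
                ok = False
        return ok

    ready = supported(root)
    return CascadeResult(ready, missing, exceptions)


# Constructed sample: EMEA sales has only a stale prior-period certification.
SAMPLE_CERTS = [
    SubCertification("na_sales", "na.sales.ctrl", "2026Q1", CLEAN),
    SubCertification("na_ops", "na.ops.ctrl", "2026Q1", WITH_EXCEPTIONS,
                     "Bank reconciliation for account 1020 signed off 12 days late"),
    SubCertification("na_division", "na.gm", "2026Q1", CLEAN),
    SubCertification("emea_division", "emea.gm", "2026Q1", CLEAN),
    SubCertification("emea_sales", "emea.sales.ctrl", "2025Q4", CLEAN),
]

if __name__ == "__main__":
    result = evaluate_cascade(SAMPLE_CERTS, "2026Q1")
    print("ready:", result.ready_to_certify)
    print("missing:", result.missing_units)
    print("exceptions:", result.exceptions)
```

With the sample data the consolidated certification is not ready because emea_sales has no current-period sub-certification, and the na_ops exception is surfaced rather than absorbed by the division-level sign-off. Adding a current-period certification for emea_sales flips readiness to true while the exception still travels up.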

Material weakness disclosure: If a material weakness in ICFR exists at fiscal year end, Section 302 requires the CEO and CFO to disclose it in the annual report. Failure to disclose a known material weakness while certifying effective controls is the fact pattern most SEC enforcement actions are built on.

Penalties: Civil penalties under Section 302 enforcement can reach $1 million per violation. The criminal exposure for knowingly false certifications is covered by Section 906. For a full breakdown, see SOX officer certification penalties at /penalties/sox/officer-certification.

SOX Section 404: Internal Controls Over Financial Reporting (ICFR)

Section 404 (15 USC §7262) is the most operationally demanding provision of SOX. It requires management to assess and report on the effectiveness of internal control over financial reporting (ICFR) each fiscal year, and for large accelerated filers, requires the external auditor to separately attest to that assessment under PCAOB AS 2201.

Management's assessment (404(a)): Management must conduct an assessment of ICFR effectiveness using a recognized internal control framework. The dominant framework is the COSO 2013 Internal Control — Integrated Framework, which organizes controls across five components and seventeen principles:

- Control environment: Tone at the top, board oversight, organizational structure, competence and accountability.
- Risk assessment: Identifying and analyzing risks to achievement of financial reporting objectives, including fraud risk.
- Control activities: The policies and procedures that address risks, including authorization controls, physical controls, reconciliations, and IT controls.
- Information and communication: Systems and processes that capture and communicate financial information reliably, both internally and externally.
- Monitoring activities: Ongoing and periodic evaluations of the five components; timely remediation of identified deficiencies.

Management's assessment must conclude whether ICFR is effective as of fiscal year end and disclose any material weaknesses. A single material weakness requires a conclusion that ICFR is not effective.

External auditor attestation (404(b)): Large accelerated filers must have their registered public accounting firm issue an opinion on ICFR under PCAOB AS 2201. AS 2201 requires the auditor to plan and perform the ICFR audit to obtain reasonable assurance that no material weaknesses exist.

Significant deficiency vs. material weakness: A significant deficiency is a control deficiency important enough to merit attention of those responsible for financial oversight but less severe than a material weakness. A material weakness is a deficiency where there is a reasonable possibility that a material misstatement of financial statements will not be prevented or detected on a timely basis. Material weakness disclosure is a serious event — it typically triggers a stock price decline, an auditor downgrade, and regulatory inquiry.

IT General Controls (ITGCs): ITGC failures are among the most common sources of material weaknesses. The four ITGC domains are: (1) Logical access — who has access to financial systems, how it is provisioned, reviewed, and revoked; (2) Change management — how changes to financial applications are tested, approved, and deployed; (3) Computer operations — job scheduling, backup procedures, incident management; (4) Program development — SDLC controls for new applications that affect financial reporting.

Key SOX controls by process area:
- Financial close process: period-end close checklists, journal entry authorization and review, account reconciliation sign-off
- Segregation of duties: no single individual can initiate, approve, and record a financial transaction
- Access controls: role-based provisioning, quarterly user access reviews, privileged access monitoring
- Change management: documented change tickets, peer review, UAT sign-off, segregation between development and production
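The logical-access checks behind the segregation-of-duties and access-control bullets above, as an added example (not code from this page or from ComplianceStack) run over a constructed user-entitlement extract. The entitlement names, the conflict pairs, the 90-day window used to define a quarterly review as current, and the sample users are all assumptions made for the illustration; a real program would take the conflict matrix from the ERP's role design and the extract from the identity system.

```python
"""Logical-access ITGC checks over a constructed user-entitlement extract.

Added example; not code from the page or from ComplianceStack. Entitlement
names, conflict pairs, the review window and the sample users are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Assumed SoD conflict matrix: each pair, held by one person, lets that person
# initiate, approve and record a transaction end to end.
SOD_CONFLICT_PAIRS = [
    frozenset({"vendor_create", "payment_release"}),
    frozenset({"ap_invoice_entry", "payment_release"}),
    frozenset({"journal_entry", "journal_post_approve"}),
]

# Quarterly user access review: a review older than this is treated as stale.
REVIEW_WINDOW_DAYS = 90


@dataclass
class UserAccess:
    user_id: str
    entitlements: Set[str]
    active_employee: bool
    last_access_review: Optional[date]  # None means never reviewed
    privileged: bool = False


def sod_conflicts(users: List[UserAccess]) -> List[Tuple[str, Tuple[str, ...]]]:
    """(user, conflicting pair) for every user holding both sides of a pair."""
    findings = []
    for u in users:
        for pair in SOD_CONFLICT_PAIRS:
            if pair <= u.entitlements:
                findings.append((u.user_id, tuple(sorted(pair))))
    return findings


def stale_reviews(users: List[UserAccess], as_of: date) -> List[str]:
    """Users never reviewed, or reviewed more than REVIEW_WINDOW_DAYS ago."""
    stale = []
    for u in users:
        if u.last_access_review is None or \
                (as_of - u.last_access_review).days > REVIEW_WINDOW_DAYS:
            stale.append(u.user_id)
    return stale


def orphaned_accounts(users: List[UserAccess]) -> List[str]:
    """Terminated employees who still hold entitlements (revocation failure)."""
    return [u.user_id for u in users if not u.active_employee and u.entitlements]


def privileged_users(users: List[UserAccess]) -> List[str]:
    """Privileged accounts, listed so their activity is put under monitoring."""
    return [u.user_id for u in users if u.privileged]


def run_access_review(users: List[UserAccess], as_of: date) -> Dict[str, list]:
    """Bundle the checks into one result for the access-control owner."""
    return {
        "sod_conflicts": sod_conflicts(users),
        "stale_reviews": stale_reviews(users, as_of),
        "orphaned_accounts": orphaned_accounts(users),
        "privileged_users": privileged_users(users),
    }


# Constructed sample extract (not real data).
SAMPLE_USERS = [
    UserAccess("ap.clerk", {"ap_invoice_entry"}, True, date(2026, 1, 15)),
    UserAccess("ctrl.ops", {"vendor_create", "payment_release"}, True, date(2026, 1, 15)),
    UserAccess("gl.acct", {"journal_entry", "journal_post_approve"}, True, date(2026, 2, 1)),
    UserAccess("ex.staff", {"ap_invoice_entry"}, False, date(2025, 6, 1)),
    UserAccess("dba.admin", {"db_superuser"}, True, None, privileged=True),
]
REVIEW_DATE = date(2026, 3, 31)

if __name__ == "__main__":
    for finding, items in run_access_review(SAMPLE_USERS, REVIEW_DATE).items():
        print(f"{finding}: {items}")
```

Each finding maps to a control in the list above: the SoD hits are design failures in role assignment, the stale and never-reviewed accounts are a failure of the quarterly user access review, the terminated user with live entitlements is a deprovisioning failure, and the privileged list is the population that privileged access monitoring has to cover.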

Use the annual SOX 404 checklist at /checklist/sox-section-404-annual to walk through scoping, control documentation, and testing procedures.

SOX Section 906: Criminal Certification (18 USC §1350)

Section 906 of SOX — codified as a standalone criminal statute at 18 USC §1350, separate from Section 302's civil enforcement framework — imposes personal criminal liability on CEOs and CFOs who certify materially false financial statements.

What the certification requires: Each periodic report filed under Section 13(a) or 15(d) of the Exchange Act that contains financial statements must be accompanied by a written statement from the CEO and CFO certifying that the report fully complies with Exchange Act requirements and fairly presents, in all material respects, the financial condition and results of operations of the company. Unlike Section 302, which is a detailed multi-part attestation, Section 906 is a single-sentence certification with criminal teeth.

Penalty tiers:
- Knowing violation: A CEO or CFO who certifies a statement knowing it does not comply faces a fine of up to $1,000,000 and imprisonment of up to 10 years, or both.
- Willful violation: A CEO or CFO who willfully certifies a false statement faces a fine of up to $5,000,000 and imprisonment of up to 20 years, or both.

Section 302 vs. Section 906: The critical distinction is the enforcement track. Section 302 violations are pursued civilly by the SEC and can result in civil monetary penalties, disgorgement, bars from serving as an officer or director, and injunctive relief. Section 906 violations are pursued criminally by the Department of Justice. In practice, the SEC and DOJ coordinate — SEC enforcement triggers parallel DOJ investigation in significant fraud cases.

2026 enforcement context: The SEC announced the formation of a new dedicated SOX Enforcement Group on March 16, 2026, specifically to increase the pace and sophistication of officer certification enforcement. Separately, PCAOB's enforcement budget was cut 15% in 2026 as part of a 9.4% overall budget reduction, which may reduce audit firm disciplinary actions but does not reduce SEC's direct authority over issuers and officers.

See the SOX certification page at /sox-certification and the officer certification penalty tracker at /penalties/sox/officer-certification for current enforcement data.

SOX Auditor Independence: Section 201

Section 201 of SOX (15 USC §7231) prohibits registered public accounting firms from providing nine categories of non-audit services to their SEC audit clients:

1. Bookkeeping or other services related to the accounting records or financial statements
2. Financial information systems design and implementation
3. Appraisal or valuation services, fairness opinions, or contribution-in-kind reports
4. Actuarial services
5. Internal audit outsourcing
6. Management or human resources functions
7. Broker or dealer, investment adviser, or investment banking services
8. Legal services and expert services unrelated to the audit
9. Any other service that the PCAOB determines is impermissible

The prohibition is absolute for the nine listed categories — there is no waiver or pre-approval path.

Audit committee pre-approval: For all other non-audit services not in the prohibited list — such as tax services, agreed-upon procedures, or due diligence — the audit committee must pre-approve the engagement. This requirement is codified at 15 USC §7231(h).

Partner rotation: Lead audit partners and concurring review partners must rotate off a client after five consecutive years under PCAOB rules. A two-year cooling-off period applies before a rotated partner can return.

Cooling-off period for employment: Under 15 USC §7233, audit firm members who performed an audit engagement cannot be hired by the client into certain senior financial roles (CEO, CFO, CAO, Controller, Chief Compliance Officer, or equivalent) for a period of one year after the audit engagement.

Lead auditor identification (PCAOB AS 3101): PCAOB AS 3101 requires the lead audit engagement partner's name to be publicly disclosed in the auditor's report, effective for audits of fiscal years ending on or after January 31, 2018. This accountability measure allows investors and enforcement agencies to track individual partner performance across engagements.

Real SEC and PCAOB Enforcement Cases (2018–2026)

Understanding how SOX enforcement actually plays out is essential for building a realistic compliance program. These six cases represent the range of conduct — from fabricated revenue to negligent controls to false certifications — that regulators pursue.

Luckin Coffee — $180 million SEC settlement (2020)
Luckin Coffee, a Chinese coffee chain listed on the NASDAQ, agreed to pay $180 million to settle SEC charges that it fabricated approximately $310 million in sales during 2019. The company inflated revenue through fictitious transactions to meet growth targets and sustain its stock price after its April 2019 IPO. The fraud involved coordinated falsification of sales records, purchase orders, and bank statements. Luckin's case illustrates how SOX Section 302 certifications become criminal exposure when officers certify financials they know to be false.

Theranos / Elizabeth Holmes — $500 million+ fraud, 11 years federal prison (2022)
Elizabeth Holmes, CEO of Theranos, was sentenced in November 2022 to 11 years and 3 months in federal prison for wire fraud and conspiracy. Theranos raised over $700 million from investors based on false claims about its blood-testing technology. Holmes's co-defendant and COO Sunny Balwani received a 13-year sentence. The case remains the defining example of how investor fraud tied to false certifications carries maximum federal criminal exposure.

MiMedx Group — $6.5 million SEC settlement (2021)
MiMedx settled SEC charges for $6.5 million in connection with a channel-stuffing and revenue recognition fraud spanning 2013 through 2016. The company's CFO personally falsified Section 302 certifications, attesting to the effectiveness of disclosure controls he knew were failing. Two former executives were also criminally charged by the DOJ.

Cronos Group — $1.35 million SEC settlement (2021)
Cronos Group, a Canadian cannabis company listed on NASDAQ, settled SEC charges for $1.35 million related to PCAOB audit failures and improper revenue recognition. Cronos's external auditor failed to detect red flags around revenue transactions with resellers that did not meet recognition criteria under ASC 606.

Outcome Health — $70 million FTC and $65 million SEC enforcement (2022)
Outcome Health faced parallel FTC and SEC enforcement actions totaling approximately $135 million in 2022. The company sold advertising inventory to pharmaceutical clients that was never delivered, then provided false performance metrics. Senior executives made false representations to investors and falsely certified financial statements.

General Electric — $200 million SEC settlement (2023)
GE agreed to pay $200 million in 2023 to settle SEC charges that it misled investors about the financial condition of its insurance business and power segment between 2015 and 2018. GE failed to disclose that it would need to contribute approximately $15 billion to its legacy long-term care insurance portfolio and understated liabilities in its power segment. CEO and CFO certifications under Section 302 were the basis for investor reliance on the misleading disclosures.

For ongoing enforcement tracking, see the SOX compliance pulse at /sox-compliance-pulse and weekly SOX enforcement digest at /sox-pulse-weekly.

PCAOB Standards and the 2026 Enforcement Landscape

The Public Company Accounting Oversight Board (PCAOB) was established by SOX Section 101 as a nonprofit corporation to oversee audits of public companies and brokers and dealers. Its standards directly govern how external auditors conduct SOX 404(b) integrated audits.

PCAOB AS 2201 — Integrated audit standard: AS 2201 is the operative standard for Section 404(b) engagements. It requires auditors to: (1) plan the ICFR audit in relation to the financial statement audit; (2) use a top-down, risk-based approach to identify controls to test; (3) test the design and operating effectiveness of selected controls; (4) assess the effect of identified deficiencies; and (5) form an opinion on whether ICFR is effective.

PCAOB QC 1000 — Quality control standard (effective December 15, 2026): PCAOB adopted QC 1000 as its first comprehensive quality control standard for registered audit firms. Effective for fiscal years beginning on or after December 15, 2023 (with full implementation by December 15, 2026), QC 1000 requires all registered firms to design, implement, and maintain a risk-based quality control system across eight components: leadership and governance, ethics and independence, acceptance and continuance, engagement performance, human resources, technology and tools, monitoring and remediation, and information and communication.

2026 PCAOB budget reduction: The PCAOB's 2026 budget was cut 9.4% overall, with enforcement-specific funding down approximately 15%. This reduction has raised concerns among investor advocates that inspection frequency and enforcement actions against audit firms may decline.

SEC's dedicated SOX Group (March 2026): On March 16, 2026, the SEC's Division of Enforcement announced the formation of a dedicated SOX Enforcement Group focused specifically on officer certification fraud, ICFR disclosure failures, and audit committee oversight failures. The group is expected to prioritize cases involving repeat violations, intentional circumvention of controls, and failure to remediate disclosed material weaknesses.

Audit committee's oversight role: Under SOX Section 301 (15 USC §78j-1), audit committees of listed companies must be composed entirely of independent directors and are directly responsible for the appointment, compensation, and oversight of the external auditor. Track PCAOB inspection reports and enforcement orders through the SOX frameworks page at /frameworks/sox and the SOX pulse weekly digest at /sox-pulse-weekly.

Building Your SOX Compliance Program

A SOX compliance program is not a project — it is an ongoing operational capability. The following sequence reflects best practice for accelerated and large accelerated filers building or refreshing their programs.

Step 1: Scope determination. Start with a financial statement risk assessment. Identify the significant accounts and disclosures that, if misstated, could result in a material misstatement of the financial statements. Apply quantitative thresholds (typically 5% of pre-tax income or 0.5% of total assets) and qualitative factors (fraud risk, complexity, judgment). Document your scoping rationale — the auditor will challenge it.

Step 2: Control inventory and documentation. For each in-scope process, document the control objectives, risks, and key controls in a Risk and Control Matrix (RACM or RCM). Each control record should identify: control description, control owner, frequency, whether it is preventive or detective, and the documentation that evidences its performance.

Step 3: COSO 2013 framework mapping. Map entity-level controls to the five COSO components and seventeen principles. An absence of entity-level controls — weak tone at the top, inadequate risk assessment, or missing monitoring activities — can aggregate into a material weakness even if all process-level controls are operating.

Step 4: IT general controls. For each financial application in scope, document the four ITGC domains: logical access (provisioning, quarterly user access reviews, privileged access monitoring), change management (change tickets, peer review, segregation of development and production), computer operations (backup and recovery, job scheduling, incident response), and program development (SDLC policies for new systems).

Step 5: Sub-certification process. Design a sub-certification process that flows from business unit controllers and functional owners up to the CFO. Sub-certifiers should attest to the accuracy of their segment's financial data and the effectiveness of the controls within their scope. See the quarterly 302 checklist at /checklist/sox-section-302-quarterly for a model template.

Step 6: Testing. For key controls, perform design effectiveness assessment and operating effectiveness testing. For annual controls, test once per year. For quarterly controls, test four instances. Document exceptions and evaluate their severity.

Step 7: Material weakness remediation workflow. If a material weakness is identified: root cause analysis → remediation plan approved by audit committee → implementation of new controls → re-testing before fiscal year end if timing allows → disclosure in 10-K if not remediated by year-end.

Deadlines for accelerated filers: Management's assessment must be completed and included in the Form 10-K filed within 75 days of fiscal year end. For large accelerated filers, the deadline is 60 days.

The SOX compliance pulse at /sox-compliance-pulse and the financial disclosure checklist at /checklist/sox/financial-disclosure provide ongoing tracking tools for each phase of your program.

SOX Section 802: Document Retention and Destruction (18 USC §1519)

Section 802 of SOX created two new criminal offenses related to document destruction. These provisions apply broadly — not only to public companies but to any person who destroys, alters, conceals, falsifies, or makes a false entry in any record, document, or object with the intent to impede, obstruct, or influence a federal investigation or proceeding.

Audit workpaper retention: Section 802(a), codified at 18 USC §1519, requires registered public accounting firms to retain audit and review workpapers for a period of five years from the end of the fiscal year in which the audit or review was concluded. The SEC extended this to seven years under 17 CFR §210.2-06.

Electronic communications: Related SEC rules under 17 CFR §240.17a-4 establish a five-year retention requirement for electronic communications that are business records.

Criminal penalties for document destruction: Knowing destruction, alteration, or concealment of records in anticipation of or during a federal investigation carries up to 20 years imprisonment under 18 USC §1519. The statute does not require that a formal investigation be underway — anticipatory destruction in contemplation of a foreseeable federal proceeding is sufficient.

Whistleblower procedures under Section 301: SOX Section 301 requires listed companies to establish procedures for the receipt, retention, and treatment of complaints received by the audit committee regarding accounting, internal accounting controls, or auditing matters. The procedures must also allow employees to submit concerns anonymously.

Dodd-Frank whistleblower awards: The Dodd-Frank Act established the SEC Whistleblower Program at 17 CFR Part 240 (Rule 21F). Individuals who voluntarily provide the SEC with original information leading to a successful enforcement action resulting in sanctions exceeding $1 million are entitled to an award between 10 and 30 percent of the sanctions collected. Since the program's inception through fiscal year 2024, the SEC has awarded over $2 billion to whistleblowers. The program is a direct incentive for employees with knowledge of SOX violations — including false certifications, suppressed material weaknesses, and document destruction — to report directly to the SEC. The financial disclosure checklist at /checklist/sox/financial-disclosure includes document retention verification steps.

SOX FAQs for CFOs and Compliance Officers

Does SOX apply to private companies?
Most of SOX does not apply to private companies. Sections 302, 404, and 906 apply only to companies required to file reports under Sections 13(a) or 15(d) of the Exchange Act. However, Section 802 (18 USC §1519, document destruction), Section 1107 (whistleblower retaliation), and Section 806 (whistleblower protections for contractor employees) apply without regard to public status. Private companies preparing for an IPO should begin building SOX-compliant ICFR no later than 18 to 24 months before the expected filing date. See the SOX frameworks overview at /frameworks/sox.

What is the difference between a significant deficiency and a material weakness?
Both are control deficiencies. A significant deficiency exists when the deficiency is important enough that those charged with governance should be informed, but it does not rise to the level of a material weakness. A material weakness exists when there is a reasonable possibility that a material misstatement of the annual or interim financial statements will not be prevented or detected and corrected on a timely basis. In practice: a significant deficiency is a yellow flag; a material weakness requires disclosure in the 10-K and causes the CEO and CFO to conclude that ICFR is not effective.

Can a company remediate a material weakness before fiscal year end?
Yes. If management identifies a material weakness before fiscal year end and implements effective remediation with sufficient time to test the new control's operating effectiveness before year end, the material weakness may be considered remediated. The SEC and PCAOB expect that the remediated control has operated for a sufficient period — typically a quarter or more. Full disclosure of the remediation timeline, root cause, and testing evidence should be preserved regardless.

What are the Section 302 certification requirements for quarterly versus annual filings?
The certification requirement applies to both. For each Form 10-Q, the CEO and CFO must certify the same six points. For Form 10-K, the same certifications apply, plus management must include its assessment of ICFR effectiveness under Section 404(a) and, for large accelerated filers, the external auditor's 404(b) attestation. The quarterly 302 certification checklist at /checklist/sox-section-302-quarterly outlines each required element by filing type.

How does SOX interact with PCAOB QC 1000 starting in 2026?
QC 1000 does not add new requirements to issuers directly. Its impact on issuers is indirect: all registered audit firms must now document and operate risk-based quality control systems, which means audit procedures for SOX 404(b) engagements will be subject to more rigorous firm-level oversight. Audit committees should ask their external auditors how their firm's QC 1000 implementation affects engagement quality. Monitor developments through the compliance pulse dashboard at /compliance-pulse and SOX pulse weekly at /sox-pulse-weekly.

Track Your SOX Compliance Program in Real Time

ComplianceStack's SOX Pulse monitors your Section 302 and 404 obligations, flags approaching certification deadlines, and surfaces material weakness risk signals before they reach the auditor.
