Step-by-step workflows for every certification section. Interactive checklists with CFR/USC citations, AI readiness scoring, and auditor-ready document generation.
Certify disclosure controls, ICFR design, and financial statement accuracy. Required on every 10-K and 10-Q. 18 checklist items covering all five §302 sub-certifications.
Management's ICFR effectiveness assessment using COSO 2013. Accelerated filers require 404(b) external auditor attestation. 22 items covering design, testing, and deficiency classification.
Criminal certification that periodic reports fully comply with the Exchange Act and fairly present financial condition. Willful false certifications: $5M fine + 20 years prison. 12 items covering criminal exposure.
Know what each certification requires, who signs it, and what's at stake.
| Requirement | Section 302 (Civil) | Section 404 (ICFR) | Section 906 (Criminal) |
|---|---|---|---|
| Citation | 15 USC §7241 | 15 USC §7262 | 18 USC §1350 |
| Frequency | Quarterly (10-Q) + Annual (10-K) | Annual (10-K only) | Quarterly (10-Q) + Annual (10-K) |
| Who Signs | CEO + CFO | Management (+ external auditor for LAF/AF) | CEO + CFO |
| Exhibit Number | Exhibit 31.1 & 31.2 | Part of annual report body | Exhibit 32.1 (combined) |
| Civil Penalty | Up to $1,000,000 | Up to $500,000 (restatement) | Up to $1,000,000 |
| Criminal Penalty | $1M fine + 10 years (knowing) | N/A (civil only) | $5M fine + 20 years (willful) |
| Small Company Exemption | None — all public companies | 404(b) exempt for NAF, SRC, EGC | None — all public companies |
| External Auditor Required | No | Yes (404b) for LAF + AF only | No |
| Primary Focus | Disclosure controls + financial accuracy | ICFR design + effectiveness + deficiencies | Full compliance + fair presentation |
From checklist to auditor-ready output in three steps.
Each certification section has an interactive checklist with every requirement. Mark items as Not Started, In Progress, Complete, or N/A. Progress saves automatically. Material weakness indicators are prioritized first.
After marking your checklist, click "Assess My Readiness." AI analyzes your gaps against your filer category, flags critical blockers, and generates a risk-rated remediation plan with timeline estimates.
Export a free readiness summary with your current status, top gaps, and recommended actions. Premium package adds management assessment narrative, controls testing templates, and audit committee communication templates.
Clear answers to SOX certification requirements.
The Sarbanes-Oxley Act imposes three key certification requirements:

- Section 302 (15 USC §7241): CEO/CFO quarterly and annual civil certifications covering disclosure controls and ICFR.
- Section 404 (15 USC §7262): annual management ICFR assessment (plus external auditor attestation for accelerated filers under PCAOB AS 2201).
- Section 906 (18 USC §1350): criminal certification that each periodic report fully complies with Exchange Act requirements and fairly presents financial condition.

All three are required on every 10-K and 10-Q (except 404, which is annual only).
Section 302 is a civil certification. Officers certify that disclosure controls are effective, ICFR is properly designed, and financial statements are accurate. Penalties for knowing false certification: $1M civil + up to $1M criminal and 10 years. Section 906 is a criminal certification added to each periodic report as a separate exhibit. Officers certify that the report "fully complies" with the Exchange Act and "fairly presents" financial condition. Penalties are steeper: knowing violation = $1M + 10 years; willful violation = $5M + 20 years (18 USC §1350(c)). Both certifications are required; you cannot omit either.
Section 404(b) external auditor attestation is required for accelerated filers (public float $75M–$700M) and large accelerated filers (public float ≥$700M). Exempt: non-accelerated filers (<$75M float), smaller reporting companies (SRCs: revenue <$250M or float <$700M), and emerging growth companies (EGCs) for 5 fiscal years post-IPO under the JOBS Act. All public companies — regardless of size — must comply with 404(a) management assessment, Section 302, and Section 906. There are no total SOX exemptions for registered issuers.
Filing deadlines depend on filer category:

- Large accelerated filers (float ≥$700M): 10-K due 60 days after fiscal year-end; 10-Q due 40 days after quarter-end.
- Accelerated filers (float $75M–$700M): 10-K due 75 days after fiscal year-end; 10-Q due 40 days after quarter-end.
- Non-accelerated filers: 10-K due 90 days; 10-Q due 45 days.

Section 302 and Section 906 certifications are filed with each report. Late filings trigger SEC enforcement and can constitute separate disclosure violations. Use the Deadline Tracker to set reminders based on your fiscal year-end.