SOX Compliance Pulse — Issue #1: The SEC Just Built a SOX Strike Force

Q: What is the SEC's new SOX Group?

On March 16, 2026, the SEC posted management roles for a dedicated SOX Group within its Division of Enforcement, tasked with investigating and litigating violations of auditing and related professional standards and provisions of the Sarbanes-Oxley Act and other relevant federal securities laws.

Q: What are the penalties for a false Section 302 certification?

Under 15 U.S.C. §7241, a knowing violation of Section 302 carries up to $1 million in fines and 10 years imprisonment. Willful violations under Section 906 (18 U.S.C. §1350) carry up to $5 million and 20 years imprisonment.

Q: When does PCAOB QC 1000 take effect?

PCAOB QC 1000 — requiring audit firms to maintain risk-based quality control systems — takes effect December 15, 2026, after a one-year delay from the original December 2025 date.

Q: What is the Section 302 sub-certification chain?

The sub-certification chain requires finance, legal, and business unit leaders to certify to the CEO/CFO that nothing material was omitted from their area before the executive signs the Section 302 certification. Companies that skip this chain are exposed if something surfaces later — the SEC reads missing sub-certifications as evidence of inadequate controls.

ComplianceStack

SOX Enforcement Watch

The SEC Just Built a Dedicated SOX Strike Force

The unit's mandate, per the official job posting: "investigate and litigate matters involving potential violations of auditing and related professional standards and provisions of the Sarbanes-Oxley Act and other relevant federal securities laws."

This is not a reorganization. It is a purpose-built enforcement engine standing up right now.

Why This Matters to You

The context is critical. The PCAOB — historically the primary auditor cop — had its 2026 budget cut 9.4%, with enforcement funding specifically down 15%. The new PCAOB board has produced minimal enforcement activity since reconstituting. According to Brattle Group data, 84% of 2025 PCAOB enforcement activity predated the board's leadership change.

The SEC is explicitly filling that gap. Chairman Paul Atkins has emphasized a "back to basics" posture — targeting those who "lie, cheat, or steal." The new SOX Group is the operational embodiment of that priority.

What This Group Will Pursue

Audit firms that fail to meet PCAOB professional standards
Companies with inadequate internal controls over financial reporting (ICFR)
CEO/CFO certification violations (Sections 302 and 906)
Complicity in corporate financial misconduct

9.4%

PCAOB 2026 Budget Cut

15%

PCAOB Enforcement Funding Cut

84%

2025 PCAOB Actions Pre-Ledership Change

March 2026 Enforcement Actions Setting the Tone

Audit firm enforcement (March 2026): The SEC charged an audit firm for failing to perform a 2020 audit in accordance with PCAOB standards. The settlement found the firm: did not adequately understand valuation-related internal controls; failed to obtain sufficient appropriate audit evidence; lacked due professional care and professional skepticism.

$80M broker-dealer fine (March 6, 2026): The SEC — alongside FinCEN and FINRA — imposed an $80 million fine on a broker-dealer for BSA violations. The largest AML penalty ever against a broker-dealer. A signal of regulators working in coordination on financial misconduct.

Bottom Line

Two enforcement regimes (SEC + PCAOB) just became one — and the new one is better funded and more aggressive. If your internal controls or audit documentation have gaps, Q2 2026 is your last low-risk window to address them.

Controls Intelligence — Section 302

What CEOs and CFOs Actually Sign When They Certify

Section 302 of SOX (codified at 15 U.S.C. § 7241) requires the principal executive officer and principal financial officer to personally certify each quarterly and annual report filed with the SEC.

What you are certifying:

You have reviewed the report
It contains no material misstatements or omissions
Financial statements fairly present the company's financial condition and results of operations
You are responsible for establishing and maintaining disclosure controls and procedures (DC&P)
You have evaluated DC&P effectiveness within 90 days prior to filing
You have disclosed any significant deficiencies or material weaknesses to the audit committee and external auditors
You have disclosed any fraud involving management or employees with a significant role in internal controls

Civil exposure: Up to $1 million fine and/or 10 years imprisonment for knowing violations. Up to $5 million fine and/or 20 years for willful violations (Section 906 criminal companion).

The 3 Section 302 Mistakes That Trigger SEC Scrutiny

1

No Formal Disclosure Committee

Most SEC enforcement actions involving 302 certifications trace back to a missing or dysfunctional disclosure committee. Without a formal committee with documented meeting minutes, your certification lacks the process infrastructure to support it. Size doesn't matter — a two-person committee with quarterly meetings and written agenda is defensible. No committee is not.

2

Inadequate Documentation Trail

The certification is only as strong as the evidence behind it. Auditors and SEC staff will ask: "Show me the controls you evaluated in the 90 days before signing." If the answer is a spreadsheet last touched six months ago, that is a problem. Your disclosure controls evaluation process needs a paper trail that predates each filing by at least 30 days.

3

Certification Signed Without the Sub-Certification Chain

The CEO/CFO certification is supposed to be backed by sub-certifications from finance, legal, and business unit leaders confirming nothing material was omitted from their area. Companies that skip this chain — treating 302 as a checkbox the CFO signs on deadline day — are exposed if something surfaces later. The SEC reads missing sub-certifications as evidence of inadequate controls.

Who Needs to Read This Now

🚀

Pre-IPO Companies

You need a functional 302 certification program before your first 10-Q, not after. Building this on a filing deadline creates maximum risk exposure.

🔄

Recent CFO Turnover

New executives sometimes sign certifications without being briefed on what the sub-certification chain requires. This is how personal liability accumulates.

📉

Smaller Reporting Companies

Section 404(b) external auditor attestation doesn't apply to you — but 302 certifications apply to every public company regardless of size.

Action Item of the Week

Audit Your Last 302 Sub-Certification Cycle

Pull your most recent 10-Q or 10-K filing. Confirm the following — this takes 30–60 minutes and creates a defensible compliance posture before the SEC's new SOX Group is fully staffed and operational.

You have signed sub-certifications from key functional leaders (finance, legal, business segments)

Your disclosure committee has meeting minutes dated within 90 days of the filing

Any significant deficiencies disclosed to auditors are also reflected in your evaluation

Your DC&P evaluation document is dated and shows who reviewed what

Want to check your full SOX certification readiness in 60 seconds? Run your SOX Pulse on ComplianceStack — enter your filer category and see your Section 302/404/906 status, certification gaps, and top action items. No login required.

Regulatory Radar — Q2/Q3 2026

Deadlines and Developments You Can't Miss

Date	Event	Who It Affects
Apr 15, 2026	Q1 10-Q filing deadline (large accelerated filers, calendar year-end)	Large accelerated filers
May 15, 2026	Q1 10-Q deadline (accelerated filers)	Accelerated filers
Jun 14, 2026	Q1 10-Q deadline (non-accelerated filers)	Non-accelerated filers
Dec 15, 2026	PCAOB QC 1000 effective date — audit firms must have risk-based quality control systems operational	All public companies with registered auditors
Dec 15, 2026	PCAOB AS 2901 effective date — new framework for responding to audit deficiencies discovered post-report	Auditors + audit committees

PCAOB QC 1000 — Why Your Audit Committee Should Care

The most consequential audit standard in years takes effect December 15, 2026. QC 1000 requires every registered audit firm to maintain a comprehensive, risk-based quality control system — a proactive posture, not a post-inspection cleanup.

What Changes for You

Audit firms will now produce certified annual evaluations of their own quality control systems
These evaluations — and any deficiencies found — become discoverable in litigation
A firm that finds its own QC gaps and fails to remediate them faces substantially elevated liability exposure

Reuters reported (April 15, 2026) that the Big Four raised significant objections to QC 1000 — the standard was originally scheduled for December 2025 and was delayed one year after firms cited "insurmountable implementation challenges."

Action: Ask your external auditor directly: "What is your QC 1000 implementation status?" A firm that cannot answer this question clearly is a risk factor in your audit committee report.

PCAOB 2026–2030 Strategic Plan — Comment Window Open

On March 31, 2026, the newly reconstituted PCAOB board voted unanimously to seek public comment on its 2026–2030 strategic plan. New leadership includes Chairman Demetrios Logothetis (retired EY partner), Mark Calabria (former OMB official), and Steven Laughton (former counsel to PCAOB member Christina Ho).

The comment window focuses on seven questions covering inspections, enforcement, and standard-setting priorities. If your industry or audit practice has specific concerns about the inspection program, this is the formal channel to raise them.