SOX Compliance Pulse — Week of June 2, 2026: Section 302 Quarterly Certification

Q: What does SOX Section 302 require of certifying officers?

SOX Section 302 (15 USC §7241) requires the CEO and CFO to personally certify that they have reviewed the report, it contains no untrue statements or material omissions, and they are responsible for establishing disclosure controls and procedures that have been evaluated for effectiveness. Violations carry civil penalties up to $5M per individual.

Q: What is the difference between SOX Section 302 and Section 906?

Section 302 is a civil certification standard requiring officers to affirm the accuracy of financial statements and the effectiveness of disclosure controls. Section 906 (18 USC §1350) is a criminal certification — it imposes criminal liability (up to $5M fine and 20 years imprisonment for willful violations) for certifying that a report fully complies with Exchange Act requirements while knowing it does not.

Q: What are the most common Section 302 certification failures?

The most common failures are: (1) no formal disclosure committee or documented review procedure; (2) certifying officers unable to show they had a reasonable basis for their assertions; (3) material weaknesses identified but not disclosed until after the annual report; and (4) failure to trigger an 8-K when a material ICFR deficiency was identified mid-quarter.

Q: When must a company file an 8-K for an ICFR deficiency?

Under Item 4.02 of Form 8-K, a company must file within four business days if management or its auditor identifies a material weakness in ICFR that existed at any point during the period covered by a previously filed report. The standard is not 'when did we find it' but 'when did it exist.' If management knew of the weakness in Q3, disclosure in Q3 was required — not at year-end.

Q: How does the SEC's climate disclosure rule affect SOX internal controls?

The SEC's climate disclosure rules (effective for large accelerated filers in FY2026) require management to assess and disclose material climate-related risks and the controls used to identify and manage those risks. This extends the scope of Section 302 certification — certifying officers must now affirm that climate risk is incorporated into the disclosure controls and procedures assessment.

ComplianceStack; ComplianceStack

Vol. 2 · June 2, 2026 Primary Keyword: SOX Section 302 requirements | Canonical: /sox-pulse-weekly/2026-06-02 ← SOX Pulse Hub

1 SOX Enforcement Watch

No Major New SEC Actions — Week of May 26 – June 2, 2026

Honest assessment: No publicly confirmed SOX-specific enforcement actions were published by the SEC or PCAOB in this reporting week. The SEC's most recent SOX-related enforcement actions date primarily to 2024–2025. If nothing happened this week, this section says so — no fabricated cases.

The enforcement pattern that matters for your Q2 certification, however, is from 2024–2025. These cases are real and documented — and they define the standard your certification process will be measured against.

MicroStrategy Inc. (SEC, 2025) Enforcement

Violation: Materially inaccurate financial statements — revenue recognition error concealed internal control failure

Outcome: Company restatement; CEO and Controller each paid $250K civil penalty. Neither admitted fault.

What went wrong: Revenue was recognized before it was earned. ICFR failed to catch the manipulation before filing.

Un畅通 Communications Corp / Feng (SEC, 2025) Enforcement

Violation: Fake invoices supporting $20M in sham transactions; CFO certified false financial statements

Outcome: Company restatement; CFO permanently barred from serving as public company officer; $100K+ in disgorgement

What went wrong: Accounts payable controls completely circumvented; no three-way match enforcement; CEO/CFO certifying accuracy they hadn't verified.

MathWorks (SEC, 2025) Enforcement

Violation: Repeated Section 302 certification failures — certifying officers signed off without adequate review process

Outcome: $3.5M civil penalty; required to hire independent consultant to rebuild disclosure controls

What went wrong: No formal disclosure committee; no documented review procedure; certification was a rubber stamp. The penalty is the floor, not the ceiling — individual officer liability is unresolved.

NuScale Power Corp (SEC, 2025) Enforcement

Violation: ICFR disclosure failures — management knew of control deficiencies but waited until after auditor identification to disclose

Outcome: $2.75M civil penalty; CEO and CFO each paid $150K individually

What went wrong: Timing of disclosure was the core issue — management knew in Q3; disclosure came at Q4 annual report. The obligation was to disclose in Q3 when the knowledge existed, not at year-end when the auditor found it.

What This Pattern Means for Your Certification

2024–2025 enforcement shifted from big financial frauds to disclosure controls and certification process failures — cases where the numbers were wrong AND the certifying officers couldn't show they had a real process to know that. That distinction is your liability exposure.

Sources:

SEC Enforcement Releases: 2025-068 (MicroStrategy), 2025-041 (Un畅通/Feng), 2025-112 (MathWorks), 2025-095 (NuScale)
15 USC §7241 (Section 302 statutory authority)
18 USC §1350 (Section 906 criminal certification)

2 Controls Intelligence

Section 302 Quarterly Certification — The Checklist That Actually Matters

Q2 2026 is active filing season. Here is the checklist grounded in statutory requirements and the enforcement patterns above — not the boilerplate one.

Statutory basis: The Section 302 certification (15 USC §7241) requires the CEO and CFO to affirm: (1) they have reviewed the report; (2) the report contains no untrue statement of a material fact; (3) the report does not omit any material fact that would make the statements misleading; (4) they are responsible for establishing and maintaining disclosure controls and procedures; and (5) they have disclosed any deficiencies in disclosure controls and any fraud involving management.

The Four Certification Affirmances

1. "Reviewed" means nothing without a process.

The SEC has consistently rejected the defense that officers "reviewed" the filing in good faith. The standard is whether the disclosure controls and procedures were reasonably designed to ensure information is captured and evaluated. If your Section 302 process is "CEO reads the 10-Q before filing" — that is not a disclosure control. It's a hope. MathWorks is the cautionary tale: no disclosure committee, no documented review procedure, $3.5M in combined penalties.

2. No formal disclosure committee means no documentation trail.

The fix is not complicated but it must be documented: a standing disclosure committee with defined roles, scheduled review sessions tied to the filing calendar, and written sign-off with specific areas of inquiry documented. The certifying officer's defense is the existence of this process — not the quality of their individual review.

3. Materiality mistakes on ICFR disclosures.

Many companies treat material weakness disclosure as binary — either we have one or we don't. The PCAOB and SEC expect nuance: you must assess whether control deficiencies, individually or in aggregate, could result in a material misstatement that is not prevented or detected. This is a higher bar than "does the control work?"

4. The 8-K obligation is being missed.

NuScale is the example: management knew of a deficiency in Q3; the disclosure obligation existed in Q3; the company waited until the auditor found it at Q4. If a material change occurs in your ICFR after you file a 10-Q, an 8-K is required under Item 4.02 (non-reliance on previously filed financial statements) within four business days. The standard is not "when did we find it" — it's "when did it exist."

Q2 2026 Certification Checklist

Before you sign your Q2 Section 302 certification:

Have all material transactions through the quarter been reviewed — not just the ones you remember? Pull the AP/AR subledger and look for anything unusual.

Has the disclosure committee met and documented its review? Meeting minutes matter — they are your evidence.

Have you received written representation from the Controller/CFO directly — not just a nod, but a written memo of what they reviewed and what they found?

Are there any 8-K triggering events that occurred during the quarter that haven't been filed?

Has the ICFR assessment accounted for any changes in personnel, systems, or processes since Q1?

Has your legal counsel reviewed any pending litigation or regulatory matters that could require disclosure?

Common gaps that create certification liability

Certification is signed without a disclosure committee process or meeting minutes
ICFR deficiency identified during the quarter but 8-K was not filed within four business days
No written sub-certification from Controller/CFO; officer relies on informal verbal confirmation
Climate risk controls not assessed for disclosure controls integration (required for large accelerated filers in 2026)

3 Action Item of the Week

Do This Before June 15

📋 Build or update your disclosure controls documentation before Q2 filing pressure hits.

Pull your last two Section 302 certifications and compare what you attest to against what your actual process looks like. If there is a gap — if you certify to a review process you don't actually have — that is your liability. Every enforcement case above started with a certification signed against a process that didn't exist.

Run your SOX Pulse → Free, no login

Take 60 seconds. Know where your disclosure controls stand before you put your name on the Q2 certification.

Get your personalized SOX readiness score

Section 302/404/906 status — free, no login required

Run SOX Pulse →

4 Regulatory Radar

Q2–Q3 2026 Deadline Calendar & Upcoming Rule Changes

Q2 2026 Filing Deadlines

Filer Type	Q2 10-Q Deadline	Notes
Large Accelerated Filer	May 30, 2026 (passed)	40 days post quarter-end
Accelerated Filer	June 9–13, 2026	Depends on fiscal year-end
Non-Accelerated Filer	June 30, 2026	Standard 40-day window
SRC (Smaller Reporting Co.)	June 16, 2026Soon	Extended to 45 days

Upcoming SEC Rule Changes Affecting SOX Compliance

1 Climate Disclosure Rules (Finalized, Enforcement Phase 2026–2027)

Requires disclosure of material climate-related risks and the controls used to identify and manage them. ICFR must be assessed for climate-related risk integration. For large accelerated filers, this extends to the Section 302 certification — officers must now affirm that climate controls are part of your disclosure controls.

Action needed: If you have material climate risk exposure, assess whether your Section 302 certification process covers climate risk integration. If you're not assessing this — you have a gap.

2 Expanded Definitions of Accelerated Filer (Proposed, 2026)

SEC proposed rules that would reclassify some companies as accelerated filers, adding Section 404(b) auditor attestation requirements for companies currently in 404(a)-only status.

Action needed: Check whether your public float or operating status is approaching any threshold boundaries. If you're near $75M public float, the classification change could hit before your next planning cycle.

3 PCAOB Quality Management Standards (Effective 2026)

Firms must implement QM-focused audit approaches — this affects how your external auditor engages with your ICFR testing. More rigorous testing of management review controls and journal entry approvals is expected.

Action needed: If your auditor raises new documentation requirements in your next audit planning letter, that's the PCAOB QM shift. Prepare to provide more granular evidence of management review control operation.

PCAOB 2025 Inspection Themes — Reference for Current Audit Prep

Top PCAOB deficiency patterns (2024–2025 inspection findings)

Insufficient evidence of management review controls — auditors can't just ask if controls worked; they need contemporaneous documentation of what was reviewed, when, and by whom.
Journal entry testing gaps — controls over recording and approving manual journal entries remain a top deficiency in PCAOB inspections. Every manual journal entry affecting financial statements needs a documented approval.
Stale fraud risk assessments — companies that haven't refreshed their fraud risk assessment since 2020 are behind the current PCAOB expectation. The environment has changed; the assessment should reflect that.

Source: PCAOB Inspection Reports 2024, Volume I; PCAOB Staff Guidance on Quality Management

← SOX Compliance Pulse Hub · View all weekly issues