No New Named Enforcement Actions — Week of June 16–23, 2026
Bottom line: No new SEC or PCAOB SOX-specific enforcement actions published this week. The SEC's SOX enforcement group, announced March 31, 2026, is still in formation. This is the fourth consecutive quiet week. Named cases typically trail policy infrastructure by 12–18 months. The window for proactive remediation continues through mid-2026.
This publication tracks named SEC and PCAOB enforcement actions from public releases. Enforcement data becomes searchable on SEC.gov typically 4–6 weeks after actions are filed. Weeks without named actions do not imply absent investigation activity. For real-time tracking, monitor SEC Enforcement Releases directly at sec.gov/divisions/enforce/enforceactions.html.
Reference baseline sources:
- SEC Enforcement Releases: 2025-041 (Feng), 2025-095 (NuScale), 2025-068 (MicroStrategy), 2025-112 (MathWorks), 2024-089 (Primoris)
- SEC Release 2026-46 (Filer Reform S7-2026-15)
- PCAOB Quality Control Standards (QC 1000, AS 2201, AS 1215)
Section 404 Deep Dive: ICFR Testing Gaps That Produce Material Weaknesses
Section 404 requires management to assess and report on the effectiveness of internal control over financial reporting (ICFR). The assessment itself is not the hard part. The hard part is the testing that supports the assessment — and the five gaps below represent where ICFR programs consistently break down, producing material weaknesses that trigger SEC inquiries and 8-K Item 4.02 disclosure obligations.
What Section 404 Requires (15 USC §7241(a))
Statutory basis: Section 404(a) requires management to assess and report on the effectiveness of ICFR annually in the 10-K. Section 404(b) requires independent external auditor attestation for large accelerated filers ($700M+ public float). The filer categories and their specific obligations are defined in SEC rules and PCAOB standards.
Filer Obligations Under Section 404
| Filer Type | 404(b) Auditor Attestation | 404(a) Management Assessment | ICFR Disclosure | Material Weakness Disclosure Trigger |
|---|---|---|---|---|
| Large Accelerated Filer (LAF) $700M+ public float |
Required — annual auditor attestation | Required — management assessment | Required — ICFR effectiveness disclosure | Any material weakness triggers 8-K Item 4.02 + 10-K ICFR report disclosure |
| Accelerated Filer $75M–$700M public float |
Required — annual auditor attestation | Required — management assessment | Required — ICFR effectiveness disclosure | Any material weakness triggers 8-K Item 4.02 + 10-K ICFR report disclosure |
| Non-Accelerated Filer Under $75M public float |
Not required | Required — management assessment | Required — ICFR disclosure in 10-K | Management must disclose any material weakness; 8-K Item 4.02 applies if discovered |
| Smaller Reporting Company (SRC) SRC designation |
Exempt from 404(b) auditor attestation | Required — management assessment | Required — ICFR disclosure in 10-K | Material weakness disclosure still required if identified |
Note: Proposed SEC rule S7-2026-15 (comment deadline July 6, 2026) would raise the LAF threshold from $700M to $2B public float, exempting ~2,200 additional companies from 404(b) attestation. If finalized, this would be the most significant filer reform since SOX 404 was implemented.
The Five ICFR Testing Gaps That Produce Material Weaknesses
- Gap 1 — Incomplete transaction-level control mapping: Entity-level controls (culture, tone at the top, audit committee oversight) are tested thoroughly, but the transaction-level controls (approval workflows, reconciliation procedures, cutoff testing) are not fully mapped. The result: a management assessment that covers entity-level controls but misses transaction-level gaps that can produce material misstatements.
- Gap 2 — No testing of information relied on from IT general controls (ITGC): ITGC results (access controls, change management, operations, monitoring) are not linked to the ICFR scope. The financial systems and applications that feed into the financial statements are controlled by ITGC, but the ICFR test plan doesn’t include testing whether those ITGC are operating effectively. Result: the information produced by entity (IPE) that flows into financial reporting has no tested control environment.
- Gap 3 — Segregation of duties gaps in journal entry approval: The same person initiates and approves journal entries, or the IT system doesn’t enforce segregation in the posting workflow. This is consistently cited in PCAOB inspection reports as a top deficiency. In practice: if one person can both create and approve an entry, they can post fictitious transactions without detection.
- Gap 4 — Subsequent-events review not integrated with ICFR: The Q4 subsequent-events review is conducted as a standalone procedure after year-end, but its findings are not integrated into the ICFR assessment. New facts discovered in January and February — after the controls testing period ended — may represent control failures that should be reflected in the ICFR opinion.
- Gap 5 — Management review controls run but not documented: The control activity runs (e.g., manager reviews the reconciliation, reviews the aged receivables report, approves the adjustment) but the execution is not documented. PCAOB inspectors consistently find that where there is no documentary evidence, there is no effective control. Operating effectiveness cannot be demonstrated without documentation.
The five gaps above are not hypothetical. Each is cited in PCAOB inspection reports in multiple consecutive years. The question for your ICFR program is not “do we have a policy?” — it’s “can we demonstrate the control operated in the testing period with contemporaneous documentation?”
PCAOB AS 2201 (Amended) — Effective December 15, 2026
Top-down, risk-based ICFR audit approach — re-scope your controls inventory now
- Top-down scope: Auditors start with entity-level controls and scope down to specific accounts/disclosures based on risk. This replaces the prior approach of starting at the account level and building up.
- Walkthrough documentation: All in-scope controls must have updated walkthrough documentation reflecting the current process. Stale walkthroughs are a top PCAOB finding.
- Deficiency evaluation thresholds tightened: More findings will be classified as significant deficiency rather than control deviation. The bar for passing ICFR without findings is higher.
- ITGC linkage explicit: Auditors must explicitly document how ITGC results inform ICFR scope. ITGC failures that affect financial reporting must be reflected in the ICFR opinion.
- AS 1215 (Amended): 14-day audit documentation deadline (from 45 days) — firms must finalize workpaper documentation within 14 days of field work completion.
- QC 1000: Firm-wide quality control systems — ask your audit firm how their QMS addresses the December 15 effective date.
Source: PCAOB AS 2201 (Amended); PCAOB Quality Control page; SEC Staff Guidance 2007 (ICFR)
Build Your ITGC Linkage Matrix Before Q3
📋 Map your ITGC to financial statement assertions before August filing deadlines.
ITGC deficiencies are the top PCAOB finding category for 6+ consecutive inspection cycles. If your ITGC results are not linked to ICFR scope, your 404(b) auditor will find the gap. Build the linkage matrix now.
Run your SOX Pulse → Free, no loginWhat to Build This Week
ITGC Linkage Matrix — 4-Step Process:
Why this week: Q3 10-Q filing deadlines begin in August. Accelerated filers recommended sign-off: August 7. Accelerated/LAF filing deadline: August 14. Non-accelerated: August 29. ITGC linkage matrix review should be complete before you begin Q3 close procedures.
Get your personalized SOX readiness score
Section 302/404/906 status — free, no login required
Q3 Deadlines & Upcoming Rule Changes
Q3 2026 Filing Deadlines
| Filer Type | Q2 Status | Q3 10-Q Certification | Q3 10-Q Filing | Notes |
|---|---|---|---|---|
| Large Accelerated Filer | CompletePassed | August 7, 2026 | August 14, 2026 | Certification sign-off 7 days before filing |
| Accelerated Filer | CompletePassed | August 7, 2026 | August 14, 2026 | Same as LAF; 404(b) attestation required |
| Non-Accelerated Filer | June 30Passed | August 22, 2026 | August 29, 2026 | 40-day window; 404(a) management assessment only |
| Smaller Reporting Co. | June 16Passed | August 7, 2026 | August 14, 2026 | SRC extension; 45-day window; 404(b) exempt |
SEC Rulemaking Pipeline — Action Required Before July 6
Proposed: Raises LAF threshold from $700M to $2B public float; adds 60-month seasoning requirement (company must have been below threshold for 5 consecutive years); exempts ~2,200 additional companies from 404(b) auditor attestation. Economic analysis estimates $1.1B annual savings for newly exempt filers.
Comment deadline July 6, 2026: If your company would newly qualify as non-accelerated or LAF-eligible, submit a comment at sec.gov/rules/submitcomment.htm. This is the most significant filer reform in SOX 404 history.
Proposed: Allow companies to adopt semiannual (rather than quarterly) reporting. Effect: Section 302 certifications drop from 4/year to 2/year; Section 906 certifications similarly reduced. Does not affect Section 404 ICFR frequency.
Comment deadline July 6, 2026: If your organization has a position on reporting frequency, submit a comment.
December 15, 2026 — The PCAOB Standard Cluster
Six PCAOB standards change simultaneously — 6 months away
- AS 2201 (Amended) — Top-down, risk-based ICFR audit approach. Re-scope your controls inventory now.
- AS 1215 (Amended) — 14-day audit documentation deadline (from 45 days). Workpaper discipline required.
- QC 1000 — Firm-wide quality control systems. Ask your audit firm how their QMS addresses this.
- AS 2901 — Modernized materiality standard effective for fiscal years ending December 15, 2026+.
- AS 1220 (Amended) — Engagement quality review standards updated for AS 2201 interdependency.
Source: PCAOB Quality Control page; SEC Press Release 2026-46; PCAOB Release No. 2024-005