SOX Compliance Requirements for Public Companies
What are the SOX compliance requirements for public companies?
Summary
Every company registered with the SEC under the Securities Exchange Act of 1934 must comply with the Sarbanes-Oxley Act of 2002 (SOX): CEO/CFO certification of financial statements (Section 302), annual management assessment of internal controls over financial reporting (Section 404(a)), independent auditor attestation of ICFR for accelerated and large accelerated filers (Section 404(b)), and seven-year retention of audit workpapers (Section 802, as implemented by SEC Rule 2-06 of Regulation S-X), all built on the COSO 2013 framework. Non-accelerated filers (public float < $75M) and emerging growth companies are exempt from 404(b) only. Penalties run to $5M and 20 years for willful false certification (Section 906) and 20 years for document destruction (Section 802). Two 2026 developments are reshaping the landscape: the SEC stood up a dedicated Enforcement "SOX Group" targeting audit-quality and ICFR failures (March 2026), and proposed a two-tier filer framework raising the large-accelerated-filer float threshold to $2B and limiting 404(b) to large accelerated filers (May 19, 2026 — a proposal in a 60-day comment period, not yet law). [src1, src2, src9, src10]
Rule
All companies registered with the SEC under the Securities Exchange Act of 1934 must comply with the Sarbanes-Oxley Act of 2002 (SOX). This requires CEO and CFO personal certification of financial statements (Section 302), annual management assessment of internal controls over financial reporting (ICFR) under Section 404(a), independent auditor attestation of ICFR for accelerated and large accelerated filers (Section 404(b)), and retention of audit workpapers for a minimum of seven years (Section 802, implemented by SEC Rule 2-06 of Regulation S-X, which extended the statute's five-year floor to seven). Compliance must be built on a recognized internal control framework; in practice, virtually all filers use the COSO 2013 Internal Control — Integrated Framework. [src1, src2]
Evidence
Since SOX's enactment, enforcement has been sustained and penalties severe: executives who knowingly certify non-compliant reports face up to $1 million in fines and 10 years imprisonment under Section 906, escalating to $5 million and 20 years for willful violations with intent to deceive. [src1, src7] Section 802 imposes up to 20 years imprisonment for destruction, alteration, or concealment of documents relevant to a federal investigation. [src8] In the first ten months of 2024 alone, 140 public companies declared their previous financial statements unreliable due to material errors — a nine-year high. [src5] The SEC reported 24,000 whistleblower tips in its 2024 enforcement results and issued an $18 million civil penalty against J.P. Morgan for violating whistleblower protection rules. [src7] The Protiviti 2024 SOX survey found that compliance is becoming more resource-intensive, with most companies reporting increased requirements over the prior two years. [src6] Enforcement scrutiny intensified further in 2026: in March 2026 the SEC's Division of Enforcement stood up a dedicated "SOX Group" — a specialized team of investigators, attorneys, and accountants reporting to the Enforcement Division's Chief Accountant — to investigate and litigate violations of auditing and professional standards under SOX, signaling lower tolerance for ICFR failures and quicker public exposure of audit-quality matters (the SEC operates without the PCAOB's confidentiality regime). [src10]
Key Properties
- Governing statute: Sarbanes-Oxley Act of 2002, Pub. L. 107-204, 116 Stat. 745
- Enforcement bodies: Securities and Exchange Commission (SEC), Public Company Accounting Oversight Board (PCAOB), Department of Justice (DOJ)
- Section 302 penalty (civil): Personal CEO/CFO liability; SEC enforcement actions, fines, officer/director bars
- Section 906 penalty (criminal): Up to $1M fine / 10 years imprisonment (knowing); up to $5M / 20 years (willful) [src1]
- Section 802 penalty (criminal): Fines under Title 18 and up to 20 years imprisonment for knowingly destroying, altering, or falsifying records to obstruct a federal investigation (18 U.S.C. 1519) [src8]
- Internal control framework: COSO 2013 Internal Control — Integrated Framework (17 principles, 5 components) [src3]
- Audit standard: PCAOB AS 2201 (integrated audit of financial statements and ICFR) [src2]
- Record retention: Minimum 7 years for audit workpapers and related documents (SEC Rule 2-06 of Regulation S-X, implementing Section 802) [src8]
Conditions
- Applies when: The entity is an SEC-registered public company (domestic issuer or foreign private issuer) filing periodic reports with the SEC. All companies subject to Sections 302, 906, 802, and 404(a). Accelerated and large accelerated filers are additionally subject to Section 404(b) auditor attestation. [src1]
- Does NOT apply when: The entity is a private company not registered with the SEC, a non-reporting company, or a state/local government entity. Non-accelerated filers and emerging growth companies (EGCs) are exempt from Section 404(b) auditor attestation only — they must still comply with 404(a) management assessment. [src1, src4]
- Confidence degrades when: PCAOB AS 2201 amendments (effective December 15, 2026, postponed one year via PCAOB File No. PCAOB-2025-01) may alter audit procedures; the SEC's May 19, 2026 filer-status proposal (two-tier framework, $2B large-accelerated-filer threshold, Section 404(b) limited to large accelerated filers) is in a 60-day comment period and would, if finalized, expand the population of filers exempt from auditor attestation; the SEC is reviewing foreign private issuer eligibility criteria (concept release issued June 2025); cybersecurity-related ICFR expectations are evolving as SEC/PCAOB signal that material cyber risks can indicate ICFR weaknesses. [src2, src6, src9]
Constraints
- SOX is a US federal statute. It applies to companies registered with the SEC regardless of where they are headquartered, but it does not govern companies listed only on non-US exchanges. [src1]
- The Section 404(b) auditor attestation exemption for non-accelerated filers was made permanent by the Dodd-Frank Act (2010, Section 989G, which added SOX Section 404(c)); the separate EGC exemption comes from the JOBS Act (2012). EGC status lasts at most five fiscal years after the IPO and ends earlier if the company exceeds the revenue threshold, becomes a large accelerated filer, or issues more than $1B in non-convertible debt over three years. [src4]
- PCAOB AS 2201 amendments approved by the SEC take effect for fiscal years beginning on or after December 15, 2026 (the effective date was postponed one year via PCAOB File No. PCAOB-2025-01, Aug. 2025) — until then, the current version of AS 2201 applies. [src2]
- The current filer-status thresholds (large accelerated filer >= $700M float; accelerated filer $75M-$700M float and, since the SEC's 2020 amendments, annual revenues of at least $100M; non-accelerated filer otherwise) and the 404(b) exemptions tied to them remain in force. The SEC's May 19, 2026 proposal would replace this with a two-tier framework (large accelerated filers at a $2B float threshold; everyone else a non-accelerated filer, with 404(b) limited to large accelerated filers), but it is a PROPOSAL in a 60-day comment period — do not advise compliance against it until a final rule issues. [src9]
- SOX does not mandate a specific control framework, but the SEC's 2007 interpretive guidance endorses frameworks issued by bodies that follow due process (effectively pointing to COSO). Choosing a non-COSO framework creates additional burden of proof. [src3]
- SOX ICFR requirements focus exclusively on controls over financial reporting. Broader operational, IT security, or compliance controls outside the financial reporting chain are not within SOX scope, though IT general controls (ITGCs) supporting financial systems are in scope. [src6]
Rationale
SOX was enacted in response to the Enron, WorldCom, and Tyco accounting scandals of 2001-2002 that caused billions in investor losses and eroded public trust in US capital markets. The Act's core design is to hold corporate executives personally accountable for the accuracy of financial statements, ensure independent audit oversight through the PCAOB, and impose severe criminal penalties for fraud and obstruction. By requiring documented internal controls assessed annually, SOX creates a preventive system that makes material misstatements harder to conceal and easier to detect before they cause investor harm. [src1, src3]
Framework Selection Decision Tree
START — User needs financial reporting compliance guidance
├── Which jurisdiction?
│ ├── US (SEC-registered company)
│ │ └── SOX Compliance Requirements ← YOU ARE HERE
│ ├── EU (listed company)
│ │ └── EU financial reporting rules (Transparency Directive, Accounting Directive, Audit Regulation; CSRD for sustainability reporting)
│ └── Multiple jurisdictions
│ └── Start with primary listing jurisdiction, then layer additional requirements
├── Is the company SEC-registered (public)?
│ ├── YES → SOX applies: determine filer status
│ │ ├── Large accelerated filer (float >= $700M) → Full SOX: 302 + 404(a) + 404(b) + 906 + 802
│ │ ├── Accelerated filer (float $75M-$700M) → Full SOX: 302 + 404(a) + 404(b) + 906 + 802
│ │ ├── Non-accelerated filer (float < $75M) → SOX: 302 + 404(a) + 906 + 802 (404(b) exempt)
│ │ └── Emerging growth company → SOX: 302 + 404(a) + 906 + 802 (404(b) exempt)
│ └── NO → SOX does not legally apply (may adopt voluntarily)
├── Is there an existing ICFR program?
│ ├── YES → Audit against COSO 2013: assess 5 components, 17 principles
│ └── NO → Start with COSO 2013 framework implementation, then build ICFR
└── Foreign private issuer?
├── YES, accelerated/large accelerated filer → Full SOX including 404(b)
├── YES, non-accelerated or EGC → SOX 302 + 404(a) (404(b) exempt)
└── Consider extended filing deadlines (Form 20-F: 4 months vs 10-K: 60-90 days)
Application Checklist
Step 1: Determine SOX applicability and filer status
- Inputs needed: Entity type (domestic issuer, FPI), SEC registration status, public float, annual revenue, EGC status, years since IPO
- Output: Go/no-go determination on SOX applicability and specific section obligations (302, 404(a), 404(b), 802, 906)
- Constraint: If the entity is not SEC-registered, SOX does not apply as a legal obligation. Do not advise mandatory compliance for private companies. [src1]
Step 2: Select internal control framework and scope ICFR
- Inputs needed: Current control environment, IT systems supporting financial reporting, business processes affecting financial statements, material accounts and disclosures
- Output: COSO 2013-based control framework mapped to the entity's financial reporting processes; inventory of in-scope applications, databases, and ITGCs
- Constraint: All five COSO components (Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring Activities) and all 17 principles must be addressed. A principle that is not present and functioning is at minimum a control deficiency; whether it rises to a significant deficiency or material weakness depends on the severity evaluation in Step 4. [src3, src2]
Step 3: Design, implement, and document controls
- Inputs needed: COSO-mapped risk assessment, process narratives or flowcharts, IT system inventory, segregation of duties matrix
- Output: Documented control descriptions (what, who, when, how, evidence), risk-control matrices for each significant process, ITGC documentation (access management, change management, operations, SDLC)
- Constraint: Controls must be specific enough to be testable. Narrative-only documentation without identifiable control points will fail the management assessment. Management must test both design effectiveness and operating effectiveness before year-end. [src2, src4]
Step 4: Conduct management assessment (Section 404(a))
- Inputs needed: Completed control testing results, remediation status for any identified deficiencies, population and sampling methodology
- Output: Management's report on ICFR effectiveness as of fiscal year-end, included in the annual report (10-K or 20-F)
- Constraint: Management must evaluate whether deficiencies individually or in combination constitute a material weakness. If a material weakness exists, management cannot conclude that ICFR is effective. [src1, src2]
Step 5: Obtain auditor attestation (Section 404(b), if required)
- Inputs needed: Management's ICFR assessment, auditor's independent testing results, evaluation of any material weaknesses or significant deficiencies
- Output: Auditor's report on ICFR, filed alongside management's report in the annual report
- Constraint: Only required for accelerated and large accelerated filers. The auditor must form an independent opinion — they cannot simply rely on management's testing. Any material weakness existing at year-end results in an adverse opinion on ICFR; if the auditor finds one that management missed, management's own assessment must also be revised, since it cannot conclude ICFR is effective. Escalate to the audit committee immediately. [src2, src4]
Decision Logic
If the entity is not registered with the SEC under the Securities Exchange Act of 1934
--> SOX does not apply as a legal obligation. Do not advise mandatory compliance; a private company may voluntarily adopt SOX-like controls (often to prepare for an IPO or satisfy lenders/acquirers), but Sections 302, 404, 802, and 906 are not enforceable against it. [src1]
If the entity is a non-accelerated filer (public float < $75M) or an emerging growth company
--> Apply Sections 302, 404(a), 906, and 802, but treat Section 404(b) auditor attestation as exempt. Confirm the management ICFR assessment is still performed and filed — the exemption removes the independent auditor opinion, not management's own assessment. [src1, src4]
If the entity is an accelerated or large accelerated filer
--> Apply the full SOX stack: 302 certification, 404(a) management assessment, 404(b) auditor attestation, plus 906 and 802. Scope ITGCs for every financially significant application from the start; auditor reliance on automated controls and system-generated reports depends on access, change, and operations controls being effective. [src2, src3]
If the company is planning around the SEC's May 19, 2026 filer-status proposal ($2B large-accelerated-filer threshold, two-tier framework)
--> Continue complying against the CURRENT $75M/$700M thresholds. The proposal is in a 60-day comment period and is not law; do not drop Section 404(b) attestation in anticipation of it. Track the final rule and re-scope only once it is adopted. [src9]
If the company is undergoing an audit or has open financial-reporting questions in 2026
--> Treat audit-quality and ICFR documentation as elevated-risk: the SEC's new Enforcement "SOX Group" (stood up March 2026) investigates auditing- and professional-standards violations and operates without the PCAOB's confidentiality regime, so exposure can become public faster. Ensure the sub-certification cascade and control evidence are complete before sign-off. [src10]
If management identifies a deficiency in any of the five COSO components or 17 principles
--> Evaluate whether it is a deficiency, significant deficiency, or material weakness. A principle that is not present and functioning is at minimum a deficiency; if deficiencies individually or in combination create a reasonable possibility of an undetected material misstatement, management cannot conclude ICFR is effective and must disclose the material weakness. Escalate any auditor-identified material weakness to the audit committee immediately. [src2, src3]
If the user actually needs EU markets compliance or data-privacy compliance (not US financial reporting)
--> Route to the correct unit: MiFID II [compliance/financial/mifid-ii/2026] for EU markets-conduct rules, or GDPR Summary [compliance/privacy/gdpr-summary/2026] for data privacy. SOX governs ICFR for SEC registrants only. [src1]
Anti-Patterns
Wrong: Treating SOX 404 as an annual one-time exercise
Many companies compress all SOX testing into Q4, rushing to complete walkthroughs, sample testing, and remediation before year-end. This results in insufficient sample sizes, untested controls for Q1-Q3, and material weaknesses discovered too late to remediate. [src5]
Correct: Implement continuous monitoring with quarterly checkpoints
Distribute control testing across all four quarters. Test each key control at least twice during the year (interim + year-end). Establish a SOX calendar with deadlines for risk assessment (Q1), walkthrough updates (Q2), interim testing (Q2-Q3), and year-end testing/remediation (Q4). [src4]
Wrong: Scoping only financial application controls while ignoring ITGCs
Companies that focus exclusively on business process controls (three-way match, journal entry review) but neglect IT general controls often discover that auditors cannot rely on automated controls or system-generated reports because access management, change management, and operations controls are deficient. [src6]
Correct: Scope ITGCs for every in-scope application from the start
Map all financially significant applications, databases, operating systems, and networks. For each, document and test ITGCs across four domains: access management (provisioning, deprovisioning, privileged access, password policies), change management (development, testing, approval, migration), IT operations (job scheduling, backup, incident management), and program development (SDLC controls for new systems). [src3, src6]
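The access-management domain above is the one that most often breaks auditor reliance, and its checks are mechanical enough to script. The following is an added example (not from the page's sources or any vendor tool) that runs three typical ITGC access tests over a constructed user-access export: terminated users still enabled past a deprovisioning SLA, segregation-of-duties conflicts (developer who can also migrate code to production; vendor-create plus payment-approve), and privileged entitlements with no linked approval ticket. All user names, entitlement labels, ticket IDs and the one-day SLA are assumptions for illustration.

```python
"""ITGC access-review checks over a constructed user-access export (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class UserAccess:
    user: str
    status: str                 # "enabled" or "disabled", as exported from the ERP
    entitlements: frozenset[str]
    approval_ticket: str | None  # access-request ticket that approved the grant


# Constructed inputs: an ERP access export and an HR termination feed (not real data).
ACCESS_EXPORT = [
    UserAccess("alopez", "enabled", frozenset({"create_vendor", "approve_payment"}), "ACC-1001"),
    UserAccess("bchen", "enabled", frozenset({"ap_clerk"}), "ACC-1002"),
    UserAccess("cdiaz", "disabled", frozenset({"erp_admin"}), "ACC-1003"),
    UserAccess("dkim", "enabled", frozenset({"develop", "migrate_to_prod"}), "ACC-1004"),
    UserAccess("epatel", "enabled", frozenset({"erp_admin"}), None),
    UserAccess("fnguyen", "enabled", frozenset({"db_admin"}), "ACC-2207"),
    UserAccess("gwhite", "enabled", frozenset({"gl_view"}), "ACC-1007"),
]
HR_TERMINATIONS = {
    "bchen": date(2026, 3, 3),   # left weeks ago, account never disabled
    "cdiaz": date(2026, 3, 28),  # left and was disabled correctly
    "gwhite": date(2026, 3, 31), # left today, still inside the SLA window
}
AS_OF = date(2026, 3, 31)        # period-end date the review is performed "as of"

# Assumed control parameters: toxic entitlement combinations and the admin roles.
SOD_CONFLICTS = [
    (frozenset({"develop", "migrate_to_prod"}), "developer can promote own code to production"),
    (frozenset({"create_vendor", "approve_payment"}), "user can create a vendor and approve payment to it"),
]
PRIVILEGED = frozenset({"erp_admin", "db_admin"})
DEPROVISION_SLA = timedelta(days=1)  # assumed policy: disable within one business day


def stale_terminated_accounts(access, terminations, as_of) -> list[str]:
    """Enabled accounts whose owner left more than DEPROVISION_SLA before as_of."""
    return sorted(
        u.user for u in access
        if u.status == "enabled"
        and u.user in terminations
        and as_of - terminations[u.user] > DEPROVISION_SLA
    )


def sod_violations(access) -> list[tuple[str, tuple[str, ...], str]]:
    """Users holding every entitlement of a defined toxic combination."""
    findings = []
    for u in access:
        for combo, why in SOD_CONFLICTS:
            if combo <= u.entitlements:          # subset test: all conflicting rights present
                findings.append((u.user, tuple(sorted(combo)), why))
    return findings


def unapproved_privileged(access) -> list[str]:
    """Enabled users with an admin entitlement but no approval ticket on record."""
    return sorted(
        u.user for u in access
        if u.status == "enabled" and (u.entitlements & PRIVILEGED) and not u.approval_ticket
    )


def run_access_review(access, terminations, as_of) -> dict:
    """Bundle the three checks into the evidence an auditor would sample against."""
    return {
        "stale_terminated": stale_terminated_accounts(access, terminations, as_of),
        "sod": sod_violations(access),
        "unapproved_privileged": unapproved_privileged(access),
    }


if __name__ == "__main__":
    for check, result in run_access_review(ACCESS_EXPORT, HR_TERMINATIONS, AS_OF).items():
        print(f"{check}: {result}")
```

Each finding should be traced to a remediation ticket and retested before year-end; a developer who can migrate to production, or a terminated user left enabled, is the kind of deficiency that prevents the auditor from relying on the application's automated controls and system-generated reports regardless of how well the business process controls test.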
Wrong: CEO/CFO signing Section 302 certifications without substantive review
Some executives treat the quarterly certification as a formality, signing without reviewing the sub-certifications from business unit controllers and IT leaders. This exposes them to personal liability if a misstatement is later discovered. [src1, src7]
Correct: Establish a formal sub-certification cascade
Implement a quarterly sub-certification process where business unit leaders, controllers, and IT directors sign representations flowing up to the CEO/CFO. Each sub-certification should cover specific assertions about their area of responsibility, creating an evidence trail that supports the executive certification. [src4]
Counter-Arguments
- SOX compliance costs disproportionately burden smaller public companies. A 2024 Protiviti survey found that average SOX compliance costs continue to rise year-over-year, leading some to argue that the Section 404(b) exemption for non-accelerated filers should be expanded or that a scaled framework for smaller companies is needed. [src6]
- Some academics and practitioners argue that SOX has not demonstrably reduced financial fraud — major frauds (Wirecard 2020, Luckin Coffee 2020) occurred despite SOX-like controls, suggesting that the Act creates compliance theatre that consumes resources without proportionate risk reduction. [src5]
- The Act's US-centric design creates duplicate compliance burdens for foreign private issuers already subject to rigorous home-country audit and governance requirements (e.g., UK Corporate Governance Code, Japan's J-SOX), leading to calls for mutual recognition frameworks. [src4]
Common Misconceptions
Misconception: SOX applies to all public companies worldwide.
Reality: SOX applies only to companies registered with the SEC under the Securities Exchange Act of 1934. Companies listed exclusively on non-US exchanges (e.g., London Stock Exchange, Tokyo Stock Exchange) with no US registration are not subject to SOX. Foreign private issuers with US listings are subject to SOX but receive certain accommodations such as extended filing deadlines and use of IFRS. [src1, src4]
Misconception: Non-accelerated filers are exempt from SOX entirely.
Reality: Non-accelerated filers are exempt only from Section 404(b) — the requirement for independent auditor attestation of ICFR. They must still comply with all other SOX requirements, including Section 302 (CEO/CFO certification), Section 404(a) (management's own assessment of ICFR), Section 906 (criminal certification), and Section 802 (record retention). [src1]
Misconception: Passing the SOX audit means the company has no fraud risk.
Reality: SOX provides reasonable assurance, not absolute assurance, about the reliability of financial reporting. A clean SOX opinion means no material weaknesses in ICFR were identified as of the assessment date. It does not guarantee the absence of fraud, misstatement, or future control failures. Management override of controls is an inherent limitation that SOX cannot fully eliminate. [src2, src3]
Misconception: SOX only covers financial controls, not IT systems.
Reality: While SOX focuses on internal controls over financial reporting, IT general controls (ITGCs) are squarely in scope for any IT system that processes, stores, or generates data used in financial reporting. This includes access management, change management, and operations controls for ERP systems, general ledgers, sub-ledgers, reporting tools, and supporting infrastructure. As of 2025, SEC and PCAOB guidance signals that material cybersecurity risks may indicate weaknesses in ICFR. [src6, src3]
Comparison with Similar Rules
| Rule/Framework | Key Difference | When to Use |
|---|---|---|
| SOX (this rule) | US federal statute with criminal penalties for executives; focuses on ICFR for SEC registrants | US-listed public companies, including FPIs with SEC registration |
| J-SOX (Japan) | Japanese equivalent; requires management assessment and auditor attestation for all Japanese-listed companies | Companies listed on Japanese exchanges |
| UK Corporate Governance Code | Principles-based "comply or explain"; no statutory criminal penalties for directors | Companies with premium listing on London Stock Exchange |
| COSO 2013 | Internal control framework (not a statute); provides the structure SOX compliance is built on | Used as the methodology to implement SOX, not as an alternative to it |
| SOC 1 / SOC 2 | Voluntary service organization controls reporting | Assessing controls at outsourced service providers that support SOX-relevant processes |
When This Matters
Fetch this rule when a user asks about SOX compliance requirements, Sarbanes-Oxley obligations for public companies, Section 302 or 404 requirements, CEO/CFO certification obligations, internal controls over financial reporting (ICFR), PCAOB audit standards for ICFR, SOX penalties and enforcement, or when evaluating whether SOX applies to a specific entity (including foreign private issuers and emerging growth companies).