US Corporate Compliance Requirements
The Sarbanes-Oxley Act of 2002 (SOX) fundamentally changed US public company compliance obligations by requiring management to assess and report on internal control effectiveness and establishing personal accountability for financial reporting accuracy. SOX applies to companies registered with the SEC under the Securities Exchange Act of 1934, including US public companies, foreign private issuers, and certain smaller reporting companies with exemptions. Understanding SOX requirements is essential for any US public company compliance program.
SOX Overview
SOX was enacted in response to major accounting scandals to restore investor confidence through enhanced corporate accountability, improved financial reporting accuracy, and strengthened internal controls. The Act created the Public Company Accounting Oversight Board (PCAOB) to oversee public company audits and established personal liability for executives certifying false financial statements.
Key sections include: Section 302, requiring CEO/CFO certifications in quarterly and annual reports; Section 404(a), requiring management's assessment of internal control effectiveness; Section 404(b), requiring independent auditor attestation for larger companies; and Section 906, imposing criminal penalties for false certifications. The Act applies to all US public companies regardless of size, though smaller companies have certain exemptions from auditor attestation requirements.
Section 302: CEO/CFO Certifications
Section 302 requires the principal executive officer (typically CEO) and principal financial officer (typically CFO) to personally certify each quarterly Form 10-Q and annual Form 10-K filed with the SEC. These certifications must be included as exhibits to the reports and cannot be delegated.
Certifying officers must certify five key matters: that they have reviewed the report and, to their knowledge, it contains no untrue statement of a material fact and omits no material fact needed to make the statements not misleading; that the financial statements and other information fairly present, in all material respects, the company's financial condition and results of operations; that they are responsible for establishing and maintaining internal control over financial reporting and disclosure controls and procedures; that they have evaluated the effectiveness of disclosure controls and internal controls as of a date within 90 days preceding the report and presented their conclusions; and that they have disclosed to the auditors and the audit committee all significant deficiencies and material weaknesses, any fraud involving employees with significant control roles, and any material changes in internal controls.
The certification requirement creates personal liability—knowingly providing false certifications or omitting required disclosures can result in civil penalties (fines, disgorgement) and criminal penalties (fines up to $5 million, imprisonment up to 20 years for willful violations). This personal accountability drives management attention to financial reporting accuracy and internal control effectiveness.
Section 404: Management Assessment of Internal Controls
Section 404(a) requires management to include an Internal Control Report in the annual Form 10-K. This report must state management's responsibility for establishing and maintaining adequate internal control over financial reporting (ICFR), identify the framework used for assessment (commonly COSO Internal Control–Integrated Framework), provide management's assessment of ICFR effectiveness as of fiscal year-end, and disclose any material weaknesses identified. If material weaknesses exist, management cannot assert that controls are effective.
Management's assessment requires documentation of internal controls and evidence supporting the assessment, including both design and operating effectiveness of key controls. Documentation typically includes process narratives, control descriptions, risk assessments, test plans, test results, and evaluation conclusions. Management must test controls to verify operating effectiveness, not just document their design.
Section 404(b) requires independent auditor attestation on management's assessment for accelerated and large accelerated filers (companies with public float above $75 million). Emerging Growth Companies (EGCs) and non-accelerated filers are exempt from auditor attestation but still subject to 404(a) management assessment. The exemption threshold provides relief for smaller companies while maintaining accountability.
Auditors conduct integrated audits that combine financial statement audit work with internal control testing. PCAOB standards require auditors to evaluate both management's assessment process and test controls themselves to render an opinion. Auditor testing is risk-based, focusing on controls that address risks of material misstatement.
Control Deficiency Classifications
Control deficiencies are weaknesses in the design or operation of controls that could adversely affect ICFR. Deficiencies are classified by severity: control deficiencies are those that do not rise to the significant deficiency or material weakness level but still merit attention; significant deficiencies are less severe than material weaknesses but important enough to merit attention by those responsible for oversight; material weaknesses are deficiencies (or a combination of deficiencies) such that there is a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis.
Material weaknesses require immediate disclosure in management's report and preclude assertion that controls are effective. Management must describe the nature of the material weakness, its impact, and remediation plans. Companies with material weaknesses often face increased audit scrutiny, potential regulatory investigation, and negative market reactions.
Significant deficiencies must be communicated to management and audit committees but do not preclude an effective controls assertion. However, multiple significant deficiencies or a pattern of deficiencies may collectively indicate a material weakness. Management should prioritize remediation of significant deficiencies to prevent escalation.
SEC Filing Requirements
Public companies must file periodic reports with the SEC: Form 10-K annual reports are due 60 days after fiscal year-end for large accelerated filers, 75 days for accelerated filers, and 90 days for non-accelerated filers; Form 10-Q quarterly reports are due 40 days after quarter-end for large accelerated filers and 45 days for both accelerated and non-accelerated filers. These deadlines create tight timeframes for completing financial statements, management assessments, and auditor work.
Forms 10-K and 10-Q include financial statements, management discussion and analysis (MD&A), Section 302 certifications as exhibits, and for annual reports, Section 404 management assessment and auditor attestation (if applicable). Late filings trigger regulatory scrutiny, potential delisting threats, and negative market reactions.
Filer categories determine deadlines and requirements: large accelerated filers (public float $700 million or more) have shortest deadlines and full 404(b) requirements; accelerated filers (public float $75 million to $700 million) have moderate deadlines and full 404(b) requirements; non-accelerated filers (public float under $75 million) have longer deadlines and are exempt from 404(b) auditor attestation but still subject to 404(a) management assessment.
PCAOB Standards
The PCAOB establishes auditing standards for public company audits, including integrated audits of financial statements and internal controls. PCAOB standards require auditors to plan and perform audits to obtain reasonable assurance about whether financial statements are free of material misstatement and whether internal controls are effective.
Key PCAOB standards include: AS 2201 (audit of internal control over financial reporting that is integrated with audit of financial statements), AS 1301 (communications with audit committees), AS 2410 (related party transactions). PCAOB standards emphasize risk-based approaches, professional skepticism, and sufficient appropriate audit evidence.
PCAOB inspections review audit firm compliance with standards and identify deficiencies. Inspection findings can result in remediation requirements, restrictions on practice, or enforcement actions for serious violations. Firms must address inspection findings through root cause analysis and process improvements.
Key Numbers
Filing deadlines: Form 10-K due 60 days (large accelerated), 75 days (accelerated), 90 days (non-accelerated) after fiscal year-end; Form 10-Q due 40 days (large accelerated), 45 days (accelerated and non-accelerated) after quarter-end. Section 302 certifications require evaluation within 90 days preceding report filing dates.
Filer thresholds: large accelerated filer requires $700 million public float; accelerated filer requires $75-700 million public float; non-accelerated filer below $75 million public float. Public float is calculated using share price and outstanding shares as of measurement date.
Remediation timelines: material weaknesses typically require remediation plans within 90 days of identification, remediation completion within one year to avoid repeat findings, verification testing after remediation to confirm effectiveness. Accelerated remediation demonstrates management commitment and reduces ongoing audit scrutiny.
Penalties for false certifications: civil penalties up to $5 million per violation, criminal penalties up to $5 million fines and 20 years imprisonment for willful violations, SEC can bar individuals from serving as officers or directors, potential disgorgement of ill-gotten gains.
Common Misconceptions
"SOX is just a paperwork exercise" misunderstands requirements—SOX demands both proper control design and demonstrated operating effectiveness through testing. Companies must provide evidence of control operation, not just documentation of existence. Auditors test controls and will identify design flaws or operating failures.
"Smaller companies are exempt from SOX" is partially true but misleading—while non-accelerated filers are exempt from Section 404(b) auditor attestation, they remain subject to Section 302 CEO/CFO certifications and Section 404(a) management assessment of internal controls. All public companies face significant SOX obligations regardless of size.
"Once controls are effective, we're always compliant" ignores that risks evolve, systems change, processes are modified, and personnel turnover occurs. SOX compliance requires continuous monitoring, regular risk assessments, and periodic updates. Companies must re-evaluate controls when significant changes occur and cannot rely on prior-year effectiveness indefinitely.
"Material weaknesses mean the company will be delisted" overstates consequences—while material weaknesses trigger disclosure requirements, increased scrutiny, and potential market reactions, they do not automatically result in delisting. Companies must remediate material weaknesses within reasonable timeframes (typically one year) and demonstrate progress to avoid ongoing consequences.
"Auditors will tell us what controls to implement" misunderstands auditor role—auditors test and assess controls but do not design them. Management must design, implement, and assess controls; auditors independently evaluate management's process and test controls themselves. Relying on auditors for control design creates independence issues.