The Sarbanes-Oxley Act of 2002 (SOX) is a law that implements regulations on publicly traded companies and accounting firms. SOX was created to improve the accuracy and reliability of corporate disclosures in financial statements and to protect investors from fraudulent accounting practices. 

While the act consists of eleven titles, a significant amount of SOX requirements live within Section 302 and Section 404. These SOX compliance activities include the identification and testing of internal controls over the financial reporting process. Plus, they require the submission of specific financial certifications in quarterly and annual reports to the United States Securities and Exchange Commission (SEC). 

Although these Sarbanes-Oxley sections are interrelated, there are differences between their specific requirements as well. 

SOX Section 302 requirements 

Section 302 of the Sarbanes-Oxley Act focuses on disclosure controls and procedures, plus the personal accountability of signing officers. SOX 302 requires that the principal executive and financial officers of a company, typically the CEO and CFO, personally attest that financial information is accurate and reliable. They must make these attestations within the quarterly 10-Q and annual 10-K reports filed with the SEC. 

Certification also applies to the implementation and maintenance of internal controls and procedures, as well as the reporting of deficiencies or changes related to internal controls. Although external auditors don’t officially audit SOX 302 disclosures, they still review them. 

When signing off on 302 disclosures, the principal officers are: 

  1. Confirming they reviewed the report
  2. Stating that, based on their knowledge, the report does not contain false or misleading statements or omit necessary material information
  3. Affirming, based on their knowledge, the financial statements and information in the report accurately present in all material respects the financial condition and results of operations for their company during the periods covered in the report.

So, if an executive officer signs a SOX 302 certification document, they personally take responsibility for it being true. They’re also responsible for fully disclosing all relevant procedures, and for clearly detailing any changes that occurred during the period of the report.

To prepare for this quarterly certification, companies typically send a questionnaire to people who have significant responsibility for financial results. These include operating officers, controllers, and accounting managers as well as the head of internal audit. 

This might be 15 to 20 people in a company or as many as 50 for a larger company, but it’s relative to the total number of employees and is a fairly small percentage. The survey may vary in length from one organization to another, but it has two main purposes: 

  1. Determine if there have been any significant changes to their internal controls of financial reporting that haven’t already been reported. 
  2. Inquire if the recipient is aware of any fraudulent activities.

If any irregularities are detected in the reports signed by these officials, those that certify them face serious consequences. Besides lawsuits and negative publicity, a corporate officer who does not comply or submits an inaccurate certification is subject to a fine up to $1 million and/or ten years in prison, even if done mistakenly. Those caught willfully certifying a false report risk significantly greater penalties, including up to $5,000,000 in fines or 20 years in prison, or both.


SOX Section 404 requirements

Section 404 requires that companies annually assess and report on the effectiveness of their internal control structure. This is management’s assessment and testing of the company’s internal controls and procedures for financial reporting. The focus of this testing is to evaluate and report on the design and operating effectiveness of the controls.

The results of the testing must be reviewed by management, and all control testing failures identified must be categorized as a deficiency, significant deficiency, or material weakness. The company is required to report on deficiencies to the Audit Committee and the Board of Directors, and material weaknesses must be disclosed in the company’s annual 10-K financial report.

In addition to the internal control assessment, SOX requirements mandate that public companies have an independent external auditor inspect their internal control practices and include the audit report within the company’s financial report.

What makes SOX 302 and 404 requirements different?

Although both SOX 302 and 404 relate to internal controls, their requirements differ in frequency, effort, activities, and liability.

The frequency of SOX 302 requirements is quarterly. Companies conduct a survey, as described above, and include signed certifications with their quarterly filings with the SEC. The quarterly certification ensures that the signing officers have evaluated the effectiveness of the organization’s internal controls as of a date within 90 days prior to the report. SOX 404 requirements, on the other hand, are continuous with an annual independent audit, and their documented findings must be included with each year’s financial report. 

The amount of effort required for SOX 404 is greater because of the quantity of risk management activities involved and the fact that it happens on an ongoing basis. Documentation and maintenance of the systems involved are daily activities that ensure consistent compliance. SOX 302, on the other hand, requires minimal effort, occurring on a quarterly basis but not between occurrences.

The types of activities involved in SOX 302 are different from those required to comply with SOX 404. SOX 302 involves a survey and a review of the related reporting before the top officers certify the financial reporting, the financial controls, and any known fraud activity.

SOX 404 includes processes and procedures for setup as well as risk management through monitoring and measuring to control risks associated with financial reporting. Section 404 also includes an annual independent audit, a requirement to report deficiencies to the Audit Committee of the Board of Directors, and a requirement to disclose material weaknesses in the company’s annual 10-K financial report.

The potential liability involved in SOX 302 is high since it is the personal liability of each signing officer, including the potential for serious fines and jail time, whereas SOX 404 applies only to the company.
