SOX is the Sarbanes-Oxley Act, and for most compliance and finance teams it comes down to two sections. Section 302 is the quarterly certification where the CEO and CFO put their names behind the financial reports. Section 404 is the annual work behind that signature: management assesses whether its internal control over financial reporting is effective, and for many companies the external auditor independently attests to the same thing. The control framework that organizes the work is COSO. The unit of work is a key control, documented in a risk-control matrix, tested for both design and operating effectiveness. The thing everyone is trying to avoid is a material weakness, the finding that says ICFR is not effective.
SOX has a reputation for being a paperwork exercise. Part of that reputation is earned, because plenty of teams run it as a binder-filling ritual nobody reads. The teams that get it right treat it as something simpler and harder. A public company tells investors its numbers are reliable, and SOX is the discipline that makes that claim true and provable. When a CEO signs a 10-K, the controls behind the numbers are what make that signature safe to give.
This guide walks the program the way a practitioner runs it: who SOX applies to, what Sections 302 and 404 actually require, how COSO organizes the controls, the difference between a control that is designed well and one that operates, how deficiencies get classified, and how the annual cycle moves from scoping to opinion. Where a detail depends on a company's specific facts, this guide says so rather than guessing.
Who SOX applies to
The Sarbanes-Oxley Act of 2002 applies to public companies, called issuers, that file reports with the US Securities and Exchange Commission. If a company is listed on a US exchange or otherwise has registered securities, it is in scope. The Act also reaches the registered public accounting firms that audit those issuers, which is why it created the Public Company Accounting Oversight Board to oversee them.
Most SOX provisions do not bind private companies. The common exception in practice is the private company that is preparing for an initial public offering or an acquisition by a public company, which often builds SOX-ready controls a year or more ahead so the first reporting cycle as a public company is not a scramble. There is also a familiar split among public companies themselves on the auditor attestation requirement, which the next section covers.
Section 302: the certification
Section 302 requires the principal executive officer and principal financial officer, in practice the CEO and CFO, to personally certify each quarterly and annual report. The certification covers a few things in plain terms. They have reviewed the report. To their knowledge it does not contain a material misstatement or omission. The financial statements fairly present the company's condition. They are responsible for establishing and maintaining disclosure controls and procedures, and they have evaluated those controls. And they have disclosed any significant deficiencies and any fraud involving management to the auditors and the audit committee.
Section 302 puts accountability where it cannot be delegated away. The officers are not certifying that nothing will ever go wrong. They are certifying that they built a control system, looked at whether it works, and told the right people what they found. A false certification carries personal consequences for the people who signed, which is the whole design intent.
Section 404: internal control over financial reporting
Section 404 is the heart of the workload, and it has two parts.
Section 404(a) requires management to assess and report, each year in the annual report, on the effectiveness of the company's internal control over financial reporting, usually shortened to ICFR. Management has to state its responsibility for ICFR, identify the control framework it used, and give its conclusion on whether ICFR is effective as of year-end.
Section 404(b) requires the company's external auditor to independently attest to the effectiveness of ICFR. This is a separate opinion from the audit of the financial statements themselves, and the public-company audit standard that governs it is PCAOB AS 2201, the standard on an audit of internal control over financial reporting that is integrated with an audit of financial statements. Not every issuer is subject to 404(b). Smaller reporting companies and non-accelerated filers have historically been exempt from the auditor attestation, though they remain subject to 404(a) management assessment. Whether a specific company falls inside 404(b) depends on its filer status, which is a fact to confirm for each company rather than assume.
| Provision | Who acts | What it requires |
|---|---|---|
| Section 302 | CEO and CFO | Personal certification, each quarter and year, that the reports are accurate and that disclosure controls exist and were evaluated. |
| Section 404(a) | Management | Annual assessment and report on whether ICFR is effective, naming the control framework used. |
| Section 404(b) | External auditor | Independent attestation on ICFR effectiveness under PCAOB AS 2201, for issuers subject to it. |
The COSO framework
SOX requires management to base its ICFR assessment on a suitable, recognized control framework, and the one almost every US issuer uses is COSO, the framework from the Committee of Sponsoring Organizations of the Treadway Commission. Its 2013 Internal Control Integrated Framework organizes internal control into five components and seventeen underlying principles. A program that maps cleanly to the five components is a program an auditor can follow.
| COSO component | What it covers |
|---|---|
| Control environment | The tone at the top. Integrity, ethical values, board oversight, organizational structure, and accountability that set the foundation for everything else. |
| Risk assessment | Identifying and analyzing the risks of material misstatement across accounts and processes, including fraud risk, so controls can be aimed at the right places. |
| Control activities | The actual controls. Approvals, reconciliations, segregation of duties, system access controls, and the policies and procedures that carry them out. |
| Information and communication | The quality of the data flowing through the reporting process, and whether responsibilities are communicated up, down, and across the organization. |
| Monitoring activities | Ongoing and separate evaluations that confirm the components are present and working, and that deficiencies get reported and fixed. |
A practical way to read COSO is as a spectrum from the general to the specific. The control environment is the culture. Control activities are the individual checks a person performs every month. Entity-level controls sit closer to the environment end, and process-level controls sit closer to the activity end. A strong program needs both, because an entity-level control like audit committee oversight does not catch a missed reconciliation, and a reconciliation does not fix a culture that pressures people to hit a number.
Design vs operating effectiveness
Every key control gets evaluated on two separate questions, and confusing them is the most common scoping mistake.
Design effectiveness asks whether the control, if it operates as described, would actually prevent or detect a material misstatement in the relevant assertion. A control can be performed faithfully every single day and still be poorly designed, because it was never aimed at the risk that matters. You test design by understanding the control and walking a transaction through it.
Operating effectiveness asks whether the control actually ran as designed throughout the period, by the right person, with the right competence and authority. You test operating effectiveness by examining evidence across the period, often a sample of instances, to confirm the control was performed consistently rather than once for the audit.
Compare two versions of the same control. The weak one: "The controller reviews the bank reconciliation monthly and signs it." The control is performed every month and the signature is always there. But the review is a sign-off with no evidence of what was actually examined, so an unreconciled item could pass through unnoticed. Weakly designed, even though it operates.
The stronger one: "The controller reconciles the bank account monthly, investigates and documents every reconciling item over the defined threshold, and signs and dates the workpaper. A second reviewer re-performs the math on a sample." Aimed at the risk, evidenced, and re-performable. An auditor can test both design and operation.
This distinction carries weight because ICFR is concluded effective only when key controls are both designed appropriately and operating effectively. A well-designed control nobody actually performed is a finding. So is a control someone performed faithfully that was never aimed at the risk in the first place.
Key controls and the risk-control matrix
You cannot test everything, and SOX does not ask you to. The program is built around key controls, the subset of controls that, if they failed, could allow a material misstatement to reach the financial statements. Identifying them starts from the financial statements and works backward: which accounts and disclosures are material, what could go wrong in each relevant assertion, and which controls address those risks.
The document that holds this together is the risk-control matrix, often called the RCM. It is the spine of a SOX program, and a good one lets an auditor trace a clean line from a financial statement risk to the control that mitigates it to the test that proves it. A typical RCM row carries these fields.
| RCM field | What it captures |
|---|---|
| Process / cycle | The business process, such as revenue, procure-to-pay, payroll, or financial close. |
| Risk of misstatement | What could go wrong, stated specifically rather than generically. |
| Assertion | The financial statement assertion at risk: existence, completeness, accuracy, valuation, rights and obligations, presentation. |
| Control description | What the control is, who performs it, how often, and what evidence it produces. |
| Control type | Preventive or detective, manual or automated, and whether it is a key control. |
| Test of design and operation | How design was evaluated and how operating effectiveness was tested, with sample size and results. |
The discipline that makes the RCM useful is specificity. "Management reviews results" is not a control description. "The FP&A director compares actual revenue to forecast by product line, investigates variances over the defined threshold, and documents the explanation before the close is finalized" is a control someone can test. Vague descriptions are where a program quietly comes apart, because an auditor cannot test what the matrix does not describe.
Walkthroughs and testing
The standard way to confirm you understand a control and that it is designed appropriately is a walkthrough: tracing a single transaction from its origination through the process and into the financial statements, following the control as it operates along the way. A walkthrough confirms the control exists as documented and is aimed at the right risk. It is a test of one.
Operating effectiveness needs more than one. For a control that runs many times in a period, testers examine a sample of occurrences and evaluate whether the control was performed each time as designed. Sample sizes scale with how often the control runs and how much you are relying on it. Automated controls can sometimes be tested once if the supporting general IT controls over change and access are themselves effective, which is why IT general controls sit underneath so much of a SOX program.
Deficiency severity: deficiency, significant deficiency, material weakness
When a control fails a test, the finding gets classified by severity, and the classification drives everything that follows. The three levels build on each other.
| Severity | Definition | Consequence |
|---|---|---|
| Control deficiency | A control is missing, or it is designed or operating such that it does not allow management or employees to prevent or detect misstatements on a timely basis. | Tracked and remediated. Generally not separately reported externally on its own. |
| Significant deficiency | A deficiency, or combination of deficiencies, less severe than a material weakness but important enough to merit attention by those responsible for financial reporting oversight. | Reported to the audit committee. ICFR can still be effective. |
| Material weakness | A deficiency, or combination of deficiencies, such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a timely basis. | ICFR is reported as not effective. Disclosed publicly. Often moves the stock. |
Two judgments decide where a finding lands: the magnitude of the potential misstatement and the likelihood it could occur. A single material weakness forces management to report that ICFR is not effective, and where 404(b) applies, the auditor reaches the same conclusion in its own opinion. That makes the classification conversation one of the most consequential a SOX team has all year. Severity is a matter of professional judgment applied to specific facts, never a formula, so good practitioners write down their reasoning instead of asserting a conclusion.
The annual SOX cycle
A mature program runs SOX as a continuous cycle rather than a year-end fire drill. The work spreads across the year so that by the time the 10-K is due, the conclusion is already supported.
| Phase | What happens |
|---|---|
| 1. Scoping and risk assessment | Determine which accounts, disclosures, and locations are material and in scope. Refresh the risk assessment and confirm which controls are key. Set materiality. |
| 2. Documentation | Update process narratives, flowcharts, and the risk-control matrix so they match how the business actually operates this year, not last year. |
| 3. Design evaluation and walkthroughs | Walk each key control to confirm it is designed to address its risk and operates as documented. |
| 4. Operating effectiveness testing | Test samples across the period. This runs through the year, often in interim and year-end rounds, so issues surface with time to fix them. |
| 5. Deficiency evaluation and remediation | Classify any exceptions by severity, remediate where possible before year-end, and re-test remediated controls. |
| 6. Assessment and reporting | Management concludes on ICFR effectiveness, the CEO and CFO certify, the auditor renders its attestation where 404(b) applies, and the conclusions go into the annual report. |
The teams that suffer are the ones that compress all of this into the last six weeks. When you test late, a failed control has no runway for remediation, and a fixable deficiency can become a reported material weakness purely because you ran out of calendar. Spreading the work across the year is how you keep a control failure from turning into a disclosure.
The PCAOB standards behind the audit
The external auditor's attestation runs on PCAOB standards, and those standards have moved. AS 2201 still governs the integrated audit of internal control over financial reporting. Sitting above it now is AS 1000, General Responsibilities of the Auditor in Conducting an Audit, which the PCAOB adopted in 2024 to consolidate and replace several older foundational standards (AS 1001, 1005, 1010, and 1015). It is effective for audits of fiscal years beginning on or after December 15, 2024, and it shortened the auditor's documentation-completion window from 45 days to 14. A current ICFR audit references AS 1000 alongside AS 2201.
A SOX readiness checklist
Run this before the cycle closes:
- The scope ties to material accounts, disclosures, and locations, with the rationale documented.
- The risk-control matrix traces each financial statement risk to a control to a test, with no orphan risks.
- Every key control description is specific enough to test: who, what, how often, what evidence.
- Each key control has both a design evaluation and operating effectiveness testing on file.
- IT general controls over access and change support every automated control you are relying on.
- Exceptions are classified by severity with the magnitude-and-likelihood reasoning written down.
- Remediated controls were re-tested, not just re-described.
- The Section 302 sub-certifications support the CEO and CFO signatures up the chain.
- Significant deficiencies and any management fraud were reported to the audit committee.
- The management assessment names the control framework used and reconciles with the auditor's view where 404(b) applies.
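The tracing rule for the risk-control matrix and the checklist items on orphan risks, testable descriptions, design and operating evidence, and ITGC support can be run as an automated integrity check over the matrix before the cycle closes. The code below is an added example, not from the guide or any real company's program: the field names, the two ITGC areas (access and change), and the sample rows are constructed for illustration, and the check flags the gaps an auditor would otherwise find first.

```python
"""Integrity checks over a risk-control matrix (RCM).

Added example. Each RCM row is modelled as a Control; the check confirms that
every risk of misstatement is addressed by a key control, that every key
control names its performer, frequency and evidence, that design and operating
evidence are on file, and that automated controls rest on effective IT general
controls (ITGCs) over access and change. All identifiers and rows are
constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    control_id: str
    process: str          # business cycle, e.g. revenue, financial close
    risk_id: str          # the risk of misstatement this control addresses
    assertion: str        # financial statement assertion at risk
    performer: str        # who performs the control
    frequency: str        # how often it runs
    evidence: str         # what artifact it leaves behind
    key: bool
    automated: bool
    design_tested: bool   # walkthrough / design evaluation on file
    operating_tested: bool  # samples examined across the period
    itgc_dependencies: list = field(default_factory=list)  # ITGC ids relied on


@dataclass
class Itgc:
    itgc_id: str
    area: str             # "access" or "change" (constructed taxonomy)
    effective: bool


REQUIRED_ITGC_AREAS = ("access", "change")


def validate_rcm(risks, controls, itgcs):
    """Return a list of (item_id, issue) tuples; an empty list means no gaps."""
    findings = []
    itgc_by_id = {g.itgc_id: g for g in itgcs}
    key_controls = [c for c in controls if c.key]

    # Every risk must trace to at least one key control (no orphan risks).
    covered = {c.risk_id for c in key_controls}
    for risk in risks:
        if risk not in covered:
            findings.append((risk, "orphan risk: no key control addresses it"))

    for c in key_controls:
        # Description must be specific enough to test: who, how often, what evidence.
        for label, value in (("performer", c.performer),
                             ("frequency", c.frequency),
                             ("evidence", c.evidence)):
            if not value:
                findings.append((c.control_id, f"description missing {label}"))
        # Both halves of the evaluation must be on file.
        if not c.design_tested:
            findings.append((c.control_id, "no design evaluation on file"))
        if not c.operating_tested:
            findings.append((c.control_id, "no operating effectiveness testing on file"))
        # Automated controls inherit reliance from the ITGCs over access and change.
        if c.automated:
            effective_areas = set()
            for gid in c.itgc_dependencies:
                g = itgc_by_id.get(gid)
                if g is None:
                    findings.append((c.control_id, f"references unknown ITGC {gid}"))
                elif not g.effective:
                    findings.append((c.control_id, f"relies on ineffective ITGC {gid} ({g.area})"))
                else:
                    effective_areas.add(g.area)
            for area in REQUIRED_ITGC_AREAS:
                if area not in effective_areas:
                    findings.append((c.control_id,
                                     f"no effective {area} ITGC supports this automated control"))
    return findings


# Constructed sample matrix: three risks, three controls, two ITGCs.
SAMPLE_RISKS = ["R1", "R2", "R3"]
SAMPLE_ITGCS = [Itgc("G1", "access", True), Itgc("G2", "change", False)]
SAMPLE_CONTROLS = [
    Control("C1", "revenue", "R1", "cutoff", "ERP system", "per transaction",
            "system-enforced posting date", key=True, automated=True,
            design_tested=True, operating_tested=True, itgc_dependencies=["G1", "G2"]),
    Control("C2", "financial close", "R2", "existence", "controller", "monthly",
            "signed and dated reconciliation workpaper", key=True, automated=False,
            design_tested=True, operating_tested=False),
    Control("C3", "payroll", "R3", "accuracy", "payroll analyst", "each run",
            "exception report", key=False, automated=False,
            design_tested=True, operating_tested=True),
]

if __name__ == "__main__":
    for item, issue in validate_rcm(SAMPLE_RISKS, SAMPLE_CONTROLS, SAMPLE_ITGCS):
        print(f"{item}: {issue}")
```

Run against the sample rows, the check reports R3 as an orphan risk (its only control is not key), C1 as resting on an ineffective change ITGC, and C2 as lacking operating effectiveness evidence, which is the kind of gap that has no runway left if it first surfaces at year-end.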
The goal of SOX is not a thicker binder than last year. It is a record an auditor can follow and an investor can trust: someone identified what could go wrong with the numbers, built controls to catch it, tested whether those controls actually work, and signed their name to the result. A program that can show that work holds up. A program that cannot is one material weakness away from finding out in public.