Frequently Asked Questions

What are Internal Controls over Financial Reporting?

Internal controls over financial reporting (sometimes referred to as "internal controls" or ICOFR) are a company's policies and procedures around its financial transactions. An internal control over financial reporting is defined by the SEC as ". . . a process designed by, or under the supervision of, the issuer's principal executive and principal financial officers, or persons performing similar functions, and effected by the issuer's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that: (1) pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the issuer; (2) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the issuer are being made only in accordance with authorizations of management and directors of the issuer; and (3) provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the issuer's assets that could have a material effect on the financial statements." [Source: Exchange Act Rule 13a-15(f)].

What is the Sarbanes-Oxley Act?

The Sarbanes–Oxley Act of 2002 (Pub.L. 107-204, 116 Stat. 745, enacted July 30, 2002), also known as the 'Public Company Accounting Reform and Investor Protection Act' (in the Senate) and 'Corporate and Auditing Accountability and Responsibility Act' (in the House) and commonly called Sarbanes–Oxley, Sarbox or SOX, is a United States federal law enacted on July 30, 2002. It is named after sponsors U.S. Senator Paul Sarbanes (D-MD) and U.S. Representative Michael G. Oxley (R-OH).

The bill was enacted as a reaction to a number of major corporate and accounting scandals including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom. These scandals, which cost investors billions of dollars when the share prices of affected companies collapsed, shook public confidence in the nation's securities markets.

The legislation set new or enhanced standards for all U.S. public company boards, management and public accounting firms. It does not apply to privately held companies. The act contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the new law. Harvey Pitt, the 26th chairman of the Securities and Exchange Commission (SEC), led the SEC in the adoption of dozens of rules to implement the Sarbanes–Oxley Act. It created a new, quasi-public agency, the Public Company Accounting Oversight Board, or PCAOB, charged with overseeing, regulating, inspecting and disciplining accounting firms in their roles as auditors of public companies. The act also covers issues such as auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure.

The act was approved by the House by a vote of 423–3 and by the Senate 99–0. Former President George W. Bush signed it into law, stating it included "the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt."

Comprehensive Overview

What is Sarbanes-Oxley, Section 404?

Section 404 relates to internal control over financial reporting at public companies.

  • Section 404(a) of the Act requires management to assess and report on the effectiveness of internal control over financial reporting (“ICFR”). It applies to non-accelerated filers - companies with public float of less than $75 million. 
  • Section 404(b) requires that an independent auditor attest to management’s assessment of the effectiveness of those internal controls. It applies to accelerated filers, companies with public float of between $75 million and $700 million, and large accelerated filers, companies with public float of $700 million or more.
  • Section 404(c) provides that Section 404(b) shall not apply with respect to any audit report prepared for an issuer that is neither a large accelerated filer nor an accelerated filer. It was added by the Dodd-Frank Act passed in 2010. Prior to enactment of the Dodd-Frank Act, non-accelerated filers would have been required, under existing Commission rules, to include an auditor attestation report on ICFR in the annual report filed with the Commission for fiscal years ending on or after June 15, 2010.

What is Sarbanes-Oxley, Section 302?

Section 302 deals with "Management's Report", which is an attestation to the effectiveness of internal controls over financial reporting.

Section 302 requires that a public company include in its quarterly and annual reports an attestation by the company's principal executive and finance officer(s), or persons acting in that capacity, regarding the company's disclosure controls and procedures, and internal controls and procedures over financial reporting. Manually-signed originals of the 302 certifications must be kept by the company for five years.

As directed by Section 404 of the Sarbanes-Oxley Act of 2002, the SEC adopted rules requiring a company's management to include in their annual report a "management's report" on the company's internal control over financial reporting.

The internal control report must include:
  • A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company;
  • Management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year;
  • A statement identifying the framework used by management to evaluate the effectiveness of the company's internal control over financial reporting; 
  • A statement that the registered public accounting firm that audited the company's financial statements included in the annual report has issued an attestation report on management's assessment of the company's internal control over financial reporting. 

What is Sarbanes-Oxley, Section 802?

Sarbanes-Oxley Section 802 outlines criminal penalties for anyone who "knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11." This Section also outlines penalties for accountants who fail to meet the 5-year maintenance requirements for SOX documentation.

What is Sarbanes-Oxley, Section 906?

Section 906 is an executive certification requirement similar to that of Section 302. In addition, Section 906 outlines criminal penalties.

What are Disclosure Controls?

The SEC defines disclosure controls and procedures as "controls and other procedures of an issuer that are designed to ensure that information required to be disclosed by the issuer in the reports that it files or submits under the [Exchange] Act . . . is recorded, processed, summarized and reported, within the time periods specified in the Commission's rules and forms. Disclosure controls and procedures include, without limitation, controls and procedures designed to ensure that information required to be disclosed by an issuer in the reports that it files or submits under the Act is accumulated and communicated to the issuer's management, including its principal executive and principal financial officers." [Source: Rule 13a-15f].