SOX Compliance: Sarbanes Oxley Controls and 404 Checklist

Jul 12, 2026

Try it now, capture a real invoice

Free plan · No credit card · Your data stays yours

SOX compliance: the short answer

SOX compliance means a public company has documented its internal controls over financial reporting, tested them, and can prove they worked all year. Section 404 is the part that creates the workload: management must assess those controls annually, and for larger filers an external auditor must attest to them separately. Accounts payable is the cycle auditors dig into first, because it is where cash actually leaves the building.

The practical translation for a controller: every dollar paid needs an approval you can evidence, a person who approved it who did not also enter it, and a system record showing both. If your evidence is a folder of forwarded emails, you are not compliant, you are just lucky so far.

What is SOX compliance?

The Sarbanes-Oxley Act of 2002 was passed after the Enron and WorldCom collapses to stop executives from cooking books and claiming ignorance. It applies to US public companies, foreign issuers listed on US exchanges, and the accounting firms that audit them. SOX compliance is not a certification you buy or a badge you display. It is an ongoing obligation to maintain internal controls over financial reporting (ICFR) and to have the CEO and CFO personally certify the numbers.

The phrase "SOX compliant software" gets thrown around loosely by vendors. No software is SOX compliant on its own. Software either helps you run and evidence the controls, or it does not. The obligation stays with the company.

Who has to comply with SOX?

Not every requirement hits every company the same way. The dividing line is public float, which determines your filer status:

Filer statusPublic float404(a) management assessment404(b) auditor attestation
Large accelerated filer$700M or moreRequiredRequired
Accelerated filer$75M to $700MRequiredRequired (unless an SRC with revenue under $100M)
Non-accelerated filerUnder $75MRequiredExempt
Emerging growth companyVaries (JOBS Act)RequiredExempt for up to 5 years
Private companyN/ANot requiredNot required

One nuance that trips up finance teams at growing companies: a smaller reporting company with annual revenue under $100 million is excluded from the accelerated filer definition, so it stays exempt from the auditor attestation even if its float crosses $75 million. Worth checking before you budget for a 404(b) audit you may not owe.

Also note the SEC proposed rule changes in May 2026 that would narrow 404(b) to large accelerated filers only. That is a proposal, not law, and as of July 2026 it has not been finalized. Do not restructure your control program around a rule that has not landed.

Does SOX apply to private companies?

Legally, no. The ICFR reporting requirements of Section 404 apply to public registrants. Two exceptions matter in practice. First, the anti-fraud and document destruction provisions (Sections 802 and 1107) apply to everyone, including private firms and nonprofits. Shredding records to obstruct a federal investigation is a crime regardless of whether you are listed. Second, private companies planning an IPO get pulled in early: underwriters and auditors expect a functioning control environment before you file, and building one takes a year or more. Most pre-IPO companies start SOX readiness well ahead of the S-1.

SOX compliance requirements: the sections that actually matter

SectionWhat it requiresWho it lands on
302CEO and CFO personally certify each quarterly and annual report, including that disclosure controls are effectiveExecutives (quarterly)
404(a)Management assesses and reports on the effectiveness of internal controls over financial reportingFinance, internal audit (annually)
404(b)The external auditor issues a separate opinion on ICFRExternal auditor (larger filers only)
409Rapid disclosure of material changes in financial conditionExecutives, legal
802Record retention; criminal penalties for destroying or falsifying recordsEveryone, including private firms
906Criminal penalties for knowingly certifying a false report (up to $5M and 20 years)CEO and CFO

What is SOX 404?

Section 404 has two halves and people constantly conflate them. 404(a) is management's own assessment: you identify the risks to accurate financial reporting, define controls that address them, test those controls, and state in your annual report whether they are effective. 404(b) is the external auditor's independent opinion on the same thing. 404(a) is the annual grind for the finance team. 404(b) is the expensive part, and it is the one smaller filers are exempt from.

Both halves rest on the same underlying work: a documented set of controls, evidence that each one operated throughout the period, and honest disclosure when one did not.

Why accounts payable is the highest-risk SOX cycle

Auditors allocate effort by risk, and AP concentrates risk in a way few other cycles do. It touches cash directly, it runs on high transaction volume, it depends on documents that arrive from outside the company in inconsistent formats, and it is the single most common vector for occupational fraud. A revenue misstatement usually needs a judgment call to go wrong. An AP misstatement just needs someone to pay the same invoice twice, or to pay a vendor that does not exist.

The two assertions auditors care about most in AP are completeness (is every liability you owe actually recorded, including the invoices sitting in someone's inbox at year end) and cutoff (is the expense booked in the right period). Both fail silently. Neither is caught by looking at a bank balance.

SOX controls for accounts payable

These are the controls that show up on nearly every AP risk and control matrix, and what each one is actually there to stop:

ControlWhat it preventsHow the auditor tests it
Segregation of dutiesOne person entering, approving, and paying an invoicePulls a user access report and looks for role conflicts
Vendor master change approvalA fake or altered vendor bank account receiving paymentSamples vendor master changes and traces each to an approval
Three-way matchPaying for goods never ordered or never receivedSamples invoices and checks the PO and receipt behind each
Approval thresholds (delegation of authority)Spend approved by someone without the authority to commit itTests payments against the approval matrix in force
Duplicate payment detectionPaying the same invoice twiceRuns duplicate analytics across the payment population
Period-end accrual reviewUnrecorded liabilities and wrong-period expensesSearches for unrecorded liabilities: reviews post-close payments
System audit trailUntraceable changes to invoices or paymentsInspects logs for who changed what and when

Vendor master control is the one companies underrate most. Approval limits govern how much gets paid. The vendor master governs who gets paid, and changing a bank account on an existing vendor record is a quieter way to steal than inventing a fake invoice. If only one AP control gets tightened this quarter, make it that one. Our full breakdown of accounts payable internal controls goes through each in more depth, and segregation of duties covers the role conflicts auditors flag first.

SOX compliance checklist

A working checklist for the AP cycle, in the order it makes sense to do it:

  1. Map the process. Document how an invoice actually gets from arrival to payment today, not how the policy says it does. Walk one real invoice through end to end.
  2. Identify the risks. At each step, ask what could go wrong that would misstate the financials or lose cash.
  3. Define the control for each risk. Name it, name the owner, name the frequency, and state what evidence it produces.
  4. Fix the access. Pull system roles and remove conflicting permissions before an auditor finds them.
  5. Test the controls yourself. Sample transactions, confirm the control operated, and keep the workpaper. Self-identified issues are treated far more kindly than auditor-identified ones.
  6. Document compensating controls where the team is too small for full segregation. Auditors accept this when it is written down, reasoned, and tested.
  7. Remediate and retest. A deficiency you fixed in November still needs to have operated long enough to prove it works.
  8. Keep the evidence organized. If producing evidence takes two weeks of digging, the control is not really operating.

Companies with obligations spanning more than finance often end up tracking these commitments in a dedicated compliance management system rather than a spreadsheet, simply because the audit trail on a spreadsheet is whatever the last person to save it says it is.

What auditors will ask you for

The request list is predictable, which means you can prepare for it. Expect: a complete AP aging tied to the general ledger; the full vendor master with a log of every change made during the period; a list of all users with AP permissions and their roles; a sample of invoices with the PO, receipt, and approval for each; the payment register for the year; evidence of your duplicate payment monitoring; the approval matrix in force and evidence it was applied; and the post-year-end payment listing they will use to search for unrecorded liabilities.

Notice how much of that is a system export if your controls live in software, and how much of it is a scavenger hunt if they live in email.

Deficiency, significant deficiency, or material weakness?

These three terms are not synonyms and the distinction drives the disclosure.

FindingMeaningConsequence
Control deficiencyA control is missing or did not operate as designedFix it; usually no external disclosure
Significant deficiencySerious enough to merit attention by those responsible for oversightReported to the audit committee
Material weaknessA reasonable possibility that a material misstatement would not be prevented or detectedDisclosed publicly; ICFR declared ineffective

A disclosed material weakness is a genuinely bad day: it commonly moves the stock, raises audit fees, and invites shareholder attention. Most of them trace back to something dull, like an access conflict nobody cleaned up or a reconciliation that was signed off without being performed.

What happens if you fail SOX compliance?

Consequences scale with intent. An ineffective ICFR opinion means public disclosure, higher audit fees, and pressure from the board. Knowingly certifying a false financial report is criminal under Section 906, carrying penalties up to $5 million and 20 years. Destroying or altering records to impede an investigation is prosecutable under Section 802. In practice, the everyday cost of failing SOX is not prison, it is the remediation project: a year of expensive external help rebuilding controls you could have built cheaper the first time.

How automation turns SOX evidence into a by-product

The expensive part of SOX is rarely the control itself. It is proving the control happened. A manual approval is only evidence if someone kept the email, filed it, and can find it eleven months later. A system approval is evidence automatically, with a timestamp and a user ID attached.

That is the real reason AP automation and SOX work well together. When invoices are captured, matched to the PO and receipt, routed by an approval matrix, screened for duplicates, and paid inside one system, the control evidence is generated as a side effect of doing the work. Nobody assembles a binder. The audit trail already exists. Our accounts payable audit software enforces segregation of duties structurally, blocks duplicate payments before the payment run, and keeps a time-stamped record from purchase order to payment, so the auditor's request list becomes an export rather than a project. If you are running three-way matching on paper today, that is the first control worth moving into a system.

How much does SOX compliance cost?

It varies far too much to quote a number honestly, and any vendor who gives you a precise figure is guessing. The drivers are your filer status (404(b) attestation is the big one), the number of significant processes and locations in scope, how much of your control evidence is manual, and whether you use external consultants for testing. The single largest controllable cost is manual evidence collection, because it consumes finance-team hours every quarter and it scales with transaction volume. Automating the evidence, not the assessment, is where the savings are.

The bottom line

SOX compliance rewards boring, consistent execution. Document what you do, do what you documented, and keep the proof where you can find it. In accounts payable that means: no one person owns an invoice from entry to payment, vendor bank changes get a second pair of eyes, invoices match their POs, duplicates get blocked rather than recovered, and the system remembers who did what. Get those five right and most of a SOX audit stops being frightening.