Try it now, capture a real invoice
Free plan · No credit card · Your data stays yours
SOX compliance: the short answer
SOX compliance means a public company has documented its internal controls over financial reporting, tested them, and can prove they worked all year. Section 404 is the part that creates the workload: management must assess those controls annually, and for larger filers an external auditor must attest to them separately. Accounts payable is the cycle auditors dig into first, because it is where cash actually leaves the building.
The practical translation for a controller: every dollar paid needs an approval you can evidence, a person who approved it who did not also enter it, and a system record showing both. If your evidence is a folder of forwarded emails, you are not compliant, you are just lucky so far.
What is SOX compliance?
The Sarbanes-Oxley Act of 2002 was passed after the Enron and WorldCom collapses to stop executives from cooking books and claiming ignorance. It applies to US public companies, foreign issuers listed on US exchanges, and the accounting firms that audit them. SOX compliance is not a certification you buy or a badge you display. It is an ongoing obligation to maintain internal controls over financial reporting (ICFR) and to have the CEO and CFO personally certify the numbers.
The phrase "SOX compliant software" gets thrown around loosely by vendors. No software is SOX compliant on its own. Software either helps you run and evidence the controls, or it does not. The obligation stays with the company.
Who has to comply with SOX?
Not every requirement hits every company the same way. The dividing line is public float, which determines your filer status:
| Filer status | Public float | 404(a) management assessment | 404(b) auditor attestation |
|---|---|---|---|
| Large accelerated filer | $700M or more | Required | Required |
| Accelerated filer | $75M to $700M | Required | Required (unless an SRC with revenue under $100M) |
| Non-accelerated filer | Under $75M | Required | Exempt |
| Emerging growth company | Varies (JOBS Act) | Required | Exempt for up to 5 years |
| Private company | N/A | Not required | Not required |
One nuance that trips up finance teams at growing companies: a smaller reporting company with annual revenue under $100 million is excluded from the accelerated filer definition, so it stays exempt from the auditor attestation even if its float crosses $75 million. Worth checking before you budget for a 404(b) audit you may not owe.
Also note the SEC proposed rule changes in May 2026 that would narrow 404(b) to large accelerated filers only. That is a proposal, not law, and as of July 2026 it has not been finalized. Do not restructure your control program around a rule that has not landed.
Does SOX apply to private companies?
Legally, no. The ICFR reporting requirements of Section 404 apply to public registrants. Two exceptions matter in practice. First, the anti-fraud and document destruction provisions (Sections 802 and 1107) apply to everyone, including private firms and nonprofits. Shredding records to obstruct a federal investigation is a crime regardless of whether you are listed. Second, private companies planning an IPO get pulled in early: underwriters and auditors expect a functioning control environment before you file, and building one takes a year or more. Most pre-IPO companies start SOX readiness well ahead of the S-1.
SOX compliance requirements: the sections that actually matter
| Section | What it requires | Who it lands on |
|---|---|---|
| 302 | CEO and CFO personally certify each quarterly and annual report, including that disclosure controls are effective | Executives (quarterly) |
| 404(a) | Management assesses and reports on the effectiveness of internal controls over financial reporting | Finance, internal audit (annually) |
| 404(b) | The external auditor issues a separate opinion on ICFR | External auditor (larger filers only) |
| 409 | Rapid disclosure of material changes in financial condition | Executives, legal |
| 802 | Record retention; criminal penalties for destroying or falsifying records | Everyone, including private firms |
| 906 | Criminal penalties for knowingly certifying a false report (up to $5M and 20 years) | CEO and CFO |
What is SOX 404?
Section 404 has two halves and people constantly conflate them. 404(a) is management's own assessment: you identify the risks to accurate financial reporting, define controls that address them, test those controls, and state in your annual report whether they are effective. 404(b) is the external auditor's independent opinion on the same thing. 404(a) is the annual grind for the finance team. 404(b) is the expensive part, and it is the one smaller filers are exempt from.
Both halves rest on the same underlying work: a documented set of controls, evidence that each one operated throughout the period, and honest disclosure when one did not.
Why accounts payable is the highest-risk SOX cycle
Auditors allocate effort by risk, and AP concentrates risk in a way few other cycles do. It touches cash directly, it runs on high transaction volume, it depends on documents that arrive from outside the company in inconsistent formats, and it is the single most common vector for occupational fraud. A revenue misstatement usually needs a judgment call to go wrong. An AP misstatement just needs someone to pay the same invoice twice, or to pay a vendor that does not exist.
The two assertions auditors care about most in AP are completeness (is every liability you owe actually recorded, including the invoices sitting in someone's inbox at year end) and cutoff (is the expense booked in the right period). Both fail silently. Neither is caught by looking at a bank balance.
SOX controls for accounts payable
These are the controls that show up on nearly every AP risk and control matrix, and what each one is actually there to stop:
| Control | What it prevents | How the auditor tests it |
|---|---|---|
| Segregation of duties | One person entering, approving, and paying an invoice | Pulls a user access report and looks for role conflicts |
| Vendor master change approval | A fake or altered vendor bank account receiving payment | Samples vendor master changes and traces each to an approval |
| Three-way match | Paying for goods never ordered or never received | Samples invoices and checks the PO and receipt behind each |
| Approval thresholds (delegation of authority) | Spend approved by someone without the authority to commit it | Tests payments against the approval matrix in force |
| Duplicate payment detection | Paying the same invoice twice | Runs duplicate analytics across the payment population |
| Period-end accrual review | Unrecorded liabilities and wrong-period expenses | Searches for unrecorded liabilities: reviews post-close payments |
| System audit trail | Untraceable changes to invoices or payments | Inspects logs for who changed what and when |
Vendor master control is the one companies underrate most. Approval limits govern how much gets paid. The vendor master governs who gets paid, and changing a bank account on an existing vendor record is a quieter way to steal than inventing a fake invoice. If only one AP control gets tightened this quarter, make it that one. Our full breakdown of accounts payable internal controls goes through each in more depth, and segregation of duties covers the role conflicts auditors flag first.
SOX compliance checklist
A working checklist for the AP cycle, in the order it makes sense to do it:
- Map the process. Document how an invoice actually gets from arrival to payment today, not how the policy says it does. Walk one real invoice through end to end.
- Identify the risks. At each step, ask what could go wrong that would misstate the financials or lose cash.
- Define the control for each risk. Name it, name the owner, name the frequency, and state what evidence it produces.
- Fix the access. Pull system roles and remove conflicting permissions before an auditor finds them.
- Test the controls yourself. Sample transactions, confirm the control operated, and keep the workpaper. Self-identified issues are treated far more kindly than auditor-identified ones.
- Document compensating controls where the team is too small for full segregation. Auditors accept this when it is written down, reasoned, and tested.
- Remediate and retest. A deficiency you fixed in November still needs to have operated long enough to prove it works.
- Keep the evidence organized. If producing evidence takes two weeks of digging, the control is not really operating.
Companies with obligations spanning more than finance often end up tracking these commitments in a dedicated compliance management system rather than a spreadsheet, simply because the audit trail on a spreadsheet is whatever the last person to save it says it is.
What auditors will ask you for
The request list is predictable, which means you can prepare for it. Expect: a complete AP aging tied to the general ledger; the full vendor master with a log of every change made during the period; a list of all users with AP permissions and their roles; a sample of invoices with the PO, receipt, and approval for each; the payment register for the year; evidence of your duplicate payment monitoring; the approval matrix in force and evidence it was applied; and the post-year-end payment listing they will use to search for unrecorded liabilities.
Notice how much of that is a system export if your controls live in software, and how much of it is a scavenger hunt if they live in email.
Deficiency, significant deficiency, or material weakness?
These three terms are not synonyms and the distinction drives the disclosure.
| Finding | Meaning | Consequence |
|---|---|---|
| Control deficiency | A control is missing or did not operate as designed | Fix it; usually no external disclosure |
| Significant deficiency | Serious enough to merit attention by those responsible for oversight | Reported to the audit committee |
| Material weakness | A reasonable possibility that a material misstatement would not be prevented or detected | Disclosed publicly; ICFR declared ineffective |
A disclosed material weakness is a genuinely bad day: it commonly moves the stock, raises audit fees, and invites shareholder attention. Most of them trace back to something dull, like an access conflict nobody cleaned up or a reconciliation that was signed off without being performed.
What happens if you fail SOX compliance?
Consequences scale with intent. An ineffective ICFR opinion means public disclosure, higher audit fees, and pressure from the board. Knowingly certifying a false financial report is criminal under Section 906, carrying penalties up to $5 million and 20 years. Destroying or altering records to impede an investigation is prosecutable under Section 802. In practice, the everyday cost of failing SOX is not prison, it is the remediation project: a year of expensive external help rebuilding controls you could have built cheaper the first time.
How automation turns SOX evidence into a by-product
The expensive part of SOX is rarely the control itself. It is proving the control happened. A manual approval is only evidence if someone kept the email, filed it, and can find it eleven months later. A system approval is evidence automatically, with a timestamp and a user ID attached.
That is the real reason AP automation and SOX work well together. When invoices are captured, matched to the PO and receipt, routed by an approval matrix, screened for duplicates, and paid inside one system, the control evidence is generated as a side effect of doing the work. Nobody assembles a binder. The audit trail already exists. Our accounts payable audit software enforces segregation of duties structurally, blocks duplicate payments before the payment run, and keeps a time-stamped record from purchase order to payment, so the auditor's request list becomes an export rather than a project. If you are running three-way matching on paper today, that is the first control worth moving into a system.
How much does SOX compliance cost?
It varies far too much to quote a number honestly, and any vendor who gives you a precise figure is guessing. The drivers are your filer status (404(b) attestation is the big one), the number of significant processes and locations in scope, how much of your control evidence is manual, and whether you use external consultants for testing. The single largest controllable cost is manual evidence collection, because it consumes finance-team hours every quarter and it scales with transaction volume. Automating the evidence, not the assessment, is where the savings are.
The bottom line
SOX compliance rewards boring, consistent execution. Document what you do, do what you documented, and keep the proof where you can find it. In accounts payable that means: no one person owns an invoice from entry to payment, vendor bank changes get a second pair of eyes, invoices match their POs, duplicates get blocked rather than recovered, and the system remembers who did what. Get those five right and most of a SOX audit stops being frightening.